8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
169s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	BootstrapperV2.12.exe

Executes dropped EXE 2 IoCs

pid	Process
3040	BootstrapperV2.12.exe
3756	Solara.exe

Loads dropped DLL 2 IoCs

pid	Process
3756	Solara.exe
3756	Solara.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023d45-270.dat	themida
behavioral2/memory/3756-272-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-273-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-274-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-275-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-300-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-301-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-302-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-312-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-317-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-465-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral2/memory/3756-466-0x0000000180000000-0x0000000181107000-memory.dmp	themida

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com
64	pastebin.com
65	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3756	Solara.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1496	ipconfig.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{37866722-43B0-49EF-BD58-300B8C0C40A6}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	BootstrapperV2.12.exe
2676	msedge.exe
2676	msedge.exe
2820	msedge.exe
2820	msedge.exe
2364	msedge.exe
2364	msedge.exe
3488	identity_helper.exe
3488	identity_helper.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe
3756	Solara.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5896	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeDebugPrivilege	3672	Bootstrapper.exe
Token: SeDebugPrivilege	3040	BootstrapperV2.12.exe
Token: SeDebugPrivilege	3756	Solara.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe
5896	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4320	3672	Bootstrapper.exe	86
PID 3672 wrote to memory of 4320	3672	Bootstrapper.exe	86
PID 4320 wrote to memory of 1496	4320	cmd.exe	88
PID 4320 wrote to memory of 1496	4320	cmd.exe	88
PID 3672 wrote to memory of 1188	3672	Bootstrapper.exe	90
PID 3672 wrote to memory of 1188	3672	Bootstrapper.exe	90
PID 1188 wrote to memory of 4848	1188	cmd.exe	92
PID 1188 wrote to memory of 4848	1188	cmd.exe	92
PID 3672 wrote to memory of 3040	3672	Bootstrapper.exe	96
PID 3672 wrote to memory of 3040	3672	Bootstrapper.exe	96
PID 3040 wrote to memory of 2820	3040	BootstrapperV2.12.exe	97
PID 3040 wrote to memory of 2820	3040	BootstrapperV2.12.exe	97
PID 2820 wrote to memory of 2888	2820	msedge.exe	98
PID 2820 wrote to memory of 2888	2820	msedge.exe	98
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 4116	2820	msedge.exe	99
PID 2820 wrote to memory of 2676	2820	msedge.exe	100
PID 2820 wrote to memory of 2676	2820	msedge.exe	100
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101
PID 2820 wrote to memory of 4300	2820	msedge.exe	101

cURL User-Agent 6 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	89	curl/8.9.1-DEV
HTTP User-Agent header	93	curl/8.9.1-DEV
HTTP User-Agent header	94	curl/8.9.1-DEV
HTTP User-Agent header	75	curl/8.9.1-DEV
HTTP User-Agent header	80	curl/8.9.1-DEV
HTTP User-Agent header	87	curl/8.9.1-DEV

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1496
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/w9yACJan55
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcbe746f8,0x7ffdcbe74708,0x7ffdcbe74718
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      4⤵
      PID:4300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:2836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:1
      4⤵
      PID:1192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4092 /prefetch:8
      4⤵
      PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4112 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
      4⤵
      PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
      4⤵
      PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:2172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
      4⤵
      PID:5236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
      4⤵
      PID:2280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
      4⤵
      PID:3780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
      4⤵
      PID:1716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      4⤵
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
      4⤵
      PID:3928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
      4⤵
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
      4⤵
      PID:1640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
      4⤵
      PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
      4⤵
      PID:3040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5315665960864977251,18399568705339267134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
      4⤵
      PID:5272
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5896
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\SolaraTab\Tab 1.lua
  2⤵
  PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e107c88a6fc54cc3ceb4d85768374074

SHA1
a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

SHA256
8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

SHA512
b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

Download Submit
C:\ProgramData\Solara\Monaco\combined.html

Filesize
14KB

MD5
12b639080896b92257ee04bc5ceb2aee

SHA1
80d46ad0f37a31806c367b66defddd3f66964408

SHA256
ebc0d0dce25f400077db31a540c54dea00e4be25ba9755b2958250446aa414cc

SHA512
ad1b8f4b58af420e30758209ebfd7c7d7e79c098bbb1c062a96a7817715bfe1dd1cd5207a46c009aae87421341aa9f163b136a583fdfa8cc58117202e412fcd5

Download Submit
C:\ProgramData\Solara\Monaco\index.html

Filesize
14KB

MD5
610eb8cecd447fcf97c242720d32b6bd

SHA1
4b094388e0e5135e29c49ce42ff2aa099b7f2d43

SHA256
107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7

SHA512
cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
613KB

MD5
efa26a96b7af259f6682bc888a8b6a14

SHA1
9800a30228504c30e7d8aea873ded6a7d7d133bb

SHA256
18f4dca864799d7cd00a26ae9fb7eccf5c7cf3883c51a5d0744fd92a60ca1953

SHA512
7ca4539ab544aee162c7d74ac94b290b409944dd746286e35c8a2712db045d255b9907d1ebea6377d1406ddd87f118666121d0ec1abe0e9415de1bba6799f76e

Download Submit
C:\ProgramData\Solara\SolaraV3.dll

Filesize
6.6MB

MD5
5ddea7243d5fc4cad4fea7345b5786a6

SHA1
e1305c340bb224403c79829b1dfcfca8131ce3b8

SHA256
68c9d0c6040d0f8b7ecfcd53b4732603336dc5e90d62c3b2c8318a3323bda332

SHA512
9920609f8b8976244285cdce236e26f26af62587e8ebd77e9b95edd508e0fa6e7abeafdf98ab08bf46c24b2acab9dfdef6cd61c85457c9c33b1451bad0f6dff5

Download Submit
C:\ProgramData\Solara\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
145b219f373c78f1c21a394922ee835f

SHA1
8459b6a9184197678e0ac265610de70203143d52

SHA256
60987c9383befeac1164e8813ffdc9284e3cb9aedc14bb48674cdcf6da081157

SHA512
869276f556427e66ae88dcdac05c7b780b0df968cbb4d7d6de69470fe60d36a563dbd113cb86ab5472206b60bea4b613d32eea02ba36d6bc713cf04d5e7e623f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
323B

MD5
a5a1149047729a493b1a2a65063c39ba

SHA1
8f1f45cb0c0772dcd05795734cbf408636fb9fb9

SHA256
e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006

SHA512
8ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab51a00748ca752defe3851b1c336d5f

SHA1
58aca3e95e7dacfa16e5a0919280cf1dceef4ff6

SHA256
83b35d2a64d811d57f6dff84129e204d416a898468ee815c3a0de246bd56f3c0

SHA512
b0ec5f3cf3c9d681ef0a2cb6419d8aa2810560f90e5df608221ae70e6b8174dfeae87d90908756c0367a935f8b4f4e5101e01a3696e2be29897235b393e72e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7513649480320572c01b6b925990597b

SHA1
56deecf5b0a8c9c47995aab17f4c31c137150fc2

SHA256
7a642b2c33f4418a6e6cc88b2ee9be25d34ca1989dc02c1158d394beca8ac2e0

SHA512
88561e358cc027bbb6f84e2828efe08dff255c4438fad8e64420d9fc5be078528e8dafb7d64448322f7134898fac68f49f14abfd897f0166d7a5f50a4025d2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f1f3408b-d590-48d6-9de6-d0e0fb2dc0a7.tmp

Filesize
6KB

MD5
4664faf2df734692d108397b9d0f9dec

SHA1
90ef5602558cf1aaa776472e7bca444c88afbddf

SHA256
3017f741aee2c85f27a8ab01047ecfc881a6747f843788f9ff0ecb69e2089d0b

SHA512
fd764bd0913ce4039fe39cac1e6611d079b061e203c85445f9b89c611ff22a3694006bd9be16784d053666811e469e3b1a4c5b31798a31e25c0e64a79091a716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0638769f2958e221066665d521e6e2d5

SHA1
32aacfa4b5da87dc704d74d44c90243a20896e89

SHA256
b198fa18214200194a8ae86db572ca0404819b8a0d3372dcef182ef9171eee79

SHA512
7ff9c1575fd17fe6ebbacbdd8fc57f16009ca5a56c6fc74d1bbfc18053f4f2c9fd2dc9ffeca9f387be2df0b65567d86f2caa80039da96140bb8ade67b5eb953f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4da59a01849a8a3f52fd093bac052c0c

SHA1
12b39ec28eb99ccc4be9c586541dbb4e35ca2f23

SHA256
0625160b60e476542daf23eb04792e125019e23cca93fdbd2e74f8c1a9c5c886

SHA512
2066b327855a3bfe7c2940fbbd672416ca9c952c368af43607c1440d0abd2775198e7b054e0c0255b8518c2d1b426a900e4937ce915eab00c947201b0c111b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be69fedb0b4680501c608838536dda3e

SHA1
83333e30bd6fd3f048fc2b24ea0cb279b6910f92

SHA256
aa8755b283dded95a75e1ab83b30d74a01fb70bdad23c07bf9ab455c62e45701

SHA512
d1cd847e386d9c627c5b9179346c5ea4d8c2a5670de962f1830c53e53cc739c6be761b213e4de1d4e93806346fe14097541b9ef2f7ad9e8d7a8777c266930d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe

Filesize
2.9MB

MD5
a36750fe814c6cd0a94312ebaf85e07e

SHA1
9382378c4831247b2efc387581dc909c6352571f

SHA256
933acdb61d5d05bb55cd56957312b677719ac237a2daae0f1daf9d70dc68f2de

SHA512
d028e93cfe594c557e74376854916c33ad0614db1fa1efdf4a4477ff246ccb791510192c35296d5a32b81b376e9ee94ec5f5c0109f04f0320ed788ceda092f21

Download Submit
memory/3040-28-0x0000028DF74F0000-0x0000028DF7516000-memory.dmp

Filesize
152KB

Download
memory/3040-18-0x0000028DD63B0000-0x0000028DD6690000-memory.dmp

Filesize
2.9MB

Download
memory/3040-34-0x0000028DF7570000-0x0000028DF7578000-memory.dmp

Filesize
32KB

Download
memory/3040-31-0x0000028DF7520000-0x0000028DF752A000-memory.dmp

Filesize
40KB

Download
memory/3040-30-0x0000028DF7540000-0x0000028DF7556000-memory.dmp

Filesize
88KB

Download
memory/3040-196-0x0000028DBF3A0000-0x0000028DBF452000-memory.dmp

Filesize
712KB

Download
memory/3040-198-0x0000028DB5040000-0x0000028DB505E000-memory.dmp

Filesize
120KB

Download
memory/3040-199-0x0000028DF2A50000-0x0000028DF2A5A000-memory.dmp

Filesize
40KB

Download
memory/3040-201-0x0000028DFFFE0000-0x0000028DFFFF2000-memory.dmp

Filesize
72KB

Download
memory/3040-29-0x0000028DF7530000-0x0000028DF7538000-memory.dmp

Filesize
32KB

Download
memory/3040-33-0x0000028DF74E0000-0x0000028DF74EA000-memory.dmp

Filesize
40KB

Download
memory/3040-20-0x0000028DD6AC0000-0x0000028DD6AD0000-memory.dmp

Filesize
64KB

Download
memory/3040-21-0x0000028DD8500000-0x0000028DD8508000-memory.dmp

Filesize
32KB

Download
memory/3040-22-0x0000028DD85D0000-0x0000028DD8608000-memory.dmp

Filesize
224KB

Download
memory/3040-25-0x0000028DD85C0000-0x0000028DD85CA000-memory.dmp

Filesize
40KB

Download
memory/3040-23-0x0000028DD85A0000-0x0000028DD85AE000-memory.dmp

Filesize
56KB

Download
memory/3040-24-0x0000028DF6550000-0x0000028DF6650000-memory.dmp

Filesize
1024KB

Download
memory/3672-19-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/3672-1-0x0000013C0FB00000-0x0000013C0FBCE000-memory.dmp

Filesize
824KB

Download
memory/3672-2-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/3672-4-0x00007FFDCF483000-0x00007FFDCF485000-memory.dmp

Filesize
8KB

Download
memory/3672-5-0x0000013C2A230000-0x0000013C2A252000-memory.dmp

Filesize
136KB

Download
memory/3672-0-0x00007FFDCF483000-0x00007FFDCF485000-memory.dmp

Filesize
8KB

Download
memory/3756-275-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-302-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-273-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-274-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-262-0x000001CC0EC20000-0x000001CC0EC30000-memory.dmp

Filesize
64KB

Download
memory/3756-255-0x000001CC0E780000-0x000001CC0E81C000-memory.dmp

Filesize
624KB

Download
memory/3756-267-0x000001CC2A6C0000-0x000001CC2A750000-memory.dmp

Filesize
576KB

Download
memory/3756-300-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-301-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-272-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-312-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-317-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-257-0x000001CC2AC00000-0x000001CC2B13C000-memory.dmp

Filesize
5.2MB

Download
memory/3756-258-0x000001CC2A780000-0x000001CC2A83A000-memory.dmp

Filesize
744KB

Download
memory/3756-260-0x000001CC2A840000-0x000001CC2A8F2000-memory.dmp

Filesize
712KB

Download
memory/3756-465-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/3756-466-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download