exelastealer | hxxps://www[.]youtube[.]com/watch?v=ZUEdte0wwN8

Analysis

max time kernel
216s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=ZUEdte0wwN8

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer themida trojan

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5424	netsh.exe
5040	netsh.exe
3756	netsh.exe
4352	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	BootstrapperV2.14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
952	cmd.exe
2288	powershell.exe
5480	cmd.exe
436	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 32 IoCs

pid	Process
5332	SolaraBootstrapper.exe
5568	CatLoaderv5juju.exe
5660	Bootstrapper.exe
5984	Stub.exe
4328	BootstrapperV2.14.exe
4984	MicrosoftEdgeWebview2Setup.exe
3360	MicrosoftEdgeUpdate.exe
3368	MicrosoftEdgeUpdate.exe
4656	MicrosoftEdgeUpdate.exe
1016	MicrosoftEdgeUpdateComRegisterShell64.exe
5244	MicrosoftEdgeUpdateComRegisterShell64.exe
5172	MicrosoftEdgeUpdateComRegisterShell64.exe
3628	MicrosoftEdgeUpdate.exe
5160	MicrosoftEdgeUpdate.exe
3248	MicrosoftEdgeUpdate.exe
1968	MicrosoftEdgeUpdate.exe
5764	MicrosoftEdge_X64_131.0.2903.112.exe
5796	setup.exe
5700	setup.exe
2376	MicrosoftEdgeUpdate.exe
396	SolaraBootstrapper.exe
4500	CatLoaderv5juju.exe
5340	Bootstrapper.exe
1940	Stub.exe
2568	BootstrapperV2.14.exe
180	Solara.exe
5852	msedgewebview2.exe
1556	msedgewebview2.exe
1460	msedgewebview2.exe
2852	msedgewebview2.exe
5712	msedgewebview2.exe
4884	msedgewebview2.exe

Loads dropped DLL 64 IoCs

pid	Process
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
5984	Stub.exe
3360	MicrosoftEdgeUpdate.exe
3368	MicrosoftEdgeUpdate.exe
4656	MicrosoftEdgeUpdate.exe
1016	MicrosoftEdgeUpdateComRegisterShell64.exe
4656	MicrosoftEdgeUpdate.exe
5244	MicrosoftEdgeUpdateComRegisterShell64.exe
4656	MicrosoftEdgeUpdate.exe
5172	MicrosoftEdgeUpdateComRegisterShell64.exe
4656	MicrosoftEdgeUpdate.exe
3628	MicrosoftEdgeUpdate.exe
5160	MicrosoftEdgeUpdate.exe
3248	MicrosoftEdgeUpdate.exe
3248	MicrosoftEdgeUpdate.exe
5160	MicrosoftEdgeUpdate.exe
1968	MicrosoftEdgeUpdate.exe
2376	MicrosoftEdgeUpdate.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe
1940	Stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/180-1515-0x0000000180000000-0x0000000181096000-memory.dmp	themida
behavioral1/memory/180-1516-0x0000000180000000-0x0000000181096000-memory.dmp	themida
behavioral1/memory/180-1517-0x0000000180000000-0x0000000181096000-memory.dmp	themida
behavioral1/memory/180-1514-0x0000000180000000-0x0000000181096000-memory.dmp	themida
behavioral1/memory/180-1696-0x0000000180000000-0x0000000181096000-memory.dmp	themida

Unexpected DNS network traffic destination 17 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
237	discord.com
157	discord.com
179	raw.githubusercontent.com
190	discord.com
178	discord.com
180	raw.githubusercontent.com
250	pastebin.com
251	pastebin.com
270	pastebin.com
125	discord.com
129	discord.com
177	discord.com
302	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
141	ip-api.com
235	ipinfo.io
236	ipinfo.io
243	ip-api.com
121	ipinfo.io
122	ipinfo.io

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5812	cmd.exe
5292	ARP.EXE
2340	cmd.exe
3468	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
5608	tasklist.exe
2436	tasklist.exe
2176	tasklist.exe
3684	tasklist.exe
3964	tasklist.exe
8	tasklist.exe
4984	tasklist.exe
6120	tasklist.exe
5824	tasklist.exe
2296	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4212	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
180	Solara.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_mk.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\SETUP.EX_	MicrosoftEdge_X64_131.0.2903.112.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\onramp.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\pwahelper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_km.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\VisualElements\Logo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_ta.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\nl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\msedge.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\msvcp140_codecvt_ids.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_el.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_sv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_ur.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\ka.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\ca-Es-VALENCIA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\mip_protection_sdk.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\sr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\msedgeupdateres_pl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\el.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedge_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\setup.exe	MicrosoftEdge_X64_131.0.2903.112.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source5796_941950180\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\dxcompiler.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\Locales\pa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\show_third_party_software_licenses.bat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\oneds.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\lb.pak	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CatLoaderv5juju.exe	SolaraBootstrapper.exe
File opened for modification	C:\Windows\CatLoaderv5juju.exe	SolaraBootstrapper.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3332	sc.exe
4040	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3628	MicrosoftEdgeUpdate.exe
1968	MicrosoftEdgeUpdate.exe
2376	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5232	cmd.exe
3112	netsh.exe
3272	cmd.exe
6112	netsh.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5320	NETSTAT.EXE
3952	NETSTAT.EXE

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3580	WMIC.exe
3988	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3216	WMIC.exe
1584	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5372	ipconfig.exe
3952	NETSTAT.EXE
5056	ipconfig.exe
5312	ipconfig.exe
5320	NETSTAT.EXE
116	ipconfig.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
812	systeminfo.exe
916	systeminfo.exe

Kills process with taskkill 21 IoCs

evasion

pid	Process
5240	taskkill.exe
4116	taskkill.exe
372	taskkill.exe
1400	taskkill.exe
6080	taskkill.exe
5040	taskkill.exe
5060	taskkill.exe
5172	taskkill.exe
4864	taskkill.exe
1636	taskkill.exe
3680	taskkill.exe
1240	taskkill.exe
2588	taskkill.exe
5616	taskkill.exe
2984	taskkill.exe
4856	taskkill.exe
5908	taskkill.exe
2760	taskkill.exe
4420	taskkill.exe
1804	taskkill.exe
1428	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133811605714906499"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods\ = "26"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41E1FADF-C62D-4DF4-A0A2-A3BEB272D8AF}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CLSID\ = "{77857D02-7A25-4B67-9266-3E122A8F39E4}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27"	MicrosoftEdgeUpdateComRegisterShell64.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
3116	msedge.exe
3116	msedge.exe
3036	identity_helper.exe
3036	identity_helper.exe
5580	msedge.exe
5580	msedge.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
2288	powershell.exe
2288	powershell.exe
6132	7zFM.exe
6132	7zFM.exe
2288	powershell.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
4328	BootstrapperV2.14.exe
6132	7zFM.exe
4328	BootstrapperV2.14.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe
6132	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6132	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
5852	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3900	AUDIODG.EXE
Token: SeRestorePrivilege	6132	7zFM.exe
Token: 35	6132	7zFM.exe
Token: SeSecurityPrivilege	6132	7zFM.exe
Token: SeIncreaseQuotaPrivilege	5136	WMIC.exe
Token: SeSecurityPrivilege	5136	WMIC.exe
Token: SeTakeOwnershipPrivilege	5136	WMIC.exe
Token: SeLoadDriverPrivilege	5136	WMIC.exe
Token: SeSystemProfilePrivilege	5136	WMIC.exe
Token: SeSystemtimePrivilege	5136	WMIC.exe
Token: SeProfSingleProcessPrivilege	5136	WMIC.exe
Token: SeIncBasePriorityPrivilege	5136	WMIC.exe
Token: SeCreatePagefilePrivilege	5136	WMIC.exe
Token: SeBackupPrivilege	5136	WMIC.exe
Token: SeRestorePrivilege	5136	WMIC.exe
Token: SeShutdownPrivilege	5136	WMIC.exe
Token: SeDebugPrivilege	5136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5136	WMIC.exe
Token: SeRemoteShutdownPrivilege	5136	WMIC.exe
Token: SeUndockPrivilege	5136	WMIC.exe
Token: SeManageVolumePrivilege	5136	WMIC.exe
Token: 33	5136	WMIC.exe
Token: 34	5136	WMIC.exe
Token: 35	5136	WMIC.exe
Token: 36	5136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5136	WMIC.exe
Token: SeSecurityPrivilege	5136	WMIC.exe
Token: SeTakeOwnershipPrivilege	5136	WMIC.exe
Token: SeLoadDriverPrivilege	5136	WMIC.exe
Token: SeSystemProfilePrivilege	5136	WMIC.exe
Token: SeSystemtimePrivilege	5136	WMIC.exe
Token: SeProfSingleProcessPrivilege	5136	WMIC.exe
Token: SeIncBasePriorityPrivilege	5136	WMIC.exe
Token: SeCreatePagefilePrivilege	5136	WMIC.exe
Token: SeBackupPrivilege	5136	WMIC.exe
Token: SeRestorePrivilege	5136	WMIC.exe
Token: SeShutdownPrivilege	5136	WMIC.exe
Token: SeDebugPrivilege	5136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5136	WMIC.exe
Token: SeRemoteShutdownPrivilege	5136	WMIC.exe
Token: SeUndockPrivilege	5136	WMIC.exe
Token: SeManageVolumePrivilege	5136	WMIC.exe
Token: 33	5136	WMIC.exe
Token: 34	5136	WMIC.exe
Token: 35	5136	WMIC.exe
Token: 36	5136	WMIC.exe
Token: SeDebugPrivilege	5660	Bootstrapper.exe
Token: SeIncreaseQuotaPrivilege	3216	WMIC.exe
Token: SeSecurityPrivilege	3216	WMIC.exe
Token: SeTakeOwnershipPrivilege	3216	WMIC.exe
Token: SeLoadDriverPrivilege	3216	WMIC.exe
Token: SeSystemProfilePrivilege	3216	WMIC.exe
Token: SeSystemtimePrivilege	3216	WMIC.exe
Token: SeProfSingleProcessPrivilege	3216	WMIC.exe
Token: SeIncBasePriorityPrivilege	3216	WMIC.exe
Token: SeCreatePagefilePrivilege	3216	WMIC.exe
Token: SeBackupPrivilege	3216	WMIC.exe
Token: SeRestorePrivilege	3216	WMIC.exe
Token: SeShutdownPrivilege	3216	WMIC.exe
Token: SeDebugPrivilege	3216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3216	WMIC.exe
Token: SeRemoteShutdownPrivilege	3216	WMIC.exe
Token: SeUndockPrivilege	3216	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
6132	7zFM.exe
6132	7zFM.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3668	3116	msedge.exe	82
PID 3116 wrote to memory of 3668	3116	msedge.exe	82
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 4940	3116	msedge.exe	83
PID 3116 wrote to memory of 2156	3116	msedge.exe	84
PID 3116 wrote to memory of 2156	3116	msedge.exe	84
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85
PID 3116 wrote to memory of 3684	3116	msedge.exe	85

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6012	attrib.exe

cURL User-Agent 6 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	259	curl/8.9.1-DEV
HTTP User-Agent header	260	curl/8.9.1-DEV
HTTP User-Agent header	261	curl/8.9.1-DEV
HTTP User-Agent header	268	curl/8.9.1-DEV
HTTP User-Agent header	269	curl/8.9.1-DEV
HTTP User-Agent header	256	curl/8.9.1-DEV

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/watch?v=ZUEdte0wwN8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff866c646f8,0x7ff866c64708,0x7ff866c64718
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17944900897137237177,3333556764394178146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5980

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SolaraB.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6132
- C:\Users\Admin\AppData\Local\Temp\7zO4F785848\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4F785848\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5332
- - C:\Windows\CatLoaderv5juju.exe
    "C:\Windows\CatLoaderv5juju.exe"
    3⤵
    - Executes dropped EXE
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\onefile_5568_133811603992984428\Stub.exe
      C:\Windows\CatLoaderv5juju.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5196
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:5164
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        
        PID:3332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:5252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:5308
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:5644
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:5552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1932
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:1136
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:4212
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
        6⤵
        Views/modifies file attributes
        
        PID:6012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:4012
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:6088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4788
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:6120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3116"
        5⤵
        
        PID:5140
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3116
        6⤵
        Kills process with taskkill
        
        PID:2588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3668"
        5⤵
        
        PID:5884
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3668
        6⤵
        Kills process with taskkill
        
        PID:5240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4940"
        5⤵
        
        PID:5348
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4940
        6⤵
        Kills process with taskkill
        
        PID:5616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2156"
        5⤵
        
        PID:5656
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2156
        6⤵
        Kills process with taskkill
        
        PID:4864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3684"
        5⤵
        
        PID:5296
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3684
        6⤵
        Kills process with taskkill
        
        PID:4116
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3212"
        5⤵
        
        PID:5552
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3212
        6⤵
        Kills process with taskkill
        
        PID:2984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3816"
        5⤵
        
        PID:3188
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3816
        6⤵
        Kills process with taskkill
        
        PID:4856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4576"
        5⤵
        
        PID:4472
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4576
        6⤵
        Kills process with taskkill
        
        PID:372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3608"
        5⤵
        
        PID:844
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3608
        6⤵
        Kills process with taskkill
        
        PID:5908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5680"
        5⤵
        
        PID:5924
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5680
        6⤵
        Kills process with taskkill
        
        PID:1400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5688"
        5⤵
        
        PID:4988
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5688
        6⤵
        Kills process with taskkill
        
        PID:1240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:3620
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:3640
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:3628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:2200
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:5176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4524
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:3684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:2340
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:812
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:1588
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:3580
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:1656
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:2468
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:5096
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:5776
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:5780
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:5788
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:5808
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:5680
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:5704
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:5692
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:5736
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:5752
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:2652
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:3964
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:5312
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:1560
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:3468
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5320
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:3332
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4352
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5232
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4116
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5552
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5876
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5660
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      4⤵
      PID:1580
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:5056
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      PID:1264
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.14.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.14.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4984
      - C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU9287.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        6⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5244
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5172
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0YwMDJGNjMtODg0Qy00MDJDLUI2MTgtQTUwOUREOUMxRTAyfSIgdXNlcmlkPSJ7RDJBMDM5MTktM0EzOC00NzNBLTg2NzMtMTU4OUQwODJBRTdGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFMkYwQTVFNC0yOTQ4LTRGMTItOUREQi0yRDVBMDI1MEQ3RER9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjQzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDI5MDc3NTI0IiBpbnN0YWxsX3RpbWVfbXM9IjkwNSIvPjwvYXBwPjwvcmVxdWVzdD4
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{CF002F63-884C-402C-B618-A509DD9C1E02}" /silent
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5160
- C:\Users\Admin\AppData\Local\Temp\7zO4F7BFB3A\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4F7BFB3A\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:396
- - C:\Windows\CatLoaderv5juju.exe
    "C:\Windows\CatLoaderv5juju.exe"
    3⤵
    - Executes dropped EXE
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\onefile_4500_133811605452989953\Stub.exe
      C:\Windows\CatLoaderv5juju.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:2428
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:2408
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        
        PID:5556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:2072
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:4120
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:5988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5300
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:1400
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:8
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:972
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:1944
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2844"
        5⤵
        
        PID:4632
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2844
        6⤵
        Kills process with taskkill
        
        PID:6080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4940"
        5⤵
        
        PID:3816
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4940
        6⤵
        Kills process with taskkill
        
        PID:2760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5684"
        5⤵
        
        PID:3324
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5684
        6⤵
        Kills process with taskkill
        
        PID:4420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5776"
        5⤵
        
        PID:4104
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5776
        6⤵
        Kills process with taskkill
        
        PID:1804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4384"
        5⤵
        
        PID:4756
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4384
        6⤵
        Kills process with taskkill
        
        PID:5040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4240"
        5⤵
        
        PID:3368
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4240
        6⤵
        Kills process with taskkill
        
        PID:5060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5620"
        5⤵
        
        PID:1716
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5620
        6⤵
        Kills process with taskkill
        
        PID:5172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
        5⤵
        
        PID:4140
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3604
        6⤵
        Kills process with taskkill
        
        PID:1636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1288"
        5⤵
        
        PID:1620
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1288
        6⤵
        Kills process with taskkill
        
        PID:1428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5236"
        5⤵
        
        PID:2688
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5236
        6⤵
        Kills process with taskkill
        
        PID:3680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:3936
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:2156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:2468
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:2760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5792
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:2436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:5480
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3272
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:5812
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:916
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:4212
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:3988
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:4320
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:1476
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:6084
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:1956
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:5644
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:452
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:5544
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:5520
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:840
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:2132
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:2708
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4080
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:1008
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:2296
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:5372
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:2620
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:5292
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3952
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4040
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5040
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1188
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5276
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3028
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5340
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      4⤵
      PID:5100
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:116
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.14.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.14.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2568
    - - C:\ProgramData\Solara\Solara.exe
        
        "C:\ProgramData\Solara\Solara.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:180
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --mojo-named-platform-channel-pipe=180.6076.6636260699881953044
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Checks system information in the registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        System policy modification
        
        PID:5852
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=131.0.2903.112 --initial-client-data=0x178,0x17c,0x180,0x154,0x188,0x7ff847676070,0x7ff84767607c,0x7ff847676088
        7⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1796,i,18208477639394671266,11784191078391263018,262144 --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2
        7⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1712,i,18208477639394671266,11784191078391263018,262144 --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:3
        7⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2396,i,18208477639394671266,11784191078391263018,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:8
        7⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3644,i,18208477639394671266,11784191078391263018,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4884

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3248
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0YwMDJGNjMtODg0Qy00MDJDLUI2MTgtQTUwOUREOUMxRTAyfSIgdXNlcmlkPSJ7RDJBMDM5MTktM0EzOC00NzNBLTg2NzMtMTU4OUQwODJBRTdGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjM2MzFDNjAtMDE4Qi00RTlGLUFBRkMtMEMzMEI4QkUyNUFFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5NyIgaW5zdGFsbGRhdGV0aW1lPSIxNzI4MjkyOTAyIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNzI3NjU0Njg2NTIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQzNjg4NzYwOCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1968
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\MicrosoftEdge_X64_131.0.2903.112.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5764
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5796
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFEDFC57-4A3C-4884-94AF-0EA33E391FE8}\EDGEMITMP_927AE.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff6a6512918,0x7ff6a6512924,0x7ff6a6512930
      4⤵
      Executes dropped EXE
      PID:5700
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0YwMDJGNjMtODg0Qy00MDJDLUI2MTgtQTUwOUREOUMxRTAyfSIgdXNlcmlkPSJ7RDJBMDM5MTktM0EzOC00NzNBLTg2NzMtMTU4OUQwODJBRTdGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5MDhENUNDRS0xMUQzLTQ0RDItQUYxMS04REYyOTI2NDdDNTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjAuMjkwMy4xMTIiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NDk0ODc2ODYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDQ5NjE3NjMwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTY1OTg2Nzc2OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvN2Q5Y2Q5M2MtMWQ1ZS00NDliLTlhZDctZjFlOGQ2YjkwNTA5P1AxPTE3MzcyOTE2MjcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Z084dkZ0dnROJTJmZm5nc0trOHRWVW11bGNERmVUJTJiZzA5UGpNc01uWlpaYUxPQ1ZVSnRERDglMmZtZk4lMmJ2MTcxbnAlMmJKM2o3SGl4RXUybUhYeXp3cjRSN3hRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc2ODcwOTc2IiB0b3RhbD0iMTc2ODcwOTc2IiBkb3dubG9hZF90aW1lX21zPSIxNDU0NiIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2NjAxNjc3ODYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Njc0NDE3NTYxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2Mjg0MDk4OTc0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNjY0IiBkb3dubG9hZF90aW1lX21zPSIyMTAzOCIgZG93bmxvYWRlZD0iMTc2ODcwOTc2IiB0b3RhbD0iMTc2ODcwOTc2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2MDk2MCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff857e246f8,0x7ff857e24708,0x7ff857e24718
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2504276806304881580,7158623510451281654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Installer\setup.exe

Filesize
6.6MB

MD5
f0dc48bc6e1b1a2b0b15c769d4c01835

SHA1
66c1ba4912ae18b18e2ae33830a6ba0939bb9ef1

SHA256
7ada85f31a3b501eaecd2aa37b8df1f74b470b355279b5db2d1fbc0bb7de4889

SHA512
d2ceeaf987446f7463e84a6286dc1c8f50a80466af641f77d174826189ff5a56b048e616ad8d97ddb12a2f68e182af80309be717367224605c06dcf74a84cc0f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
70cc35c7fb88d650902e7a5611219931

SHA1
85a28c8f49e36583a2fa9969e616ec85da1345b8

SHA256
7eca199201273f0bcff1e26778cb535e69c74a69064e7759ff8dad86954d42b1

SHA512
3906ddb96b4b1b68b8c2acc940a62c856e8c3415a1b459f17cf2afc09e05751e0086f8e4e5e0ddd8e45cfb61f811bbe4dd96198db68072b45b6379c88d9ea055

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
68d9524785eb81ea3663763f1072dc99

SHA1
0caa26358d33b0298eae7c23ea75392295244afc

SHA256
6536a04910e0206f00e184bda027e6ec07313afbd6cc77778eb2432b49d5d692

SHA512
ea7da7a39276df0199192eb52aec9e6a9ff72dc2a25609a480500ac28ddd93f21df68f03eaffd15043ea623987a62346d155a11b5cf6e9ca3dad4b1ec388848e

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
95KB

MD5
c860aa99bb6d24ae5b8827b5387ce07f

SHA1
5cc7b42d35c97d38366f23951c7e83e335acb737

SHA256
cb68dca48f8f77265af8e6242aa1f7e39253fb4663f69995529988564063d979

SHA512
bc73a75befd5dcf9787380078b4156c1f3d1928e6ddba04b65031424f203dc794658fdba94a51a2f6c92f09a8c86540e8b46731185bd656f8d048b27403346af

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
613KB

MD5
efa26a96b7af259f6682bc888a8b6a14

SHA1
9800a30228504c30e7d8aea873ded6a7d7d133bb

SHA256
18f4dca864799d7cd00a26ae9fb7eccf5c7cf3883c51a5d0744fd92a60ca1953

SHA512
7ca4539ab544aee162c7d74ac94b290b409944dd746286e35c8a2712db045d255b9907d1ebea6377d1406ddd87f118666121d0ec1abe0e9415de1bba6799f76e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
b3fdebe766d19be5951496b66c15f718

SHA1
f01cfa5549b2f769a4ef974f35c01f62dd7a2b49

SHA256
841932ceaad5f9b4fd22f9208deee0ea4432a77a45a3d16565310eaaeb46eaaa

SHA512
55c55f9d2d6ff4c5a27c3fff92edcd69c7982ffe39f3547f2fe1270427a1dbecf269f50fee9a15ddca2c13e996772ee70d2c6938fbc01a716a88bd2a23ff1120

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
1KB

MD5
fe457ae2357d47b914258fc4d436d0c9

SHA1
bf3c4424ec9c7974f977d43e7138db07da7b1c7c

SHA256
d389c7a96a9a9acecb24d8b600705c87d232513f229365e9234adb88f0ec7a48

SHA512
62d01e1a4039f860117106e2927b851ee1fbb06dedcea07b54c4b606496562ad77e6f7738e39dd373f959eb64f328b1e02b7a9eba9bc886f27c72ab9509b9d10

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
2KB

MD5
924bb77f395377b4a526c120219618b9

SHA1
2699a2ddbb8f18b91866f5a053118cf4ba4d0321

SHA256
cd59be9e63cf4148b3f0a41fd1805e9050e21efe97e72281f218f89bbf742526

SHA512
decdbfb04f60a04f1ddf1d996cc69bd3434eee550db6e372b75495c5d6e8bcdfff4048905201d570afbdeea3cfed3586cae2a8ae962e1b756b46774e0163e35b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
3KB

MD5
05dc3f5ef54acdef07e8c6c72ab28462

SHA1
a589aef12a8712081563c7dcac6055b4308bc868

SHA256
fe9869fc23a600e649e66f0d5fc005d159251db69841160b83ded54b81bdeb18

SHA512
9ba720deb0f3d2045758f024a3525a66dfd886efd6372637768b59b3e6f75159bf02b8c8c6c7e979a4e294585fe96f6070b6612c5558874c807d6f614ee9932d

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State~RFe5ac749.TMP

Filesize
1KB

MD5
0655e60a15cfa664eeedd4d898296fe3

SHA1
a01c8e9b8d5d3b5c97b9a33dc6142afe4ac807df

SHA256
926399ebf9b193a08147585dc558b9432091d2bc83c591080088f267feca1293

SHA512
4ee05d82e5d7594832d712dfaa275f2bbd38aa1531e27d80cc2548cb8d99311b245df12b4962d605b47d250523fea0eddc9cb403037d895b3789156974f17064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9db2a0594df297bf53c2c7a01c33cad4

SHA1
d2a815ec895516ea6b7cf3bff26b77383cdc901e

SHA256
33730d3aa056b2f0f6cebaa88c2082cbfe65b0a4657566140a022cd8a9b62c44

SHA512
e6349846db38ea7aed3338ca32dd022cbd84e6ae40ff252301020ba7b41a984907dad63d49cac44a854d4fc2c06d9b848582df953429191b211efceefa515043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
49KB

MD5
65da8d6932ad74d3b51694b5a28dd0bb

SHA1
aa6e37cdacda153f499c299299a4dacf50c93765

SHA256
309ec80a404d5ba8c9816e0932bff343c8e205fe36819908682289ed7c7ae482

SHA512
bfce7ba0e18dde7d6f833709e565f704701d7a51b14d7c11b06cdce0b057290a334219c9aa4f7ea098c097eb779a2ceca397a9ad1ede0784348f78c81fd55015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
34KB

MD5
796cde84f96aeb0e7938a6449c5df98c

SHA1
bcfe2832173b772cf4ac08aa90a45550dd54f96d

SHA256
d4bd3e815320447860e0564ac090789168e4b742484a19a05824992d6984f38c

SHA512
ecce78771f99bc03e989abb43f2a10b254aa49bc35faa6d49c95304388ac2b054c3b513c7bbb14730fb14d0563712c1fc0cb376f5a298e8ec17160fa69033be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
3e8ed757bcc98447007ba25739ee696b

SHA1
b034ff548d08ed76670fc773fb0b96d3ae80a8d1

SHA256
8752426b8381ef8a2c0fa1c80537aadee5b979543fa8135094453d76d2cf4888

SHA512
7e4645061c7764dabc972ec593cb8d233c624657904abf9914bac1ea96ab93159a88ac821ebd27620fa0dda5a2d1e78c79f2e5cf7f0567cab362221fe2bed3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a3563750c0f3d7d9dff864307a3ac7d

SHA1
4a05f8afce9828ce3b953814726922483b3bc33a

SHA256
f7097a69247bf44991302c83edcd24edc7b6147f0273e25e9f89557311398a9b

SHA512
6cb2bf736233100baed4e542d8bcdd426e012da8bdc17f525e295519b0a0502224b91a3cf9846b610e452173652b63f8bb84cc43b203a0782505cb3a872cc821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d7bc49ae8efdbb43b5b85cbab157591

SHA1
c80a9d8b3948428baea36bde6f38557c06e94493

SHA256
67db5aaf6209da6cd3479c50ae1e89dde00e6371c900ba60418ff44168b86fbf

SHA512
98ff38d9dc6b48437bba3264c7bbfb853fcf7a47f605ffc5c526b3907dfd5f0c59ca9b774ffccc7197ea65d60a0a618ff0e8b2ea9ecbe3e3ffcce47dae26b96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
62dedff035472d0fc5343229df933ccc

SHA1
b3bf12fec2f2d3f71727038d491ef42e5c120bb2

SHA256
17b20d14139840ec51ae6f1e29de26e9d52b7509ab782a43dfe579b79e3d30c8

SHA512
226961a2c519b90bf54f28bddc364d2d991b26afaaa1113c2d02f6375fb96af80c5640b24408eccbac96f9ee828b7df8a134b5076efec39da664827f672e231e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c5a3c1fc560dd9f5f80bf95d2df37bf

SHA1
f93b28ebbd22d969fad13e6d27a8e68cb0d34c84

SHA256
30d924742151a4eb7f558c7fec42c7fc64913487a7dab9e8b1cc87ff3c7d6081

SHA512
c44461d09d1c2b75c0cb7960e9e6ee7315f731611220c9ab23429520b3c8e8990e63b3dd32a6649aaa7995b613fc20a55942e7932f4c28b3da04f5eba9060091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
789be59c104422f592d77f9ea61acd74

SHA1
399375ce8ddb3bb97bf7f84e435f2058d3c0c1f6

SHA256
432d7a12917f23c2a033f9b832ebcda4ab8e12d69dd122a9b9f4a05d4cfa38e8

SHA512
094801a0cc6dcc62f1e18b81240171e77e838e735b46f17e8ebb2731cf08c1d7191730bf0a22acde256f207ae9cc9f7034555f30483ef2912c7a42d731fe4b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\15870185-063a-48cb-ada6-74a8b39d8312\index-dir\the-real-index

Filesize
2KB

MD5
e1aeb805e6faf5cc0a69452dbf13803f

SHA1
f218c389797efb53e0c28e447935d7a92c209eb7

SHA256
2d445d7632221ba15ba253020b6725ba347c3af15e857f63e85973aa595be761

SHA512
a71452751358730355bb8bfb57b6bd7a08064dee31e3b8ad59f95442d15ab3c62c3159e145d4771fc2d72f278e3ed9470ae9603e04780b0298b8c4fa6bd6fa79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\15870185-063a-48cb-ada6-74a8b39d8312\index-dir\the-real-index

Filesize
2KB

MD5
09397e2bd237bb6ba31d4a4ced79487f

SHA1
64e79d96e3bc2b233cb1ef941d076c761b5c182f

SHA256
cafd51e036f8d951e601863086fc44a118c67c7cba5b95115e5190e0e2184daa

SHA512
bc4bd5b39e708f615c6e71ba2cd6ff83f7dc0127f167b5f6b6d097518cf90a84e57eb5b04f92d30ee50f074beb503375afa4243a4ec8297718d9adabcfe84293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\15870185-063a-48cb-ada6-74a8b39d8312\index-dir\the-real-index~RFe57b91e.TMP

Filesize
48B

MD5
7cbae4a667b7f958f0006876e1095e0b

SHA1
091cde8f21c4644c6e777fc0c8af78e9626bbbb3

SHA256
36a50309fab3be88d352ebdecdbf8056a4c7481ff813a805667cbc46045769a5

SHA512
f3806348e0f7039011f308bc5ed3ba73480332b00fe595866a497c3a6aeef82ff6ee1030eac6aec61809d1b697453d8df455f1745cdafa6b487899fbbb22c2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\329a5242-87d8-4601-bbe9-6efb5bdd060d\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cd872a8-57f9-429a-8f48-aa318f1e70d7\index-dir\the-real-index

Filesize
624B

MD5
9b2fbd8f641637bebfdce47ba7682c32

SHA1
f4acbe27c9341c4b03c64aba143566068c4ac88a

SHA256
4b69619754a4b1a13608eb072548f266211e4ca2f731c246b46725398d5d842d

SHA512
4bab48f312648a03b186b72a71a18e9cd3ea36a55024d3e210f764d84655c74a1def5f344322f528d1441a42e9085620deabdbdc597b10bc00101feaa163eec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cd872a8-57f9-429a-8f48-aa318f1e70d7\index-dir\the-real-index~RFe5813f0.TMP

Filesize
48B

MD5
7983eda96ee65af75917efae8bbd0f4d

SHA1
94bc989051efa36d5b635a9616e7b2aa4711e026

SHA256
26270c63a8f0d5851864e6a9542e2c7b6f5ab9bdd27ee3fd03847fa2a47dba8d

SHA512
18c2f3dd2995805b1bf6f925b3cab6359552eef5c81c07ef792284e9a42ecaa0bfa18fa804e9cb4acba57ad66fea07866817c6d6b6ca550ff559ad74db636861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
d1e5cae37874b4bd1f4e61886120e9c3

SHA1
15e2aa4fd6db00eaecdfdb9656a69f7e2585c1a8

SHA256
23e6111a5bd83ef3ab1d6c939afa60446d31f4d53455f99176ea03ec84a33706

SHA512
1c85a3528ba9839197b42dd7fd8754df2d2c5af2565b427f82a10200e40f32b237dda19314397532f44e8bfd2a4b9a3b0b4c0200ee1db89c095bb783002a9d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
5bd07501a05202b46ea06998f02d3dce

SHA1
a985e02f76b496f7621009b727225220f96e8035

SHA256
263f9c60ab07a36e9f39aca8ffbc9cff8ab1fd450130fa5eabe9f6dab2018013

SHA512
b29e7e6c8de1a771dda25b7a9ffb4344db144a484e8c625620fd5198a1b845c8244c9535a4c0e5c59fcca38990f7fa3345733fb5b063e1fed22ff95fdb6972a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
7d4b9525f64c531c00071f61a6fb9ea5

SHA1
689d7289634f3e51026ff6f2ded3e18a71c49a64

SHA256
914c3e312de55f6a224e624896322a12dc91143d1ab49bce21a5768b8a6eab18

SHA512
1011d549655d54721c39478bbda8ea5da806133e54387d96ddd1aba8e489a81946efdd9f4ced819074c3acd3d0620cb4b9c430635ff9f2f12f500ff32b58a967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
50e75b30de7172697346ae42494d4416

SHA1
637354b941f59796a30e19cfe7766b0efd63cb48

SHA256
db58ccfc0f981bf3e8685e55cf265da0998bb174f36a82a2abf0b3175e33e1e3

SHA512
fd6fccea3d3abbacdffdec1b41781a9e9a5672bff2ba22b90a410122703f4a8eb74260278a35d1aef48e16565e4bf48db39270d1a0cf71fb5954bf623551a041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
0e573d75a0ce7fdac9aadd1e786744c2

SHA1
ed6d7b877cbfed334599b2555587219b3b770ac4

SHA256
56e87e640e3d4ca072db78ff3f61ac8f027d612584927c10cc33dfde66e7aff1

SHA512
7f0a40ba4df91219a58112874e099e25a83c25531b375517a4319081e83bc5b89b62f1269a5f10166aa16dc4d01364c98ac011383bd3a15947ff077c8221e548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
895363da0262d2fe3599c31e766cf63e

SHA1
dd77192ae50448ea1f86f2b1544e39c6c360cd82

SHA256
a8635216de24a6468b4bfe6859070b89e56ad5e1c520b4e5fd781c721c6401b0

SHA512
8a7710f7f76eea99720eabc2c18978347a245ef6832f217e61dcb30f503090ae5f60d9ef66fec4f635eb8ea712cac9cc42658776599116ede874e41f358aeef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
80891275d2801d7795ed181f0ab94173

SHA1
0b03dbd05610b289d2d5b4ed2cb0009dcad2d40e

SHA256
adb183f85fee155f0441439e0d01cf284a97a7b878222438f06e6b4554cc2510

SHA512
a2acf463b671ac3093c2059901d51c65da485fe96ded7cb370b184ed8d86594a77b7de594d8fe357854c5d582a87bd82b0edb519098fb0ef0dbe21284332ca34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57a817.TMP

Filesize
89B

MD5
523ce54f64ddff88cb2dfb9a86e2bfe9

SHA1
735c7c3f42aa747ae41a1dbb20538d3114033b7b

SHA256
5969bdab0a5c0afd37224d1cc539ca6f3b84f55256bc25bee22c73aae26eb6d3

SHA512
6d6b4dcf11c655caf370bb9126f49e7973b09e9d3d81536ee4b5eeb1c0c5277f0e64e001fe9139229da2bb8b62e499e4d8c1e0bc4c5b3c51b8e9fc73574d1859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e653f7660a9276caf9f485e8e1fa3d58

SHA1
7fefa15857e3ce31ba37795c89aba1ba581d4905

SHA256
5d2ffd4f86afa252bfe1176ea71f80b4d8d169c24a096de1dccc9f0e0b0f8a29

SHA512
fcfe913da2bc61a5497ff23b6fec18f953ac6e569321bd04a255c6b6f7fd24318969e5ef0f2cc6cb11f9d8454a3ff2bba75a3efaf700901797af3382b1f8105f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580ccc.TMP

Filesize
48B

MD5
0ea669a18df027f2acb82d81fba2fbba

SHA1
ce06871428a1e1fee1fce8f4f1941e68547c786b

SHA256
7b95a7da01121648cb72bd13d02f1d21031b5663df88b1c479052c16e8ba0163

SHA512
122be9e25e0c0aecbbf1ccd666fdf4e8330197739688b91866eba5f59624c15d269787f84f9a840d1c86367492ae8c2261e0b2d8aa97d9e0be7aa263cca3ad18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
c5fc3e00d2624e1fc8f10aad2cc1acf6

SHA1
ac15619f610e86634c4358c5fa2857c0515526fe

SHA256
d4a06bc2ef74a476000c5369f315ec7cb395ca70237ed5d161926fff14699a19

SHA512
7139830e25118a47938082dbb562a4f72de9fc137425e0ee8243ff5d26ef6b2f3d79097d573e3c0e107469c46d9e307711a12349e16b2a0cf324c98560ec8c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
a11590afa1e7b7b94901f5eac7154652

SHA1
8ad9a367513c97461c2fc0c7b09d36bf736d9848

SHA256
f501adc0ab985739a262570be121c717daa63fa141d99b9f38cecd5206446ee4

SHA512
98af0a96904377db67042f09de7a56782a47eb65266793d3fa9fafa9dd77050885b968d23d344f7e3da69b4cb08367ce83ab00ea2aff446bd9e0ec9a86b88d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fb09.TMP

Filesize
704B

MD5
73a95c6ffc7524b7bd1a22309c8fd129

SHA1
bc3a42827b5072813bad59b2af5f328242ed92ca

SHA256
6f83498b9310f06b9b2f465cedc8911ce7bba0566521aa57817a524a0a25bcf0

SHA512
0545399fa0ee457b488d72bafb99c41617affadf2be615200297018c5a12792e81a6714214cc0c62baf00b0869c3dfb18627a4cff85e0a27ef6d393c58aba072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
61b7c0ebb00600324bf3e9e17d7d96d3

SHA1
b51c3b2266cfd6112554995d0bbf8e0688c82928

SHA256
aee9d82480794f12ad100dc6a2d3baaa5a89becf8dd0214911eae8ea51611562

SHA512
c81cf6bd4cd82740fea3bc310a21b0f521d97fdc2035118310d2951db4336a7d70aada1bbad9122e207fd3e97a0174fd416b42ac9942f1e01d15aa05026558ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
428795366f9e782ba244e1953113726f

SHA1
94146dcb113bccfb9758392d5d505f2572361495

SHA256
a875a4d223e1d6f0351365e48419fd04341d7e7800611bd111dca9c1f1e23bd4

SHA512
169e31334ec280c530ff94e74baf2a1a76ceb1c792ba13d31c4c552204e618c81c23e8db0d35cb5167b03df6ce8c7956f1c6103bcdb9739f0466d4e9d2f39903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a5906ea6-b617-48ec-bcc9-07751b8c93aa.tmp

Filesize
11KB

MD5
e97f38456fcc3adcbc50a56fbaae887e

SHA1
0ed932961fbd6ac17da215e724cc227a0a646fe9

SHA256
1910705f3bd2ff53f274e4962e3f179be3b669279ca425081ef77a6ca5aaf6f6

SHA512
7319d024e4527923c22df106228dbb065c6e2223c1616543e7dacc1bbf0273a537254b0f9a50445e2507157218e740783da33be2730031fc4e695e6951957af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4F785848\SolaraBootstrapper.exe

Filesize
39.0MB

MD5
674c34ea3491bec6673193c5f3e78214

SHA1
b5473312a449d5e1f0dec6a9d5c46a7d06708240

SHA256
d3ba0aafc26fb7a3d58e4e720ab05698df33efa6486fe5c51e507f4099306fc6

SHA512
2d2ecb4ae7389c85d02d0a39ed64f17e75be6cbb0d55736b908f2f8d56a369d6abfdc6b7e5bf27d9752cb79c8fadefc594d2c7afea1a4a14163af3df7724bc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.14.exe

Filesize
2.9MB

MD5
ec429587b94b0288039bf1492e3350af

SHA1
acfd0ea4f9d321a898fed79e2e8e41e04620625b

SHA256
c372c94338eaaa7ab2eb7c5b6d1c9fc5658ec62da7f5fcd04e2d4c72d900ea9f

SHA512
79090e46a9f6e2cc4728aa4cb5e48eab80d18151ae3257cbede4d685b80d40b56e2ef57a4ab37ddf90ccd67e5cd54a728f559fcf9fc32c6971bb88468c1ec88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\AddStep.xlsx

Filesize
11KB

MD5
f2011fe0619d92547b23cbd9de9b68ba

SHA1
5aa2db53a2e68aa2cb00108c4cc5b0e7b3b9dc6e

SHA256
2a6ca3fe3229d402f8e4c4d3afc3cd072d4ab16b9fc582261fd17fb33ba2daf6

SHA512
9c7431f154b056081e31815f9e7135e81468deebb98ba3654e511a6b23ab723ebb0503eb1b2827f56b6a367d76a641676602ea2cf677e5f08e16a70b1f189173

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\BackupRead.mpeg

Filesize
246KB

MD5
8aefdc5f5e8804adc6764f44b12a0f09

SHA1
3d8e9daf1f804cd3a9fb26f5d3a611106e5908d4

SHA256
3e19b0cd8359937f4596f1f66acbbca9cf03055029541659656e6c3a4c625352

SHA512
0b00afd3addb83e1c6c08800628738ed0efd7ab93f434919bc802d147027188b79404a4676c6bf874c9af2c120c43916209690a957d68eeda19434580f6553bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\BlockWait.pdf

Filesize
111KB

MD5
7e10dcefdcf5a16943e36ea0a465b728

SHA1
4cc2e031e72938eb8c31b733fcf937830a3b8504

SHA256
7b45baea90e4599585ab1aa5888aca7e9ccbe90c8de9d7d6c5271c525cd8d711

SHA512
842a67dbb033bcdebb1c17c8c770b164d3992f42ca4567114e35b8a6100c82dacbeafa396b510fe40d8281e3ea8063372990feaace95960c66749abb2ecfc473

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\MountUnpublish.docx

Filesize
16KB

MD5
cb37c4950bb1927c371fc917ddd893ba

SHA1
15ae02afdd6bd45515e3508e619926fc72455797

SHA256
0cde2dceca4ccf9166aefc88e9e8059887bc3d3688d2d8fd43ee6960fade2e4b

SHA512
51bd71135da80a93a12667aa5ef5fed92669a3e97b58958b9e311d47a998e12724571df82d08a9903639c4aa5cdf9ec1961244e4bfa103481378727463082527

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\BlockWait.xlsx

Filesize
9KB

MD5
385dea4cea405593d17b2e5272ac864e

SHA1
53b36b812e02de63cd22ce40f714f4e6f6ec6dcd

SHA256
cefa885a55ced3ebd930fa6f2f833cfe83494e8fecb0ea1377b01973680ca882

SHA512
562f8640d28e86550ed4cf4d9647f47ad6f0b57fe3667bae552d1d0263469c0405f2885c9ec8b761f560be0d757b2aeb1ae52b9edebccc20aeed3edd3e5057f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\ConnectStep.xlsx

Filesize
14KB

MD5
e7af8a58a76e12f44819e815713ae52a

SHA1
b0799c01a1c587d706ffa0bf785aa072062eef1e

SHA256
33dfd6eb70189a6d8ee528ce4d799da1e908df0ddf5af0c123b2120bca60105d

SHA512
235ee43c0340d58007918923ac55876a4e8b14f9ba8cc04276295ecfadef325fa89a3120a8c0e945adde496325fdc3fe7d25d7a5c3e6a37ca743ecd80fa967fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\DenyMeasure.docx

Filesize
17KB

MD5
20a6300b8a9fb47570cbac8bee6eb2e8

SHA1
a44d899492fa8ea9ab81a5d712c57509510241b9

SHA256
7b41d1d63616b8556b4305424b80c7f8753f275a2281a4205d40475979b79637

SHA512
51f7df4d2e30cd770dcaba54bdd4c3b295c5f87b71b10b156c3a3b6e5862033baaf304ce4c6476f3101ee01f463ce0eb5cb7d9043d8de1ad56d3d02f90426064

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\ImportClear.doc

Filesize
306KB

MD5
528ee4404a1437758d9130735cc29011

SHA1
4665a776c755f96fd30a9f0876815fc8528cd78c

SHA256
7576137ff3d6cd933ef15bd9082baa14245adf17ac8d325bb827d404bee82611

SHA512
1874cdf4262b111478d44f79d11db1922b7c931ce2a802c0899468fee743e16a9900dc4447e2cca032a552fc158236a0ec6f4b74cca59e0631995c3e0a3be5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\StepDismount.csv

Filesize
450KB

MD5
aac6bfb5c7b287cfe7c63044e42d0907

SHA1
0b17c1ebefa51ffea3e2b4d1a6367433184e0923

SHA256
a29b7c2c5fac50f24327f76f40a8a4f780a65ddee10841c3c8d638b4059533b6

SHA512
d02ff2c05d47e5f0eb406d45ccc545ba18f12c0510a8111b2d4b2437f9b6a1f510cba68052c8f9c5dc9963d479b41c7d2cd166b1c48182308712a2c2aaec34ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\UnregisterUpdate.doc

Filesize
774KB

MD5
3bc27bb313cd2f1021163bee60d46d7a

SHA1
db354df6505b058f43b13f07164300ab3457dfe5

SHA256
f86ae18f154ed2aa965f3bf76db3db1b57531d21f44b72c12ac7328d4fd4a9f3

SHA512
c56c4acb8152a01f6740991700b8199c25e100dd0e42b3c6953482f23c1a62f2bbd03738d6beaf0da05720162e20c73ea2e892ce55e6e92d761ef9e0abd0df3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\CompareMerge.zip

Filesize
386KB

MD5
81ddd18f7204300961f5cef11e28d8ee

SHA1
5ebf86f64a42e643d4d5eb9b59eb3f01301933bc

SHA256
2e092857658900da8a8f867ed142a834c8a096695cab87c6882d9f0fa7260dfa

SHA512
74975fb7ce73b39b2cfcaa298af98e18a0e8d7b5a4e0d7cde655241a83f79f7b81fd8c44b94093cdcab30415175748d38b42e4aeaa9ca551ae4102f0e02b7d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\ConnectUnregister.docx

Filesize
551KB

MD5
2683e05954128d759ea7ac89a63b8edc

SHA1
4f0e8f49f0487214eceea21d71e335e5bb6a03de

SHA256
2c8826228a9d01476863d3372f8d77d30f1718cd92d503ccb72352c83188d021

SHA512
810eaccf05182e7ce64b96aeae7dd82bc80d2dae320f171aa5372b0c39681d12d4b1d4150fca858a64669caf95838a022725fe986e04bb95ced78481c05ab047

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\ReceiveShow.docx

Filesize
715KB

MD5
5b565d5702d860d6baa231b5f121c9d1

SHA1
856c1fddbefa5404ef6b1cd812468d28e01191eb

SHA256
02280343b6ace629f0a84718ffb37ae00e70ff05ae3f333d01db126a22d10a37

SHA512
96ccd5c920c3b5f6e3e74d88511bb49ae53d652b1368844dc117b3a6008b83aa0d2a82fd574ed1d0d15cf8549d2256ff8a20266dbaef747abde8515c383f1e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\DisableInstall.docx

Filesize
132KB

MD5
7f68571152ed509e28467e1da6f5f54a

SHA1
1f6b29487cbe798da99d905a32310ce7ab53a09d

SHA256
73c458ea6659c307aee6fe7c665f6e8d9070bd292cf688b8af2c4bca9e25a828

SHA512
2b316daf60221906b0488b94b5fff5db0c268b90f71e9eb9fa2f360f8fc2901445b54593705d2e7d572ccc6675d1a33a64eaadcf7b2cdd8f6e7ab94b7d45730d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\ResetEnter.csv

Filesize
156KB

MD5
4f346ee1da2e48d03cfae9014600557c

SHA1
6e6b7b186e902626cf46a6f8d6722e581482e6fe

SHA256
b76d192eb607333eb7ad4ac5d6264b7a854793b310bd03a425314fb580262b52

SHA512
b815b017383b71dfc5393a7db586a8ae0c95ab23b7027d75c061babccf87b6c69add4b2468e297173efba37ef945d5528880e34bdd341876b20562fa3de5a618

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\CompressOpen.png

Filesize
303KB

MD5
969d505b7b5036a9dbac630ae39b71e6

SHA1
31cd630d96a60db003334a4ca33aecfcc0ac91da

SHA256
30582877854004d1e561025743890730637fadba9813d5b0f520334b2715ecb5

SHA512
adf903ec10c31aaf2b2bffa1989a4b86bd9981679cc9d2044bcbc324161f4faaac4dd4f1577fff766809647d3bcae4ab81574d8d55f08ddd0541b37f124afaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\ImportPing.jpg

Filesize
257KB

MD5
7907181ef766d1487e068cc4a42ef98b

SHA1
75da2a884c95878d707d884a89f2c376e3dea895

SHA256
fe046ff7935866cec870434e09f32a3a9ba0bcb8e3fc95103717b28eae92cdc7

SHA512
d54fc7d9e680a5218e02bb76fe9e00f4b406c63edd295d9fd0690537776bb11432708c17a394c62d57b186af35749124ecd58458d72f1ccb05c8f3b248b321af

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\InstallConvert.jpeg

Filesize
520KB

MD5
7c13d08aafac8dee6a9558f3457e7db5

SHA1
50c9acc721b77732c7f63961208c0451be35641d

SHA256
c56b0ec0180f334f2de62464e25b016e2a6e141793695fafd14a4286dff34475

SHA512
f4a789e69b68241101f9ac239f7783ce2496d4d60c87524e10cbc6a7272fa3d1c3dce36d39b23ac73b08ed3018c71d7be1d2e8c6fa03c1c1197608e022c735af

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\ResizeUninstall.jpeg

Filesize
223KB

MD5
424af13be7138e65f1d4e68336939f5f

SHA1
63864498d3a01e0a9fdc886940ec23acf1070005

SHA256
438d127a063132a922bdb900bebc055ad80f2ef3895e8d709456594625cd7cc7

SHA512
b9dae071d7dfa16e7386bc36f25edd896680a257fad861e2a05a481876faaf6e74c57a4efa9138cfb296ae79478081c01446d56b413691826fe2f6f92f8c18a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\UseTrace.jpeg

Filesize
589KB

MD5
66517c245b72f70160979bf0b9a7925a

SHA1
acffe20b76f16d3591ad9555a0c4215c2eeeaba3

SHA256
27adb85230f92066759ee3fc558d5df166d8e40c31e092d60c35e36fff1e024a

SHA512
d48a03952801ade4e9d4159687eaea651d843bd364de7baa7635c46109f0322bd11456070f1e62771a2ceeb2cbc564b55b60bd4b49e037d88ebcaaeeceeef8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\UseUpdate.jpg

Filesize
383KB

MD5
e5efe873fa29cc7726aa1b04f710be95

SHA1
6cbeb885c615cf3d940046fb99d691a5bc7db14b

SHA256
51f4e31a5618b2e523904a9e871f95228ffa776f1e0cff9c13403d70679bfd4c

SHA512
c4dea6ee731654d0593b76b90a900f162622d48e1954fdb37699c45d4195bb614505e9fad1824f0afce0098a5579cc88e444479999eff3558d8abf8a97ad1e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_helpers_c.pyd

Filesize
53KB

MD5
6fb550ddaee31afedd29bdb97e2525f2

SHA1
b58257f37c581f143176d0c7abd3a98fec75a12f

SHA256
33a9b6f1caede0dbc9ee83097dea21c6db0a5cabff27f2917ea94cf47688e9df

SHA512
dbeb69892c63238aea76422815e45b7b1e12a7d2a0bcc6170f690b68eb56bc04c071413885fce81cc6ce435d9c60c36d9b97c792c75c21541db612c48124df38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_quoting_c.pyd

Filesize
93KB

MD5
6809491f7b8ad46a7281e222ca71745a

SHA1
138c75bfb03b1d54cd62fe14c3dc4501cb418397

SHA256
80660605ae26882225d02d130d0a84927635a79c78055c2eede010a28e84eb32

SHA512
97b498e3f69de6ccc4f3373683d9e2aae67cbe2532508a7677738702bbaf02ebd7c05c26e53cebb076f9943eea59b1ac4b9f7ee71a1626b8e31e539d009b39e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
0163d73ac6c04817a0bed83c3564b99f

SHA1
784001e8d0e7ab6a09202c2a1094f371f7d017cb

SHA256
5114af822abc2b0f2aabb7565919164c9babf884e34c21095213dbe6a71511ea

SHA512
47051ee935be9e9d4457447c7fe5df06a5b0c5ef55d2c757d3dfa179b6049ae79732b1552e812febe5ae41a076cb29d8a809ae9b168afc7eb4c9eadfadcf5d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nedtgmj.3ok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5568_133811603992984428\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5568_133811603992984428\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5568_133811603992984428\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5568_133811603992984428\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\Downloads\SolaraB.rar

Filesize
38.6MB

MD5
196feb975c5cd2663eae6599ca847565

SHA1
ca87b9c0f9a346a1c7bf352616076016f598f7f0

SHA256
ad6eea1962c037cb7d886fda3980fbd3bb3c05e08f70f8d4125ceb3a528e0e5c

SHA512
bcc33590e30b337d035e88b799257f075606ae3b22246f12eca8082256775b40b953dd94a19706718cfe7db7edf3b65511ccf7c3165d850754756af67981c814

Download Submit
C:\Windows\CatLoaderv5juju.exe

Filesize
38.2MB

MD5
435ec84a9fa0cd8a5d979f139d529edd

SHA1
2cd983ba573163cd7cf34ff7e989e4773a1f1465

SHA256
6ce7962f45d3739810870c363f2bfab0e9cbfe448e5b5f1e6cfab829df610eb5

SHA512
5e138c594b1ac0be97ed772a2007765f5b887a71f4d2a009d5ac37f6074e78fe92a38a1d8abad560e7abfa4b78f7352e18647ec90ca8df4c014e550c1b1fe059

Download Submit
memory/180-1514-0x0000000180000000-0x0000000181096000-memory.dmp

Filesize
16.6MB

Download
memory/180-1507-0x00000202E2A30000-0x00000202E2ACC000-memory.dmp

Filesize
624KB

Download
memory/180-1696-0x0000000180000000-0x0000000181096000-memory.dmp

Filesize
16.6MB

Download
memory/180-1515-0x0000000180000000-0x0000000181096000-memory.dmp

Filesize
16.6MB

Download
memory/180-1513-0x00000202FDB00000-0x00000202FDB90000-memory.dmp

Filesize
576KB

Download
memory/180-1511-0x00000202FCF10000-0x00000202FCF20000-memory.dmp

Filesize
64KB

Download
memory/180-1516-0x0000000180000000-0x0000000181096000-memory.dmp

Filesize
16.6MB

Download
memory/180-1510-0x00000202FD2F0000-0x00000202FD3A2000-memory.dmp

Filesize
712KB

Download
memory/180-1509-0x00000202FD230000-0x00000202FD2EA000-memory.dmp

Filesize
744KB

Download
memory/180-1508-0x00000202FD5C0000-0x00000202FDAFC000-memory.dmp

Filesize
5.2MB

Download
memory/180-1517-0x0000000180000000-0x0000000181096000-memory.dmp

Filesize
16.6MB

Download
memory/1460-1544-0x00007FF8741E0000-0x00007FF8741E1000-memory.dmp

Filesize
4KB

Download
memory/2568-1453-0x000001C2FF8F0000-0x000001C2FF8FA000-memory.dmp

Filesize
40KB

Download
memory/2568-1455-0x000001C2FF9B0000-0x000001C2FF9C2000-memory.dmp

Filesize
72KB

Download
memory/2568-1452-0x000001C2E27C0000-0x000001C2E27DE000-memory.dmp

Filesize
120KB

Download
memory/3360-998-0x0000000074C40000-0x0000000074E66000-memory.dmp

Filesize
2.1MB

Download
memory/3360-1189-0x0000000000E40000-0x0000000000E75000-memory.dmp

Filesize
212KB

Download
memory/3360-1039-0x0000000074C40000-0x0000000074E66000-memory.dmp

Filesize
2.1MB

Download
memory/3360-997-0x0000000000E40000-0x0000000000E75000-memory.dmp

Filesize
212KB

Download
memory/4328-862-0x0000028C27AD0000-0x0000028C27AF6000-memory.dmp

Filesize
152KB

Download
memory/4328-803-0x0000028C090B0000-0x0000028C09392000-memory.dmp

Filesize
2.9MB

Download
memory/4328-1190-0x0000028C23E90000-0x0000028C23F42000-memory.dmp

Filesize
712KB

Download
memory/4328-860-0x0000028C28160000-0x0000028C28260000-memory.dmp

Filesize
1024KB

Download
memory/4328-863-0x0000028C27B10000-0x0000028C27B18000-memory.dmp

Filesize
32KB

Download
memory/4328-859-0x0000028C27A60000-0x0000028C27A6E000-memory.dmp

Filesize
56KB

Download
memory/4328-858-0x0000028C27A90000-0x0000028C27AC8000-memory.dmp

Filesize
224KB

Download
memory/4328-857-0x0000028C27A10000-0x0000028C27A18000-memory.dmp

Filesize
32KB

Download
memory/4328-856-0x0000028C09760000-0x0000028C09770000-memory.dmp

Filesize
64KB

Download
memory/4328-861-0x0000028C27A70000-0x0000028C27A7A000-memory.dmp

Filesize
40KB

Download
memory/4328-867-0x0000028C28290000-0x0000028C28298000-memory.dmp

Filesize
32KB

Download
memory/4328-866-0x0000028C27A80000-0x0000028C27A8A000-memory.dmp

Filesize
40KB

Download
memory/4328-865-0x0000028C27B00000-0x0000028C27B0A000-memory.dmp

Filesize
40KB

Download
memory/4328-864-0x0000028C28260000-0x0000028C28276000-memory.dmp

Filesize
88KB

Download
memory/4884-1635-0x00007FF8741E0000-0x00007FF8741E1000-memory.dmp

Filesize
4KB

Download
memory/5660-695-0x0000029892930000-0x00000298929FE000-memory.dmp

Filesize
824KB

Download
memory/5660-783-0x00000298947B0000-0x00000298947D2000-memory.dmp

Filesize
136KB

Download
memory/5712-1626-0x00007FF874F80000-0x00007FF874F81000-memory.dmp

Filesize
4KB

Download
memory/5712-1625-0x00007FF8752B0000-0x00007FF8752B1000-memory.dmp

Filesize
4KB

Download