njrat | 233f9f88c16fb185eb91f4afc116b808eb8fa5fd0cf1b3d3a92ec6732c56314b

Analysis

max time kernel
1180s
max time network
1176s
platform
windows11-21h2_x64
resource
win11-20241007-fr
resource tags

arch:x64arch:x86image:win11-20241007-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
16-01-2025 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

19.0MB
MD5

4581b2e238f1dad629dc72c168b2be8e
SHA1

74dce1860065aad35cb68115545bdf862bddb775
SHA256

233f9f88c16fb185eb91f4afc116b808eb8fa5fd0cf1b3d3a92ec6732c56314b
SHA512

dcea04ffffdf35107a0cd6998eaef3f91270985c80028c206f59ae7d9b193defb3089826a7d1118391f849618904fdf7e77621348531b711d2eac89f422d132a
SSDEEP

24576:tigOpgzfDfMSCWk6/SCOqZkHIyGigOpgzfDfMSCWk6/SCOqZkHIy:dB5CW9/SCzhycB5CW9/SCzhy

Score

10^/10

njrat hacked defense_evasion discovery evasion persistence privilege_escalation themida trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

86.1.93.186:25565

Mutex

7b8566fe52762c19d1b844b254fc8d30

Attributes

reg_key
7b8566fe52762c19d1b844b254fc8d30
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3104	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b8566fe52762c19d1b844b254fc8d30Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b8566fe52762c19d1b844b254fc8d30Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 5 IoCs

pid	Process
776	BootstrapperV1.22.exe
4032	svchost.exe
564	server.exe
2140	BootstrapperV2.15.exe
2884	Solara.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	Solara.exe
2884	Solara.exe

Themida packer 57 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x001c00000002ac19-513.dat	themida
behavioral1/memory/2884-516-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-519-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-518-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-517-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-705-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-772-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-859-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-897-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1197-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1388-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1409-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1448-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1462-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1478-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1514-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1551-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1564-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1574-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1643-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1653-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1672-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1689-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1699-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1706-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1721-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1794-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1816-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1831-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1847-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1853-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1859-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1864-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1870-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1886-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1898-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1905-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1915-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1916-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1957-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1966-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1981-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1991-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-1994-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2001-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2002-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2006-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2009-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2013-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2026-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2029-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2030-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2031-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2043-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2055-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2059-0x0000000180000000-0x00000001810FC000-memory.dmp	themida
behavioral1/memory/2884-2066-0x0000000180000000-0x00000001810FC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
30	pastebin.com
51	pastebin.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	server.exe
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2884	Solara.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5576	msedgewebview2.exe
6464	msedgewebview2.exe
6052	msedgewebview2.exe
4472	msedgewebview2.exe
1468	msedgewebview2.exe
5000	msedgewebview2.exe
2452	msedgewebview2.exe
4808	msedgewebview2.exe
5360	msedgewebview2.exe
5520	msedgewebview2.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3112	ipconfig.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	powershell.exe
1164	powershell.exe
2140	BootstrapperV2.15.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
1244	msedgewebview2.exe
1244	msedgewebview2.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
5360	msedgewebview2.exe
5360	msedgewebview2.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe
2884	Solara.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
564	server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
4000	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	776	BootstrapperV1.22.exe
Token: SeDebugPrivilege	2140	BootstrapperV2.15.exe
Token: SeDebugPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: SeDebugPrivilege	5100	firefox.exe
Token: SeDebugPrivilege	5100	firefox.exe
Token: SeDebugPrivilege	2884	Solara.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: SeDebugPrivilege	5100	firefox.exe
Token: SeDebugPrivilege	5100	firefox.exe
Token: SeDebugPrivilege	5100	firefox.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe
Token: 33	564	server.exe
Token: SeIncBasePriorityPrivilege	564	server.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
4000	msedgewebview2.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe
5100	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1164	4912	Bootstrapper.exe	77
PID 4912 wrote to memory of 1164	4912	Bootstrapper.exe	77
PID 4912 wrote to memory of 1164	4912	Bootstrapper.exe	77
PID 4912 wrote to memory of 776	4912	Bootstrapper.exe	79
PID 4912 wrote to memory of 776	4912	Bootstrapper.exe	79
PID 4912 wrote to memory of 4032	4912	Bootstrapper.exe	81
PID 4912 wrote to memory of 4032	4912	Bootstrapper.exe	81
PID 4912 wrote to memory of 4032	4912	Bootstrapper.exe	81
PID 776 wrote to memory of 3400	776	BootstrapperV1.22.exe	82
PID 776 wrote to memory of 3400	776	BootstrapperV1.22.exe	82
PID 3400 wrote to memory of 3112	3400	cmd.exe	84
PID 3400 wrote to memory of 3112	3400	cmd.exe	84
PID 4032 wrote to memory of 564	4032	svchost.exe	85
PID 4032 wrote to memory of 564	4032	svchost.exe	85
PID 4032 wrote to memory of 564	4032	svchost.exe	85
PID 564 wrote to memory of 3104	564	server.exe	86
PID 564 wrote to memory of 3104	564	server.exe	86
PID 564 wrote to memory of 3104	564	server.exe	86
PID 776 wrote to memory of 2140	776	BootstrapperV1.22.exe	88
PID 776 wrote to memory of 2140	776	BootstrapperV1.22.exe	88
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 4752 wrote to memory of 5100	4752	firefox.exe	92
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93
PID 5100 wrote to memory of 3624	5100	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAeQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAYQB4ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.15.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.15.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe" --isUpdate true
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
  - - C:\ProgramData\Solara\Solara.exe
      "C:\ProgramData\Solara\Solara.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=2884.1796.16025634779029136842
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4000
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b8,0x7ffaf70e3cb8,0x7ffaf70e3cc8,0x7ffaf70e3cd8
        6⤵
        
        PID:3888
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4808
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2476 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4472
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1468
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4120 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1204 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5520
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4656 /prefetch:2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2452
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=3408 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5576
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4492 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1864,16202800984446357830,16337232046923982387,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=fr --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1144 /prefetch:8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6052
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {041bde1e-a9b8-4ac6-9971-b750dab890f3} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" gpu
    3⤵
    PID:3624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8cdd6d2-f4ea-4ef8-be6c-5842a205b673} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" socket
    3⤵
    PID:1144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3024 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2619d3-9d52-4c17-9968-170a5a77252d} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3720 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3696 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {205ed1e8-e454-49b8-b666-96c65b404028} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:3144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2580 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1444 -prefMapHandle 1596 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb9d1442-b419-4b6b-9531-a91546af8beb} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" utility
    3⤵
    - Checks processor information in registry
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5412 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db8ddfa-4403-4524-88c4-14f974b60d89} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:3836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 4 -isForBrowser -prefsHandle 5668 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dcbecea-0479-4af5-a80e-a87371dc9205} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fefa09d-1601-45bc-b238-2afa47c7c3be} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6232 -prefMapHandle 6244 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66fc0aa1-7199-419b-832a-eca9c0dce05f} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:3124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -childID 7 -isForBrowser -prefsHandle 4440 -prefMapHandle 1624 -prefsLen 27965 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0856789e-3cf6-4bc7-8bb9-5cf51a4ab829} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3996 -parentBuildID 20240401114208 -prefsHandle 4116 -prefMapHandle 1856 -prefsLen 33872 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8669e3ff-da0a-4b19-ba7d-8512b95c27d0} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" rdd
    3⤵
    PID:6340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5080 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5752 -prefMapHandle 6612 -prefsLen 33872 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdfe584-3d20-49ec-8510-4f8df812b126} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" utility
    3⤵
    - Checks processor information in registry
    PID:6284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7100 -childID 8 -isForBrowser -prefsHandle 7092 -prefMapHandle 7088 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f622d98c-0513-42d5-a22d-0ceffc6a8cb9} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab
    3⤵
    PID:6932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6036

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5888

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4412

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:6228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:6696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e107c88a6fc54cc3ceb4d85768374074

SHA1
a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

SHA256
8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

SHA512
b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

Download Submit
C:\ProgramData\Solara\Monaco\combined.html

Filesize
14KB

MD5
70dbd0d3a7a6037767c36f73b7a9110d

SHA1
f7e9470cae0887555535d81df1a52af3263c867c

SHA256
63bfe89b5643144822ddce80d280be3c6abb4427872fab8da7ed49a5f4c84ed5

SHA512
d22f8c3549b098bf902503bbf7ada6497b82ddbb23a96f2d46359122a39ac0c4f4cd58509c4d52b1242a9e37892859a9811e7a739838b08c15a1fcbefccae560

Download Submit
C:\ProgramData\Solara\Monaco\index.html

Filesize
14KB

MD5
610eb8cecd447fcf97c242720d32b6bd

SHA1
4b094388e0e5135e29c49ce42ff2aa099b7f2d43

SHA256
107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7

SHA512
cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331

Download Submit
C:\ProgramData\Solara\Monaco\vs\basic-languages\lua\lua.js

Filesize
5KB

MD5
8706d861294e09a1f2f7e63d19e5fcb7

SHA1
fa5f4bdc6c2f1728f65c41fb5c539211a24b6f23

SHA256
fc2d6fb52a524a56cd8ac53bfe4bad733f246e76dc73cbec4c61be32d282ac42

SHA512
1f9297eb4392db612630f824069afdc9d49259aba6361fb0b87372123ada067bc27d10d0623dc1eb7494da55c82840c5521f6fef74c1ada3b0fd801755234f1f

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.css

Filesize
171KB

MD5
6af9c0d237b31c1c91f7faa84b384bdf

SHA1
c349b06cad41c2997f5018a9b88baedd0ba1ea11

SHA256
fb2cbf2ee64286bc010a6c6fe6a81c6c292c145a2f584d0240c674f56e3015b0

SHA512
3bda519fed1cfa5352f463d3f91194122cf6bf7c3c7ab6927c8ca3eea159d35deb39328576e7cbd982cfdf1f101b2a46c3165221501b36919dbde6f1e94bf5ff

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.js

Filesize
2.0MB

MD5
9399a8eaa741d04b0ae6566a5ebb8106

SHA1
5646a9d35b773d784ad914417ed861c5cba45e31

SHA256
93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18

SHA512
d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.nls.js

Filesize
31KB

MD5
74dd2381ddbb5af80ce28aefed3068fc

SHA1
0996dc91842ab20387e08a46f3807a3f77958902

SHA256
fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48

SHA512
8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e

Download Submit
C:\ProgramData\Solara\Monaco\vs\loader.js

Filesize
27KB

MD5
8a3086f6c6298f986bda09080dd003b1

SHA1
8c7d41c586bfa015fb5cc50a2fdc547711b57c3c

SHA256
0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9

SHA512
9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
613KB

MD5
efa26a96b7af259f6682bc888a8b6a14

SHA1
9800a30228504c30e7d8aea873ded6a7d7d133bb

SHA256
18f4dca864799d7cd00a26ae9fb7eccf5c7cf3883c51a5d0744fd92a60ca1953

SHA512
7ca4539ab544aee162c7d74ac94b290b409944dd746286e35c8a2712db045d255b9907d1ebea6377d1406ddd87f118666121d0ec1abe0e9415de1bba6799f76e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
41a34bd5661ec4829e531d04f18efe87

SHA1
2f0f25c54a854c28407bf6184c29bd8ce9374328

SHA256
27638ae4c47ee0083a8dd3ac76534fdad27674cf40f2d09a281a3e1955290689

SHA512
a4ce8c0bfa6ec1a31b255a8e1f23516f4c1c2128f56d0be688e5d0f9d7c36fcb373b1b6a3909daa2d872b4a1f5eebf3d2f720ed809a94e852619107b31255492

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
b325c0cf4249d2bebfa664e5e187c354

SHA1
e38f6c5dfb5917960ec14f883ce7f7be56db306d

SHA256
97743b479d9108a306c33ed0547401da3eb9f4500bb0ac77c04775999bcd5145

SHA512
982f7d411d0db6b755ca27719dc82019e792471994b758b9105f4b1e5cb1ba2fcb699db6698741b24f300a31bef196ffc5633c8e2afea90e960e038dbe64c82b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network Persistent State

Filesize
930B

MD5
382329ce7029588f0ac0f0b77fc48291

SHA1
a2b39106a9f05afc580d68c8a08c55e9facd2892

SHA256
d9b75aaed7f5288eb0c53ee3002af4ee27e977e4a6c821a039713a8bb6c44641

SHA512
aaf5ef6af3f30066c42d47ac6e187c5e171582579b18a4bbd1cae5fa4557921c496b2384ae5e1360047e3f7a3574abc7c21b74e80107af2fc44305b29bce30b3

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network Persistent State~RFe58ed49.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Preferences

Filesize
3KB

MD5
0c112fb0bf44c64805573247e318187f

SHA1
f46697a0b0d27b83dea3b18f48b8bc8e2ad2ebfb

SHA256
b6fcdaaf45b52fdc3980f942874b65fe98ceaa689af6426bd13211ee5f5502fd

SHA512
8991f7e7bf068548377d0fb76d0f4e3c08f04c84762f08a4d7ef5341e355ef1612fb9e552ea0c666729eb6ebb4099d2e38083815d1f11270b68d0e9ddb65136a

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Preferences

Filesize
3KB

MD5
7b7bb5552612fe1ac69a5a90779cac2a

SHA1
f21594b0c09234f437ab343a34db4a1473783627

SHA256
418aa9570a671e4a92759889268d35a5c673dce503a70d02db70f24fff28cab2

SHA512
a653df47f398096bc0c8de5ce487ebc6039a160279e50b8ce5318c261c8c30f0be3b8fd4e2d8b832b08f866dccadbfb3dec0f641e66b17490360b98939ac3c6d

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
8KB

MD5
7071ca0c99d8bfef17a048e50d6922fd

SHA1
aee2cc074a17f33c02a72115f8a4ed67d1215972

SHA256
622ecac765572c19f632cb1e387d6195d8fc50d36ff00892062986da5f7606c1

SHA512
2d363b463a644acb2014052db2aee27afb6aeb427a8b7ce306f88dedc51b4a4222e338705a42536836ff867fb8afb53224a87a859458df3aa91dee200b943b81

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State~RFe5827d6.TMP

Filesize
8KB

MD5
15e58948cb66cce307eab575c316b137

SHA1
7fab9465550ca3ddc0dc108da4e1d408657b89a6

SHA256
86299fadac13b2edae8c6a92bc7d2e8fbe2d9dcb14b65878ec2693df20fab3c5

SHA512
ca8587ff4ce07a86bb62f8e8ff000717b9eb5e54bc36210a290da7623d933d02a8d257e670de6c971262c13504fef9fa0ab6311c3125481669904ec3370e7d71

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Advertising

Filesize
24KB

MD5
131857baba78228374284295fcab3d66

SHA1
180e53e0f9f08745f28207d1f7b394455cf41543

SHA256
b1666e1b3d0b31e147dc047e0e1c528939a53b419c6be4c8278ee30a0a2dbd49

SHA512
c84c3794af8a3a80bb8415f18d003db502e8cb1d04b555f1a7eef8977c9f24e188ae28fc4d3223b52eab4046342b2f8fd0d7461130f3636609214a7b57f49cb4

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Analytics

Filesize
4KB

MD5
da298eacf42b8fd3bf54b5030976159b

SHA1
a976f4f5e2d81f80dc0e8a10595190f35e9d324b

SHA256
3abd2e1010e8824f200878942e0850d6e2620a2f0f15b87d32e2451fdda962ec

SHA512
5bf24c2df7cc12c91d1fb47802dbac283244c1010baa68bfae9eb5eb8ee25758156bb1e21f6cc3f55e7d71e5c330888ffd41469b2630eb86237c9970d7ede75e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\CompatExceptions

Filesize
689B

MD5
108de320dc5348d3b6af1f06a4374407

SHA1
90aa226d3c9d50cf4435ecdd2b8b0086d8edeb8b

SHA256
5b462316a51c918d0bae95959bf827cb9c72bbd84ffb0e43b750aa91fbf3ba53

SHA512
70f30c45e20b7cddd0cba6476af9338975cec8e40b8b19603af5fa859a34c6eb2138957daaa263633fe65213e2186402d05d9d29ad53e8f311335555116314c2

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Content

Filesize
6KB

MD5
97ea4c3bfaadcb4b176e18f536d8b925

SHA1
61f2eae05bf91d437da7a46a85cbaa13d5a7c7af

SHA256
72ec1479e9cc7f90cf969178451717966c844889b715dff05d745915904b9554

SHA512
5a82729fd2dce487d5f6ac0c34c077228bee5db55bf871d300fcbbd2333b1ee988d5f20ef4d8915d601bd9774e6fa782c8580edca24a100363c0cdce06e5503f

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Cryptomining

Filesize
1KB

MD5
16779f9f388a6dbefdcaa33c25db08f6

SHA1
d0bfd4788f04251f4f2ac42be198fb717e0046ae

SHA256
75ad2a4d85c1314632e3ac0679169ba92ef0a0f612f73a80fdd0bc186095b639

SHA512
abd55eff87b4445694b3119176007f71cf71c277f20ea6c4dcadfb027fdce78f7afbcf7a397bd61bd2fa4bc452e03087a9e0e8b9cc5092ec2a631c1ebb00ee25

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Entities

Filesize
68KB

MD5
571c13809cc4efaff6e0b650858b9744

SHA1
83e82a841f1565ad3c395cbc83cb5b0a1e83e132

SHA256
ab204851f39da725b5a73b040519c2e6aaf52cb7a537c75802cb25248d02ec1b

SHA512
93ff4625866abf7cd96324528df2f56ecb358235ff7e63438ac37460aeb406a5fb97084e104610bb1d7c2e8693cabedc6239b95449e9abb90252a353038cb2a2

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Fingerprinting

Filesize
1KB

MD5
b46196ad79c9ef6ddacc36b790350ca9

SHA1
3df9069231c232fe8571a4772eb832fbbe376c23

SHA256
a918dd0015bcd511782ea6f00eed35f77456944981de7fd268471f1d62c7eaa3

SHA512
61d6da8ee2ca07edc5d230bdcbc5302a2c6e3a9823e95ccfd3896d2e09a0027fece76f2c1ea54e8a8c4fa0e3cf885b35f3ff2e6208bf1d2a2757f2cbcdf01039

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Other

Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Social

Filesize
355B

MD5
4c817c4cb035841975c6738aa05742d9

SHA1
1d89da38b339cd9a1aadfc824ed8667018817d4e

SHA256
4358939a5a0b4d51335bf8f4adb43de2114b54f3596f9e9aacbdb3e52bef67e6

SHA512
fa8e1e8aa00bf83f16643bf6a22c63649402efe70f13cd289f51a6c1172f504fedd7b63fc595fb867ecb9d235b8a0ea032b03d861ebb145f0f6a7d5629df8486

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Advertising

Filesize
2KB

MD5
326ddffc1f869b14073a979c0a34d34d

SHA1
df08e9d94ad0fad7cc7d2d815ee7d8b82ec26e63

SHA256
d4201efd37aec4552e7aa560a943b4a8d10d08af19895e6a70991577609146fb

SHA512
3822e64ca9cf23e50484afcc2222594b4b2c7cd8c4e411f557abea851ae7cbd57f10424c0c9d8b0b6a5435d6f28f3b124c5bc457a239f0a2f0caf433b01da83f

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Analytics

Filesize
432B

MD5
01f1f3c305218510ccd9aaa42aee9850

SHA1
fbf3e681409d9fb4d36cba1f865b5995de79118c

SHA256
62d7286cd7f74bdfda830ee5a48bce735ee3661bda8ceac9903b5627cbd0b620

SHA512
e5b665e981f702a4a211d0569bb0bc42e3c29b76b3f75aaf8dc173f16f18f7c443f5cf0ccf1550df3aa2b151e607969c2c90ab1a6e7a910dfeb83854cea4e690

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Content

Filesize
48B

MD5
7b0b4a9aafc18cf64f4d4daf365d2d8d

SHA1
e9ed1ecbec6cccfefe00f9718c93db3d66851494

SHA256
0b55eb3f97535752d3c1ef6cebe614b9b67dddfcfd3c709b84c6ecad6d105d43

SHA512
a579069b026ed2aaef0bd18c3573c77bfb5e0e989c37c64243b12ee4e59635aaa9d9c9746f82dcc16ca85f091ec4372c63e294c25e48dfffbed299567149c4e2

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Cryptomining

Filesize
32B

MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Entities

Filesize
42KB

MD5
f446eb7054a356d9e803420c8ec41256

SHA1
98a1606a2ba882106177307ae11ec76cfb1a07ee

SHA256
4dc67d4b882621a93ffdb21a198a48a0bc491148c91208cf440af5f0de3ef640

SHA512
3cc3a521b297e4f48ed4ba29866a5ade380c9f0c06d85bea4140e24b05c6762d645df3d03d0a7058383b559baa3ae34ad3ed2b06017e91a061632862911a823b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Fingerprinting

Filesize
172B

MD5
3852430540e0356d1ba68f31be011533

SHA1
d3f622450bcf0ced36d9d9c0aad630ebccfcb7ff

SHA256
f1f413704c32a28a31a646f60cad36cc2da793e143f70eee72ae56f736df8054

SHA512
7a4faa493c141ea88d6cd933dfc0b50ef6d25983323db2b931c7512e039859d60c4935e56b771264ca72b45c035b1962ad8680d616eaaf04fbc5a6e0b674e435

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Other

Filesize
91B

MD5
09cedaa60eab8c7d7644d81cf792fe76

SHA1
e68e199c88ea96fcb94b720f300f7098b65d1858

SHA256
c8505ea2fe1b8f81a1225e4214ad07d8d310705be26b3000d7df8234e0d1f975

SHA512
564f8e5c85208adabb4b10763084b800022bb6d6d74874102e2f49cc8f17899ce18570af1f462aa592a911e49086a2d1c2d750b601eedd2f61d1731689a0a403

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Social

Filesize
3KB

MD5
318801ce3611c0d25c65b809dd9b5b3c

SHA1
b9d07f2aa9da1d83180dc24459093e20fe9cf1d8

SHA256
2458da5d79b393459520e1319937cfc39caadbc2294f175659fae5df804e1d03

SHA512
7daff0253da90f35bf00141b53d39c7cadacf451a7ecf1667c4ca6e8aed59a0c4a6b44ddc2afffa690e12c2134eddb9f46f72e4317ce99c307d9e524a5fd1103

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Staging

Filesize
16KB

MD5
39bdf35ac4557a2d2a4efdeeb038723e

SHA1
9703ca8af3432b851cb5054036de32f8ba7b083f

SHA256
04441a10b0b1deee7996e298949ac3b029bd7c24257faf910fe14f9996ba12ae

SHA512
732337f7b955e6acaf1e3aaa3395bc44c80197d204bd3cbb3e201b6177af6153cc9d7b22ad0e90b36796f92b0022806c32ac763eaec733b234503890900bf284

Download Submit
C:\ProgramData\Solara\SolaraV3.dll

Filesize
6.6MB

MD5
72b5c3c801a25d3073195c228d7fa3bd

SHA1
30055c1e87225657805c9cfd7447a5421d75bb60

SHA256
a20e553e91b06a7f9232301c980974d95c138ac374125dcb543d97c3946b4c91

SHA512
88350c4de5df735358ffded404a4f52f4ac1d21ffe9faee36f747d00232c1dc1216ad4d7396943f262f0d5c1e1fb502060b98fb2e35dd46ad3021346b6a220b1

Download Submit
C:\ProgramData\Solara\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
4c7f7de2794788eb66da0a6e5246e57e

SHA1
e7a5296c0e0cf0a97d3a65af802dab53972b86eb

SHA256
459ba092663f961661d6555ad5a351d79c3b46cf8aa7d55f1c4d80f7e52be7f5

SHA512
95069e05c89676a4afa00b94167e759263ec9f194a3f8da1040d784484d24935ff8dc250a99cb582a8a20111b260260b2999db4ec12fdddd0ef62368302e5247

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\cache2\doomed\28356

Filesize
30KB

MD5
ece7780013c11045b7fc43a75cc4daba

SHA1
415326c74eecf39f6e2acb65a7a638a71bd1e37e

SHA256
6108a0454dff14e4fd987b7211ce1d40cc06e1b9890ef4bdb48f317dee5a8029

SHA512
52f0ea3d15d34a67d713eb6d7145878fd3784ca1d9a1f4ee1499bce3342b7ff16eb4873e8ac09d89301cbf8e46475f1b4887e84c825c141569b9739202098960

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0ef9d066-463f-4a04-b503-c5e02f937bf3.down_data

Filesize
132KB

MD5
1782244d9f1821c9a63a5087a6e0afd0

SHA1
e75a848a04723c9bbb675e5e2b4cfa5e1ce42368

SHA256
df82425d8726e49ebf5f80c9133ff65b38a6513771033fc1c59df02590472877

SHA512
6b29fd74305e1cb5cd21b235f83b88a49c1df0e7da099ad5512fd34c47d5ea0d3bba7faf84e2116ee6bef69b1b366ec84c1610a1bc44b22bb67a6c8c871d489e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.15.exe

Filesize
2.9MB

MD5
e5833801199a03b60c657c6b96aa3d34

SHA1
6f6914731a21481bf2dd779ee04a753993ec06c3

SHA256
f6de5d95a94c8780de0da6b1fe3a7534d20756ef1fb0800b664afd29f96a9f7a

SHA512
e0b638880793662d360ccb921c91bc40cb675f6b5cfef8c67580ed2885a335e11bf9373dad94dd14c1a7e9b2894bdbdb1aa1fa01586406ee249c71a2918d7bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwnacsps.wya.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
93KB

MD5
053913a8ea56bc5973dd3aa48dfa0a57

SHA1
f291c838cac064afe19dc618df7dba91c71c5ec6

SHA256
d6147d18985d4ab04c8e23d1f755ba92765ea63daf8bb498b18dbd5586ce8a25

SHA512
31d52760f4ae13f57f87ab17124141e55560c52e41ed013d9739fb1b856f1b1f02ba2f23f0b1ca7640a2edcb5aadf6511160d2f65625db3951082e85e3e16643

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
ba3337544081e95a307e5c4bbefcede6

SHA1
57f6c892b0c55da0f63a18b51349f3cda773a12c

SHA256
1ad21358c17f41acfa383b7f1838f4cd7574b85d759a4ceb07de533745dbd8eb

SHA512
6af27770c1bb9c2111eee36921be0d0055f6fd3a441c8f58bd5324d6123fd0ce61d64933811e1a2676fa3a26a28dd89c90ca8cb1c55b96a9cf892a7e0b7f7902

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
5a08a4bbbde511aa25d121be4e4a9ff7

SHA1
5b5fa675cb8fb2a5c068328e942fb229920eaa54

SHA256
d6f1171ea217d1ec774ead1099c1d3de9f6434251084af9b86399876e8f8b2c0

SHA512
9a2090493c1c64d539fb39f51fe5df8f8d7dc4f2dea24cdf559e528da6fb46d33608b66e6ef5f45e5d8dcf7e90075f6d455d4dfd415a51803ba9bc8357716f46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
fca32bf0947fcba218fa993c9fbbe6eb

SHA1
09e6094c33f800fc93e6cf41a2e05fab22dc6d07

SHA256
ff91559828c61bc5d862939e576561cdbc802ed37b3278196359c2cac61d5748

SHA512
600d87a66b74da9b423eddd3a776cd97e319e81add69724ca07a22d9ba5df64e41d8ba3b3c62d55e0f45d8f25906c5e580c6e50240eb54f103a40b4bebcc5916

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin

Filesize
6KB

MD5
e1e01c3752ee3808c31fe51cfe48964d

SHA1
fff992b868a3e5fff72a76d3b1a3583edae3e72c

SHA256
7b92649bccab4d7a50e3adafa6921b51b699df4da0f57cf427cf91a3606337b5

SHA512
a80a7c867ebf06208706e62a8287d7e28cf8dbe2418fe1861c4e8418aae6d5463c6660ff992ed4aebeb9660eb27f2bd47b365f40649ff185c7c5c0d7ff0c13f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin

Filesize
12KB

MD5
cf0273baab8fba2fb012c5e04f8a9c80

SHA1
91a4658dec84ebbb4fb0ca1b2bc962fc241665e5

SHA256
ba7c55cfa9a457d55887a6c3f6d2321b4141f487baa373b17a616f355939adf8

SHA512
2a1862ba14b8d2b41a0ba8a8cd2b481791b79e1f3e50464fba7f31d4b9aab8212024a24e25c97000312c307f4dfc9195de63336da398f29ef3539a3c33f1bfb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\bookmarkbackups\bookmarks-2025-01-16_11_vguqMnBcz+5CMA42E4yudQ==.jsonlz4

Filesize
1008B

MD5
4a9b18b081bb33102d1f2637d1afa680

SHA1
8218e5532f33447c23b3889523ca1416a87846e3

SHA256
3e452b585b88f0f0f08250f21aa41e9cbf8328153888a4aac6ac0399755d57c7

SHA512
d7d3fc51bc8bbf2aa2a3051aa80248d8efc526679ac7ca3d3e512b3194b5041966c351ae0459f52a4cc52783c78fe38443e45a9c91452017f9424abe7ebd61f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
160944e0087e10abe7666d6593de4d76

SHA1
6949884ec64c8ec3b640d776ed1db9081f484a66

SHA256
186d5dcd8e8539bff9dba7efc2b2af252f71a303f7b221bf6aaa461cd501cc24

SHA512
0dc06af162068e88b410fbf22c25d06c476a8948b75c2357d6e4510d292792b202bb80dfd323c976affd68415e1657615a3fa0be66aea314fe68d96f717f31b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
81KB

MD5
4051d048daf0477ed25fdd748f1c781a

SHA1
fa6c4e64f940b736310206a9330004ec171b31c1

SHA256
9ceacbb09fea1e9aac166e4b8c6730f8bf0427cef5b37178127f840868cc6301

SHA512
71b4509a746de4b0f124a35438f1bad7023c1bacea599d694a96571966be9c55bb18a448c4f5e70c6c930c178375d28356b9d7b1b614caefad54f329c4a617d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
80KB

MD5
81cbfdfa8a16bc6ce0e7386f273d905a

SHA1
a231faa19d9a13df4801970e18a6a52b134d8cf9

SHA256
f012697d1ec6b8e666326ec19641c70d49523168a920fb7b816ca3c0a10b4a2c

SHA512
a42f77e1e2aeb231a2f4deb19d0004aed1685dca44248ec3424452754e3de6b6e890db679af77eb23ac29ad701fd0f26c0ed1197f11fc6548156029d9d25c6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
191f289b23b92a5411208d1598bf7f12

SHA1
2ee899674610291e40d3bd31cb7f109bc7e54e17

SHA256
b20c2253f19797cde1cc930ffd98de48adc1130cf714c1da7a0ac7b28968a65c

SHA512
2982e8d93bf539ae40564a115b7d7f557ee242291530344fa82d309795bc3600957346159a38a95eef897624ddc6dda8182228045670c4926ce38e5e6a54d830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
e6743d1ea43b637f3616d1a0f26f194c

SHA1
b64e48d1d4170d47111a99c99b2be0f059135017

SHA256
9bd9da764fbf494109a50fc7a42aed022399d961cc19b1f26f28846b2234fd89

SHA512
a31abb189f8a0fd91eaa09bfbe7e5b9783feca0a31244848c36675701fdb117031bbe8a864aaed7c5295d7665560276a8ba32e61ab28a4efe08c7afed95737a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\23f65f94-84b2-4622-ad31-1229dedd36ec

Filesize
982B

MD5
82430ad2c1e684bfd767c5b0e1de6b36

SHA1
a31509557fb5b0ab94f3be7183fa8b3ac5f70c41

SHA256
8a02019ff8cd515af240f402fc77054a9fd200deb95f31b53d41d0daf54cc415

SHA512
0270f1652dcb13c59f4e9e661199790657bd62cf39dd49482eba0b219b58433cb591e053f72670a4ce79f221132e0a1a0e88c4bba1d181401faf037b80d6bb04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\39438a6f-9dde-41f8-924c-a3f3549d099b

Filesize
846B

MD5
0cc935cd194ac43948efd8af8f147320

SHA1
89af220b1d08dcdc3dd75942eb7a9a1042dcdaab

SHA256
ac6741a5a2d0b90db02fa4f9dde428a1baa173850328dda08b5e5e6ce8c78665

SHA512
13e3d984d8bf9251cb8ef3c1002fedadb0bb6a50f73e02f7a9fe5026a76c3fbae0c0ed1fbbbdbd74b07eafe0aef09e73d44f479473435de6b6900838bab15ddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\7a953b6a-b28f-4f5e-ba87-8cfac4446c1d

Filesize
841B

MD5
5d544b017ab0cefd347a2fd9fd0282a2

SHA1
140d957ffd0d1de7d323fdf8a03f114ff8ee0242

SHA256
72759614e13fb4be59c1c3a1243bf287e1658df74cc91b9e681428a092c8b87e

SHA512
df9e653e2965058ef915d229d1ac67195da025ec3d22bbf18a07f5fd2cf0c9b2b4d3f6853ff316563742f64680432d22136e5dd49e4b5d739efebc0c4f2c75e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\8dd18b9f-12ab-4a3a-adac-366d61132161

Filesize
2KB

MD5
c33ef1e67e56e75987370708df67a656

SHA1
7904c1190fc8d8e12ed19f00efbc4a10e9c42981

SHA256
12e6bbfab0181d86feff101c17b7e643c739d1b3f57a6aae5aa331f6d969181a

SHA512
0122b83754487d3461ae4f462cb7308426da1153708abfa4091f952cf5086c7941d42d326910388667b64c5c47ec87671bd833fb23b3167d2646092c4f93798b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\8e40c514-b933-4b31-954c-53fdb5c5d8da

Filesize
1KB

MD5
0d79da85667fddedee9e7422bc4d235b

SHA1
ce4f40962d38213bdb2afc0900498add3d7f831c

SHA256
ca81ede37d89f729a16f998d00e78fb62d6ebd6bf333ab959603db2b43fab279

SHA512
7872a98bc143cef38840f5b605fd2ff23a1e63677c9bb293fc3bb83b63c175cdb8a44dd704c36e9321931f434fc27170581dccaedb15696b8054e0addb0fb1e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\b2a13416-1cfe-4b3b-b7d5-ba0882bb891f

Filesize
24KB

MD5
8d67431211f161d0817f73b346dfad06

SHA1
2327e99fefa6c651c5551010cda685a88e0e3c0f

SHA256
3daa199bf73cd75271a1c159cb34c448fc663e3f0a2e842917247e44c9d0b2ed

SHA512
fe982f64c8c0829c534cffc7be4f1ed9c63f7f428698ecf7f7881d2c5f64b0cca0d048333011354c0e9cdb340d9aec105c96e0973dc163c55aa70d29722abe92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\c2ae8e03-208d-4f98-80f5-e32e140563f1

Filesize
671B

MD5
ab081ed0039dead4e0a131ddcede2a81

SHA1
789ce250da53b57aa6b88cdd1d4fa21a22085c88

SHA256
9c0bd2068796c537fefd3d91c92134da66e9c41ef088b12ed0c06d792a2ca40c

SHA512
65802273a4977f56c280c34e33afaef1b74b27ecf67fca755544fdbb50cf8c9a7cd41a435e7deecc48ad5f91fbf7e1a45438b8a1e4d9959ae421b65cca9ea8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
9KB

MD5
9458c45b78153a8a2e8d567f2100dca3

SHA1
e8ffb32476e7063ebc7552d9a68d0f877ae7a188

SHA256
068781ffd9d279b549fe08361a4e1a7742ea03566274a4282a7941be16ced0aa

SHA512
96eeb8774929f1c1c6ee12f064cd5357d0fe8105072a253469522e93b382fb677686a18ddb3e95b2d09ff8a0704137deed31772af86bd77cb2d9de96e9f0de76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
10KB

MD5
40b78a06189b89dbeceedb18641b8e8c

SHA1
a38f8507df1c8ae8e50cc2a141e3eb0977173326

SHA256
7221056f876bbc79a32371db19d3bccf0c4bd9d84dc20d231f5e4d431ae0b211

SHA512
6d65e268b5c7f01649c95b4de363bd4374d823b32bb2662da738e53b66bd512879cb2cf9e36a40919a746cb5e737ab08b632078903b8635a7e0d0a9dd37bd92f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js

Filesize
10KB

MD5
20ca72effa20f03180f5dba62d39ddc4

SHA1
228d90005ada26d576cc50fdc18f4728f52638a3

SHA256
f666689ed8b83eb27573f73578130e875a43a76ce3c82b04f1faf51b74a602a7

SHA512
a94472424db826f1d6b5b03c7d0f0a8b166e7dc1ab6394ae63643256c6a4d04f290049b55ccc9d5efbdd0f92eabf6e17f2e39f6ccc955f7e2debc3cd42779688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js

Filesize
11KB

MD5
2abbbd591bf6c6b6bc0cce47496571fc

SHA1
b4968549435648bcf142101592fb86e2fac8f685

SHA256
763f14776484ffc7a1eea8f0e6a8f801a538b9336fac0036f78ea50f689fe159

SHA512
7308d04be3089098829f539ffb474f0e8785c7147ccd7b2a788fe573f3796ae5d16b58b99155c8a1f8fdf6507935117829d36fa4f75c1f9fdef4a853169c0dc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
d9bb72d59c7b0b0c92021337e16750eb

SHA1
75fa3370a80dd8d18ec6dfb1f80a8db0170caaf5

SHA256
40413c16684824bd200bfc201e423fcfaacc2c2a6ca5120c71ad3c940e5e9514

SHA512
44e2088f7bddcbf5dc4c07696fada4976d95ce0391f166a7260d46f0a96774d49eb932ec27c766acc19fe1eeb4c920d6f8bf0d998267331388b86740f3ada56f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
a2216c893ab39e14f865b6b0415e0778

SHA1
ee95d4dad1c91c078dd5d8509a1d2d160ce0ade9

SHA256
a93eb46ee8d67964053560b7ed5b1f2a08046ce20438d68f698e4067bfef2e8a

SHA512
61ad295c8ae8eae1bdcffb8b65ce86bb67c85c23fe640efac2032219896382061d0d9655516576f99a4bd731ae63dc11cbca71929188d59112f3498f717118ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
d70dd4eeda2a70ec920a3c95a890a460

SHA1
0769c67fa0e5201a191619ff05e0ba2de8127eee

SHA256
eadf281a79778288f6fbcfa23ae496a6203417476750e3401a789dd6a6b13d67

SHA512
327b4196d04e0a66f207a6fc2385686e9a0e3ba42d346452f4c49eedf2b7a7d5c3374583cfbfdd628c5701517a067604f6f7a5d60c05746b54d079ff0c784fb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
e4bcf1745ff587201e9fb791dd66e600

SHA1
a57c5711f2a9655e63432c1384f1eb44e63833f0

SHA256
feb11d9daa213669cb868991c5ac9e7dd8c68f351b45b2bb866297cc1ea138f7

SHA512
16dab2bd669dcdd576280d1df6ed2bceda32fe0473b9b4b2ad396349cb6823d872de9ea160ff39c0958056bb9f089bf02ddbb5d448ab2238e8a7150f3a4390ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
c6a99301bb0c9fc11c0417656819b129

SHA1
02171c547f724367ba1d3985752446b44f43850f

SHA256
26a8f340a0e880ac6f66d84245c61ad61d8e0b8cb113359ddbe3d38cc7fba96f

SHA512
d0be308537fbc36c6288af3de63330edc8206c99eb33b5d3feb7eda5a3b7651aeed022d691a17a1d61c9339b47d8c0802a4ff1da8500073646cd24c8e3c08669

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
7e36f98a1bb502b6532070948a5ecef9

SHA1
16b53e6c59e694b4e106144065060b285c2e2f35

SHA256
d09113bc4efdf8f77026b88b252a00223e6b3bdfa790689058d9951f947a0106

SHA512
c9f51664dbacb6b258e65c965e0eca347577b45768bf6241714145deb24a92ec8b349224ae340f192e053ddb1867eb03c3d9a701f800b5e436bea57d8cb75f4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
4b6edbd46c98e0078f19ac76148bbf79

SHA1
812cd7c8504f426dd26bacb713b8e67f80731d0e

SHA256
d248f184c5cb43c3133e7ade5a566d9055ceba8163f0d89a1b8f272b738b0882

SHA512
f5b13799b5b8d37360282f23a305b4c394bd698ca711bab4994af81f176f645aeaf533ec0332fec7228e7a0a1e5e52a35289a509f741096e9b76196f099196e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
0fc45106da85303e8e7963d9899839e3

SHA1
e4f7e3b43b880489cfc337fa34bb5979eb254a70

SHA256
c5584812fc5c08d8a93a1757b51b4de04c9d6dec88dd5cf7b97888a63505d75d

SHA512
256ae48e7c7df7768390a6be46714e53f89c331f79d294beadedd49a254303d9e39a2458b9b2f7f195f0d49f08594e572bdfab521e5a9c0560d23a1170d207a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
e4b0a1784c68928b928f23ab4fa85f75

SHA1
e882bb2b1f05599c9acb3e326de938012f75e538

SHA256
700e7de39f7aeeed90a73d97806e700d45273daedfe9fa374204e729b8dd892b

SHA512
bfac7210e7ed26ddaa9afd74e1e9b03289d0af5cd612a33e769c78e76525dd7910cd919eaa483178a88c5d1bfb89a5c4f23635e69199f12522a37e22265f6c92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\storage\default\https+++www.roblox.com\idb\3140325527hBbDa.sqlite

Filesize
48KB

MD5
1a0c46a3491f6c17dee740933867984f

SHA1
f025212fef23d973026c36f0627ffc4ac595acdf

SHA256
ab2d169b8afcda96ef5d2f948c2961671b4e8d35ea54ff0034e94c15ab57f03b

SHA512
a798902e1aaad7476167f35a14a54c07da8c6dcb2d09ea902aeeeef91fb346e096484b06d3eab6130eb0ee6e835dde607c1170215a2ba77e377800d9070aa4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
560KB

MD5
6376e0d4ea173903e11b33d3550a5c17

SHA1
3f16578f6401174d7d36e786e0cc3ff9c136dc94

SHA256
30c8fc0745d80c3a412ad2a103a8bf459ef4e07e085e619fdee27c1caefd219c

SHA512
2b57c96eb1ec35f39d3c65d42bade8fa0e359b41afbaaacedcca29d9a5a8625ba75bb21b2bdae1c58d976bad1ecd3e4b5f527fbd449f7c987e9ffc33c2471474

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
02b81b0cbe1faaa1fa62d5fc876ab443

SHA1
d473cfe21fb1f188689415b0bdd239688f8fddd9

SHA256
e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb

SHA512
592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784

Download Submit
memory/776-98-0x000001A9163C0000-0x000001A9163E2000-memory.dmp

Filesize
136KB

Download
memory/776-22-0x00007FFB039E3000-0x00007FFB039E5000-memory.dmp

Filesize
8KB

Download
memory/776-97-0x000001A92EC80000-0x000001A92ECC2000-memory.dmp

Filesize
264KB

Download
memory/776-23-0x000001A9145E0000-0x000001A9146AE000-memory.dmp

Filesize
824KB

Download
memory/1164-40-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/1164-20-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/1164-25-0x0000000005CD0000-0x00000000062FA000-memory.dmp

Filesize
6.2MB

Download
memory/1164-24-0x00000000033F0000-0x0000000003426000-memory.dmp

Filesize
216KB

Download
memory/1164-27-0x0000000005930000-0x00000000059BA000-memory.dmp

Filesize
552KB

Download
memory/1164-28-0x0000000005AF0000-0x0000000005B12000-memory.dmp

Filesize
136KB

Download
memory/1164-30-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/1164-39-0x00000000064A0000-0x00000000067F7000-memory.dmp

Filesize
3.3MB

Download
memory/1164-56-0x000000006F2F0000-0x000000006F33C000-memory.dmp

Filesize
304KB

Download
memory/1164-55-0x0000000007070000-0x00000000070A4000-memory.dmp

Filesize
208KB

Download
memory/1164-65-0x0000000007A80000-0x0000000007A9E000-memory.dmp

Filesize
120KB

Download
memory/1164-29-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/1164-41-0x0000000006A10000-0x0000000006B12000-memory.dmp

Filesize
1.0MB

Download
memory/1164-74-0x00000000080B0000-0x00000000080BE000-memory.dmp

Filesize
56KB

Download
memory/1164-66-0x0000000007AB0000-0x0000000007B54000-memory.dmp

Filesize
656KB

Download
memory/1164-75-0x00000000080C0000-0x00000000080D5000-memory.dmp

Filesize
84KB

Download
memory/1164-67-0x0000000008430000-0x0000000008AAA000-memory.dmp

Filesize
6.5MB

Download
memory/1164-43-0x00000000069B0000-0x00000000069FC000-memory.dmp

Filesize
304KB

Download
memory/1164-42-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/1164-68-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

Filesize
104KB

Download
memory/1164-72-0x0000000008030000-0x0000000008041000-memory.dmp

Filesize
68KB

Download
memory/1164-69-0x0000000007E80000-0x0000000007E8A000-memory.dmp

Filesize
40KB

Download
memory/1164-76-0x0000000008110000-0x000000000812A000-memory.dmp

Filesize
104KB

Download
memory/1164-70-0x0000000008060000-0x00000000080AC000-memory.dmp

Filesize
304KB

Download
memory/1164-71-0x0000000008150000-0x00000000081E6000-memory.dmp

Filesize
600KB

Download
memory/1164-77-0x0000000008100000-0x0000000008108000-memory.dmp

Filesize
32KB

Download
memory/2140-128-0x0000022489BA0000-0x0000022489BBE000-memory.dmp

Filesize
120KB

Download
memory/2140-144-0x00000224BA8D0000-0x00000224BA8E2000-memory.dmp

Filesize
72KB

Download
memory/2140-111-0x000002249F9C0000-0x000002249FCA2000-memory.dmp

Filesize
2.9MB

Download
memory/2140-112-0x00000224A00E0000-0x00000224A00F0000-memory.dmp

Filesize
64KB

Download
memory/2140-113-0x00000224BA2A0000-0x00000224BA2A8000-memory.dmp

Filesize
32KB

Download
memory/2140-114-0x00000224BA2D0000-0x00000224BA2F0000-memory.dmp

Filesize
128KB

Download
memory/2140-115-0x00000224BE430000-0x00000224BE468000-memory.dmp

Filesize
224KB

Download
memory/2140-117-0x00000224BEB30000-0x00000224BEC30000-memory.dmp

Filesize
1024KB

Download
memory/2140-116-0x00000224BA2C0000-0x00000224BA2CE000-memory.dmp

Filesize
56KB

Download
memory/2140-118-0x00000224BA2F0000-0x00000224BA2FA000-memory.dmp

Filesize
40KB

Download
memory/2140-120-0x00000224BA390000-0x00000224BA398000-memory.dmp

Filesize
32KB

Download
memory/2140-121-0x00000224BE470000-0x00000224BE486000-memory.dmp

Filesize
88KB

Download
memory/2140-122-0x00000224BA380000-0x00000224BA38A000-memory.dmp

Filesize
40KB

Download
memory/2140-124-0x00000224BE490000-0x00000224BE498000-memory.dmp

Filesize
32KB

Download
memory/2140-123-0x00000224BA300000-0x00000224BA30A000-memory.dmp

Filesize
40KB

Download
memory/2140-119-0x00000224BA350000-0x00000224BA376000-memory.dmp

Filesize
152KB

Download
memory/2140-126-0x0000022489CC0000-0x0000022489D72000-memory.dmp

Filesize
712KB

Download
memory/2140-129-0x00000224BE4F0000-0x00000224BE4FA000-memory.dmp

Filesize
40KB

Download
memory/2140-143-0x00000224BA9C0000-0x00000224BAAC2000-memory.dmp

Filesize
1.0MB

Download
memory/2884-481-0x0000028BEA550000-0x0000028BEA596000-memory.dmp

Filesize
280KB

Download
memory/2884-1898-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-483-0x0000028BEA3A0000-0x0000028BEA3B0000-memory.dmp

Filesize
64KB

Download
memory/2884-1409-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-480-0x0000028BEA680000-0x0000028BEA732000-memory.dmp

Filesize
712KB

Download
memory/2884-478-0x0000028BEA5C0000-0x0000028BEA67A000-memory.dmp

Filesize
744KB

Download
memory/2884-469-0x0000028BEA950000-0x0000028BEAE8C000-memory.dmp

Filesize
5.2MB

Download
memory/2884-455-0x0000028BCFCF0000-0x0000028BCFD8C000-memory.dmp

Filesize
624KB

Download
memory/2884-516-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-519-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-518-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1643-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1653-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-517-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1672-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1689-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1699-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1706-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1721-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1388-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1794-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-705-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1816-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-772-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-859-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1831-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1847-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1853-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1859-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1864-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1870-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1574-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1886-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-488-0x0000028BEAE90000-0x0000028BEAF20000-memory.dmp

Filesize
576KB

Download
memory/2884-1905-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1915-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1916-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1564-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1551-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1514-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1957-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1966-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1981-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-897-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1991-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1994-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2001-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2002-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2006-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2009-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2013-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2026-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1478-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2029-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2030-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2031-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2043-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2055-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2059-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-2066-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1197-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1462-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/2884-1448-0x0000000180000000-0x00000001810FC000-memory.dmp

Filesize
17.0MB

Download
memory/4032-21-0x0000000074E92000-0x0000000074E94000-memory.dmp

Filesize
8KB

Download
memory/4032-19-0x0000000074E91000-0x0000000074E92000-memory.dmp

Filesize
4KB

Download
memory/4808-609-0x00007FFB23E80000-0x00007FFB23E81000-memory.dmp

Filesize
4KB

Download