8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
106s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20250207-de
resource tags

arch:x64arch:x86image:win10v2004-20250207-delocale:de-deos:windows10-2004-x64systemwindows
submitted
09-02-2025 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

9^/10

defense_evasion discovery execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2436	powershell.exe
1524	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
40	2760	Process not Found
47	3808	Bootstrapper.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	BootstrapperV2.19.exe

Executes dropped EXE 2 IoCs

pid	Process
2616	BootstrapperV2.19.exe
4444	Solara.exe

Loads dropped DLL 2 IoCs

pid	Process
4444	Solara.exe
4444	Solara.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023e4a-140.dat	themida
behavioral2/memory/4444-142-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral2/memory/4444-144-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral2/memory/4444-145-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral2/memory/4444-143-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral2/memory/4444-146-0x0000000180000000-0x0000000181111000-memory.dmp	themida

Unexpected DNS network traffic destination 28 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	55	1.0.0.1	1720	Process not Found
Destination IP	75	1.0.0.1	4444	Solara.exe
Destination IP	80	1.0.0.1	4444	Solara.exe
Destination IP	106	1.0.0.1	1720	Process not Found
Destination IP	115	1.0.0.1	4444	Solara.exe
Destination IP	24	1.0.0.1	1720	Process not Found
Destination IP	26	1.0.0.1	2616	BootstrapperV2.19.exe
Destination IP	73	1.0.0.1	1720	Process not Found
Destination IP	38	1.0.0.1	1720	Process not Found
Destination IP	92	1.0.0.1	1720	Process not Found
Destination IP	83	1.0.0.1	1720	Process not Found
Destination IP	25	1.0.0.1	1720	Process not Found
Destination IP	39	1.0.0.1	1720	Process not Found
Destination IP	51	1.0.0.1	1720	Process not Found
Destination IP	67	1.0.0.1	1720	Process not Found
Destination IP	71	1.0.0.1	1720	Process not Found
Destination IP	28	1.0.0.1	3908	MicrosoftEdgeUpdate.exe
Destination IP	37	1.0.0.1	1720	Process not Found
Destination IP	69	1.0.0.1	1720	Process not Found
Destination IP	32	1.0.0.1	1720	Process not Found
Destination IP	56	1.0.0.1	1720	Process not Found
Destination IP	78	1.0.0.1	2616	BootstrapperV2.19.exe
Destination IP	90	1.0.0.1	1720	Process not Found
Destination IP	21	1.0.0.1	4444	Solara.exe
Destination IP	46	1.0.0.1	1720	Process not Found
Destination IP	81	1.0.0.1	1720	Process not Found
Destination IP	91	1.0.0.1	4444	Solara.exe
Destination IP	97	1.0.0.1	1720	Process not Found

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
80	pastebin.com
84	pastebin.com
85	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4444	Solara.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3908	MicrosoftEdgeUpdate.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1924	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2616	BootstrapperV2.19.exe
2436	powershell.exe
2436	powershell.exe
1524	powershell.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe
Token: 35	2380	WMIC.exe
Token: 36	2380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe
Token: 35	2380	WMIC.exe
Token: 36	2380	WMIC.exe
Token: SeDebugPrivilege	3808	Bootstrapper.exe
Token: SeDebugPrivilege	2616	BootstrapperV2.19.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4444	Solara.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 4988	3808	Bootstrapper.exe	88
PID 3808 wrote to memory of 4988	3808	Bootstrapper.exe	88
PID 4988 wrote to memory of 1924	4988	cmd.exe	90
PID 4988 wrote to memory of 1924	4988	cmd.exe	90
PID 3808 wrote to memory of 2600	3808	Bootstrapper.exe	94
PID 3808 wrote to memory of 2600	3808	Bootstrapper.exe	94
PID 2600 wrote to memory of 2380	2600	cmd.exe	96
PID 2600 wrote to memory of 2380	2600	cmd.exe	96
PID 3808 wrote to memory of 2616	3808	Bootstrapper.exe	102
PID 3808 wrote to memory of 2616	3808	Bootstrapper.exe	102
PID 2616 wrote to memory of 2436	2616	BootstrapperV2.19.exe	104
PID 2616 wrote to memory of 2436	2616	BootstrapperV2.19.exe	104
PID 2616 wrote to memory of 1524	2616	BootstrapperV2.19.exe	106
PID 2616 wrote to memory of 1524	2616	BootstrapperV2.19.exe	106
PID 2616 wrote to memory of 4444	2616	BootstrapperV2.19.exe	108
PID 2616 wrote to memory of 4444	2616	BootstrapperV2.19.exe	108

cURL User-Agent 8 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	109	curl/8.9.1-DEV
HTTP User-Agent header	117	curl/8.9.1-DEV
HTTP User-Agent header	118	curl/8.9.1-DEV
HTTP User-Agent header	94	curl/8.9.1-DEV
HTTP User-Agent header	100	curl/8.9.1-DEV
HTTP User-Agent header	101	curl/8.9.1-DEV
HTTP User-Agent header	102	curl/8.9.1-DEV
HTTP User-Agent header	108	curl/8.9.1-DEV

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1924
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.19.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.19.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Unexpected DNS network traffic destination
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Solara'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe" --bootstrapperPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Unexpected DNS network traffic destination
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:4444

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTQ4MDA3NjEtNzdEQi00Njg4LUJDODktOUMzRjUwOTgxNUJEfSIgdXNlcmlkPSJ7NzJDRDlGQ0UtMzhGNy00NTkxLUI4MUQtMEUxQTAxRjJERTZBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjQ3NUY5NjUtRTc0Qy00ODlBLUFDMjAtMDUxNEFBMEUwMUQyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTc4NjE3MTcwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- Unexpected DNS network traffic destination
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e107c88a6fc54cc3ceb4d85768374074

SHA1
a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

SHA256
8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

SHA512
b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

Download Submit
C:\ProgramData\Solara\Monaco\combined.html

Filesize
14KB

MD5
2a0506c7902018d7374b0ec4090c53c0

SHA1
26c6094af2043e1e8460023ac6b778ba84463f30

SHA256
cad1e2eef6e20e88699fac5ef31d495890df118e58c86fc442ea6337aac7a75a

SHA512
4a9856512e7866b8623565886e5f3aebf15c824cb127e24be9afa2a5501a83fa95d209875a8777566bcac9973b38881e18caf6ad160c8d01366a508cafc2164b

Download Submit
C:\ProgramData\Solara\Monaco\index.html

Filesize
14KB

MD5
610eb8cecd447fcf97c242720d32b6bd

SHA1
4b094388e0e5135e29c49ce42ff2aa099b7f2d43

SHA256
107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7

SHA512
cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
619KB

MD5
91f5d6abf1fc57cb3e6222f10c51bff1

SHA1
fd1183ba06cf793f12de674d8aa31bd8bfbe1172

SHA256
c48c486f8655d33b4b0d7fc169adf5cbc964c723161953ef5877e99e45833840

SHA512
4538dc6b1c0c21f09fcce5a496538c25cbbc88bd5bb484806fa9426753691df7d798882085be0bdf4ee542da793c04a0d45675265a6ced2f4ea61b691909597a

Download Submit
C:\ProgramData\Solara\SolaraV3.dll

Filesize
6.6MB

MD5
10d99a6d714e98f1e7989dda7052b837

SHA1
b2293ba8e3bb04b266c9d9cf50075d9c883067c0

SHA256
b70b77c0c0ff6d0ee35c06e4ea0166f1e5b0ca87c99d328ee4fd61544cf739fe

SHA512
bfe0866eac5f983163d3aa329a33856ad390c5a4c1533687e3e4f7bf9267e1a9e1af1e18caeca7c831e7e266a1c561262e15094ad82ddd78afe8c1a9e5e2fe40

Download Submit
C:\ProgramData\Solara\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.19.exe

Filesize
2.9MB

MD5
e398a0557b44366c849b85fbe26a63e1

SHA1
d20b6b46fc572a435e4e5eb7f5dbd3e601725bac

SHA256
63466a7b4c4ca557cbb2e8b57c125db52fffb234fdbfa38f31eb61b040411e7d

SHA512
a4c0a608ea1f4a33bd39a5536dc4b2105598e3fa4a9ff9033b2279f885a7251684761e1f4ac7b1ba5226de2b0ca777fdc971f0a7f22e65f66f0a3b9c601291d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kpkgeed0.aoc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2436-37-0x0000026D77970000-0x0000026D779F6000-memory.dmp

Filesize
536KB

Download
memory/2436-48-0x0000026D77C10000-0x0000026D77D14000-memory.dmp

Filesize
1.0MB

Download
memory/2436-47-0x0000026D77900000-0x0000026D77910000-memory.dmp

Filesize
64KB

Download
memory/2616-26-0x0000019AA13E0000-0x0000019AA1418000-memory.dmp

Filesize
224KB

Download
memory/2616-30-0x0000019AA13A0000-0x0000019AA13C6000-memory.dmp

Filesize
152KB

Download
memory/2616-31-0x0000019AA1420000-0x0000019AA1428000-memory.dmp

Filesize
32KB

Download
memory/2616-32-0x0000019AA1430000-0x0000019AA1446000-memory.dmp

Filesize
88KB

Download
memory/2616-33-0x0000019AA13D0000-0x0000019AA13DA000-memory.dmp

Filesize
40KB

Download
memory/2616-34-0x0000019A9BF10000-0x0000019A9BF1A000-memory.dmp

Filesize
40KB

Download
memory/2616-35-0x0000019AA1460000-0x0000019AA1468000-memory.dmp

Filesize
32KB

Download
memory/2616-29-0x0000019A9BF00000-0x0000019A9BF0A000-memory.dmp

Filesize
40KB

Download
memory/2616-28-0x0000019AA1AB0000-0x0000019AA1BB0000-memory.dmp

Filesize
1024KB

Download
memory/2616-27-0x0000019A9BED0000-0x0000019A9BEDE000-memory.dmp

Filesize
56KB

Download
memory/2616-21-0x0000019A81680000-0x0000019A81962000-memory.dmp

Filesize
2.9MB

Download
memory/2616-25-0x0000019A9BEE0000-0x0000019A9BF00000-memory.dmp

Filesize
128KB

Download
memory/2616-24-0x0000019A9BEB0000-0x0000019A9BEB8000-memory.dmp

Filesize
32KB

Download
memory/2616-63-0x0000019A9D930000-0x0000019A9D9E2000-memory.dmp

Filesize
712KB

Download
memory/2616-65-0x0000019A9D9E0000-0x0000019A9D9FE000-memory.dmp

Filesize
120KB

Download
memory/2616-66-0x0000019A9DA10000-0x0000019A9DA1A000-memory.dmp

Filesize
40KB

Download
memory/2616-68-0x0000019A9DBD0000-0x0000019A9DBE2000-memory.dmp

Filesize
72KB

Download
memory/2616-23-0x0000019A81D70000-0x0000019A81D80000-memory.dmp

Filesize
64KB

Download
memory/3808-22-0x00007FFAA9270000-0x00007FFAA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3808-2-0x00007FFAA9273000-0x00007FFAA9275000-memory.dmp

Filesize
8KB

Download
memory/3808-1-0x00000252652D0000-0x000002526539E000-memory.dmp

Filesize
824KB

Download
memory/3808-3-0x00007FFAA9270000-0x00007FFAA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3808-0-0x00007FFAA9273000-0x00007FFAA9275000-memory.dmp

Filesize
8KB

Download
memory/3808-5-0x00000252670F0000-0x0000025267132000-memory.dmp

Filesize
264KB

Download
memory/3808-6-0x0000025267140000-0x0000025267162000-memory.dmp

Filesize
136KB

Download
memory/3808-7-0x00007FFAA9270000-0x00007FFAA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4444-131-0x0000026B94670000-0x0000026B94680000-memory.dmp

Filesize
64KB

Download
memory/4444-129-0x0000026BAE6F0000-0x0000026BAE738000-memory.dmp

Filesize
288KB

Download
memory/4444-128-0x0000026BAE870000-0x0000026BAE922000-memory.dmp

Filesize
712KB

Download
memory/4444-136-0x0000026BAEAC0000-0x0000026BAEB50000-memory.dmp

Filesize
576KB

Download
memory/4444-126-0x0000026BAE7B0000-0x0000026BAE86A000-memory.dmp

Filesize
744KB

Download
memory/4444-123-0x0000026B92820000-0x0000026B928C0000-memory.dmp

Filesize
640KB

Download
memory/4444-125-0x0000026BAEC30000-0x0000026BAF16C000-memory.dmp

Filesize
5.2MB

Download
memory/4444-142-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/4444-144-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/4444-145-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/4444-143-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/4444-146-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download