salatstealer | hxxps://workupload[.]com/file/knU7s5aPPQb

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/knU7s5aPPQb

Score

10^/10

salatstealer discovery stealer upx

Malware Config

Signatures

Detect SalatStealer payload 12 IoCs

resource	yara_rule
behavioral1/memory/4984-214-0x0000000000CA0000-0x000000000181C000-memory.dmp	family_salatstealer
behavioral1/memory/4588-215-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/4588-216-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/4588-217-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/4588-218-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/4588-219-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/4588-224-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/4588-225-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/1124-230-0x0000000000CA0000-0x000000000181C000-memory.dmp	family_salatstealer
behavioral1/memory/5588-239-0x0000000000CA0000-0x000000000181C000-memory.dmp	family_salatstealer
behavioral1/memory/4588-241-0x0000000000C40000-0x00000000017BC000-memory.dmp	family_salatstealer
behavioral1/memory/3708-242-0x0000000000CA0000-0x000000000181C000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 6 IoCs

pid	Process
4984	SOLARA.exe
4588	StartMenuExperienceHost.exe
1124	SOLARA.exe
2072	adb.exe
5588	SOLARA.exe
3708	SOLARA.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	adb.exe
2072	adb.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000024331-173.dat	upx
behavioral1/memory/4984-174-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx
behavioral1/memory/4588-213-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4984-214-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx
behavioral1/memory/4588-215-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4588-216-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4588-217-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4588-218-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4588-219-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4588-224-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/4588-225-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/1124-228-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx
behavioral1/memory/1124-230-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx
behavioral1/memory/5588-238-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx
behavioral1/memory/5588-239-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx
behavioral1/memory/4588-241-0x0000000000C40000-0x00000000017BC000-memory.dmp	upx
behavioral1/memory/3708-242-0x0000000000CA0000-0x000000000181C000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\smss.exe	SOLARA.exe
File created	C:\Program Files (x86)\Reference Assemblies\sihost.exe	SOLARA.exe
File created	C:\Program Files (x86)\Windows Sidebar\9655f471-67f2-ebad-b357-a568e22e7167	SOLARA.exe
File created	C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe	SOLARA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe	SOLARA.exe
File created	C:\Program Files (x86)\Windows NT\smss.exe	SOLARA.exe
File created	C:\Program Files (x86)\Reference Assemblies\9655f471-67f2-ebad-b357-a568e22e7167	SOLARA.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\sihost.exe	SOLARA.exe
File created	C:\Program Files (x86)\Windows NT\9655f471-67f2-ebad-b357-a568e22e7167	SOLARA.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOLARA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOLARA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOLARA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOLARA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878266911068174"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
4984	SOLARA.exe
4984	SOLARA.exe
4984	SOLARA.exe
4984	SOLARA.exe
4588	StartMenuExperienceHost.exe
4588	StartMenuExperienceHost.exe
3404	chrome.exe
3404	chrome.exe
1124	SOLARA.exe
1124	SOLARA.exe
5588	SOLARA.exe
5588	SOLARA.exe
3708	SOLARA.exe
3708	SOLARA.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe
Token: SeShutdownPrivilege	5648	chrome.exe
Token: SeCreatePagefilePrivilege	5648	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5936	7zG.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5648 wrote to memory of 2848	5648	chrome.exe	85
PID 5648 wrote to memory of 2848	5648	chrome.exe	85
PID 5648 wrote to memory of 2612	5648	chrome.exe	86
PID 5648 wrote to memory of 2612	5648	chrome.exe	86
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 4928	5648	chrome.exe	87
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88
PID 5648 wrote to memory of 1252	5648	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://workupload.com/file/knU7s5aPPQb
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbe24adcf8,0x7ffbe24add04,0x7ffbe24add10
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --field-trial-handle=2000,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2084,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --field-trial-handle=2392,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4300 /prefetch:2
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5248,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=208,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5692,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5688,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=4712,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5276,i,16214903735216616873,13891177445916737297,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SOLARA\" -ad -an -ai#7zMap9021:74:7zEvent26421
1⤵
- Suspicious use of FindShellTrayWindow
PID:5936

C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe
"C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4984
- C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe
  "C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:4588

C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe
"C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Users\Admin\Downloads\SOLARA\SOLARA\adb.exe
"C:\Users\Admin\Downloads\SOLARA\SOLARA\adb.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072

C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe
"C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5588

C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe
"C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fbda4e1543345d74057691c369895bf2

SHA1
1231f3f0d2a71d4ca67a8681fa457a29ea8d0912

SHA256
d506803400a2eb383871ec21b0dbc8b5d02dafe4519679b7dad492e347326007

SHA512
f8b77ad1388efb2f4a455d2d9b7304739ebb742bfeedecae0714d8acc8f03e41e068f8d755d43239102d86d5d13e8a5ef61acb25882139c5fdc5cc340f45b8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
2cb66a49e9e58aae0a5870b954c51028

SHA1
b97d58de9ebc2e226a6a811c327431aa3f04fdb4

SHA256
bfd78f679c1b47c71036cc9fe574666a0ff5b892597cf18df31f5e8d079a0c01

SHA512
d97e9bc8cd7f1545b73b47ac62cb55f0e4c49fae4c6ba4a6b0065ccc0ac67b2d38c57b2029f0b03a42d801cba7aca01e45eb730c279895da5e805bf18cf73113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
af47964f01e50751a9d1112482283b49

SHA1
bca9ea474898f33e4a2a8529d998fea030cb7f6f

SHA256
1241a29067d44f06c03b89c76688f1e584e0dccb04013b729d35545bdcb20f79

SHA512
6525247ce1925da68c154eb74ee7f2174e596594653be169eef807bf66c64ba4057f773270ef554558199ea13e2937198aed45b9c2bfe116b53aa3948e387a36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
440c3a3510d54e2804c489df77adf548

SHA1
e258fbaee25edd7c8450007b3cb4f0049d165c32

SHA256
bbc4572ef858bfbf0027cb2e611adec321202f34d6963ae9d8e6e1e2ff3faf1d

SHA512
f106332943db79a1f120adb47dcde5f7e58025132d82db5be4ac7093d0343cc8621f4a4043ba9e44ad4a209fa78354fb8646536fd5a940477b1439dbedb50e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b3fe5412e8ee13a1d1c27f3428e9f55

SHA1
deccd93df0e2a0027b7de4dc621cb2d949609398

SHA256
eed50eb6333ea570a8c7f19f9e948bb082d3116e63d7431deb918055ae64ef54

SHA512
8aefe252db5d19a81556a4f157a552027dabdda2ac6904aec83439e9c62b62f1d45538619d0d109b4ca55f136e07a5fb7680c8238f9d73ea550111c9dcfcf874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e3859d149cce26b3fd0dfbc8103212d3

SHA1
7742bf40f5fd90ce1c48ab6a9c157a278df40160

SHA256
60558052bea42099c2df539209b069c76aec4173e21b830d890075df52092d5d

SHA512
172973c95cfd60085ae201c596504debc4d55b7d03e46b77a968b61e01a7daffa3456e5cacdec03662753eeee90d7a39241f8b5bc3796168fa1b7b55ba75c802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f4c31e1267c5c5c4c3ac135387315911

SHA1
a9e58e5140742e0b25395e4eff2019e491c7e21e

SHA256
003fbe143f47ac9c60f6ec1c2c693e91b29ee65bc084f63f1b15c2e6b2067a92

SHA512
a7cb51df6648f818fefb01b9a845a09d8c630c56448eca38673f1fb135f69c5f7e19d1b92ee433ae098d4e0832e067c811e92d9dbabad15657113fe1ad96ebcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8cf4a9410314e4049ac4f670d9239599

SHA1
7252f899c2eb9b82f6158029cef30bbea8406187

SHA256
81511ac20998e5f4680cf3b1dde123a08819b6d7538ef54f4039ac394eb36ddd

SHA512
c23743a4f11b4f514a3dad2c96b9cb877b7fd0ffeba8edbdd8cfcccfb55d749b36fe483052fe7f2e30ae419f7f5f61078270a04fdb74c9c609b9a8a3d6d575b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c10e.TMP

Filesize
48B

MD5
4400af192a4dde8af7919926bf85c08f

SHA1
1d29369f25e63c8ae76b4a972fd5b4d7931115c8

SHA256
909baf764a20f9c40731c458dbaf76d5b94847a731babcb4bd7eb7a4f3fe9ae6

SHA512
c77d94aa26010b2c6e9c3f0ae99ea9d253f8f509044ad3597997de0980cefb06f779a443412d450a4a89f26c9dc1a62e77ce6f7d80a7aaa9944cebea23a41a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
1d8bb3455c6a9c71ae83e1a4644b5a5c

SHA1
0d422a2ac319fe87f54bf3088a03dd611fc2cd75

SHA256
109f7a52d61ea8ca1531f6addc1219bb65bc229266108f4a9b1e790791f37932

SHA512
1c20cfe85a888809362515a8febb756b2725e315e08476a4d4a276ca17ba184c545b57ddaa9c2e8b339cb8789404cdff0ca54eb3a3d29d691a9789e6980bdd5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
3ba6be568fa4df2a3ad0bb5e5b5299ab

SHA1
3fc489bde36a258fc119bd705fcb0571f964ae91

SHA256
98925c272d0f918d97135c74ff256206c282fe20ed2364381d57b0de9571e5dc

SHA512
a93301797700f32969cea85cfb601a674aa4d36ae1a4252685e966a36015ccf0df20c3f965d26a71e548c37e3661089c202e02ecfa62611ba7a1944b24520a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
5502e95cd72c91ba9c08b1a9f86548cc

SHA1
80b3dc8ce82c08e41b6cea9af09b31886b06f01c

SHA256
f68f84c6b019018af94f90bdcc62d2e26c3a90be08587093a3d215ac1637aece

SHA512
4b8bc5a71142863c6aacef97f1777c575f9e232b7027acf2a93987d3bfc1c9760c2ffa07e75c4dcdec895efda2e28d5e3d07c5a58f820a7c47a5cf1185b0ff5c

Download Submit
C:\Users\Admin\Downloads\SOLARA.rar.crdownload

Filesize
10.3MB

MD5
6f2ccba4ac6ae8ca7da0af7653bd1cd1

SHA1
04246acdcc908f2129cbcbe8688f2216a3a45c8e

SHA256
272b560a7b37126e127940bd6af1e0d0b8e55c07e409577d3c155e0f070d39dc

SHA512
5b4992b9a0b38ac863aa00d70b835eecc6fedcceed783cd24ecaa3abe5ada1094d33048641f00c2727385a07802a027a8168a16c508d1d3ddb34b2a5c1fdbc3b

Download Submit
C:\Users\Admin\Downloads\SOLARA\SOLARA\AdbWinApi.dll

Filesize
105KB

MD5
73030f38c867f5a7bd6ee331203f3d7a

SHA1
3e71b43c9b25af29bb4b8f455c176c5e89404567

SHA256
9ffacedc41b2752075571e1a474ff50c5dcbe1f64db56db24aaec78aea1126df

SHA512
492988fc89ae61e3af4904c0f593fbc4703293a915901ff98824cdcc77a7ac695faee8e1da56c66e3e2591216234a609841fb2393ce1dd2aeb91014952c6a297

Download Submit
C:\Users\Admin\Downloads\SOLARA\SOLARA\AdbWinUsbApi.dll

Filesize
71KB

MD5
f67d9ec28d19316754d7ecb0e990197d

SHA1
a82ba3ad1a0749dd91eaac34dced3622d10dba54

SHA256
13918fdab0c3ac77d077453a6036247cfeca10910aec845f188c41148c630bb2

SHA512
abd80e386ce282bbb4727c7bd795d7bb0046fecfe65b005c98609f18b341606166187e951a5beacb5112726eab28bf9b75b383cb55ca9d0303b286389fd25022

Download Submit
C:\Users\Admin\Downloads\SOLARA\SOLARA\SOLARA.exe

Filesize
3.1MB

MD5
1e4e8c6d1bf62ff6b365e0cba9c4a6d1

SHA1
2acf897c8414528b0620707c8661d268af0d1222

SHA256
19f8b2f1c0fffe8f37dee7acb107554034f73af09de178fcee107a04cb6ea98e

SHA512
4f537099eacd68f3c825cfb5501f2082c3b43b7e3cdff9755765d9a3b9285cbfadd8374df79c78963404c7c51866eb324482cd0b32e965c121c3beb2736c935c

Download Submit
C:\Users\Admin\Downloads\SOLARA\SOLARA\adb.exe

Filesize
5.6MB

MD5
f1f479bba21298e758fc22d8d98f8e48

SHA1
2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca

SHA256
705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183

SHA512
3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f

Download Submit
memory/1124-230-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download
memory/1124-228-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download
memory/1128-252-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-250-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-249-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-243-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-244-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-251-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-253-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-255-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-254-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/1128-245-0x00000286F2860000-0x00000286F2861000-memory.dmp

Filesize
4KB

Download
memory/3708-242-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download
memory/4588-218-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-241-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-225-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-224-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-219-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-217-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-216-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-215-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4588-213-0x0000000000C40000-0x00000000017BC000-memory.dmp

Filesize
11.5MB

Download
memory/4984-214-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download
memory/4984-174-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download
memory/5588-239-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download
memory/5588-238-0x0000000000CA0000-0x000000000181C000-memory.dmp

Filesize
11.5MB

Download