hxxps://cdn[.]discordapp[.]com/attachments/1234488074650517647/1239037173655797860/Solara_Updater[.]exe?ex=664419ca&is=6642c84a&hm=92b335a2c826cb9e50e90c4fa1d356a618e67acd8c9d421409f4f51996b5030d&

Resubmissions

14-05-2024 13:28

240514-qq1eeahc99 10

14-05-2024 13:25

240514-qpascsha31 8

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=664419ca&is=6642c84a&hm=92b335a2c826cb9e50e90c4fa1d356a618e67acd8c9d421409f4f51996b5030d&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Solara_Updater.exe

pid process

3800 Solara_Updater.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
20 raw.githubusercontent.com

pid	process
3800	Solara_Updater.exe

flow	ioc
3	raw.githubusercontent.com
20	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{F1B4B4E8-3A1B-44B6-927C-FF497956EF82}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Solara_Updater.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 794691.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeSolara_Updater.exemsedge.exemsedge.exe

pid	process
2504	msedge.exe
2504	msedge.exe
868	msedge.exe
868	msedge.exe
4736	identity_helper.exe
4736	identity_helper.exe
3128	msedge.exe
3128	msedge.exe
1280	msedge.exe
1280	msedge.exe
3800	Solara_Updater.exe
3568	msedge.exe
3568	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Solara_Updater.exe

description pid process

Token: SeDebugPrivilege 3800 Solara_Updater.exe

description	pid	process
Token: SeDebugPrivilege	3800	Solara_Updater.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 868 wrote to memory of 4092	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 4092	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1560	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 2504	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 2504	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe
PID 868 wrote to memory of 1200	868	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=664419ca&is=6642c84a&hm=92b335a2c826cb9e50e90c4fa1d356a618e67acd8c9d421409f4f51996b5030d&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80d903cb8,0x7ff80d903cc8,0x7ff80d903cd8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Users\Admin\Downloads\Solara_Updater.exe
  "C:\Users\Admin\Downloads\Solara_Updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3868 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,13929352946945678007,3249018431159051182,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
86KB

MD5
862b6033dc6723bda6b54609820b9b3f

SHA1
64881c76d084f2ff93cefdc4e0d829b03861f696

SHA256
decf0a34519cf25f9e3f2e3fd6c15a5e52f4f550541a151121e9a5bee5d9220b

SHA512
695c1d1e1a682851b5a3eb52e8be1563a5d2a26d7925db8fd8aec8b0eab0ffa1cdeb18c4c4abb0660c71a3cbd6939d04ebe5fbe47a27a69c52d4151520d520bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
48KB

MD5
21af9bc981d404957c6344aaff4b3e28

SHA1
e5569bc0876884ded0d9594432cc261effc66d47

SHA256
e9515acb1b0c8f7c1008358ed424d6563cae681f0e87c53547d0cb7b9f51b051

SHA512
fb42427a114a3cb5739c30f6235c4fe3102876b2063772665c82ecce483955d357dead930e6da185f2b27fb0e72b9837ee272c3271efa5b7e80f98edf4cfaae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ad5e4e2a82c706de4beb863c6f58f455

SHA1
c83fb827083bd64797bc7b716200ec0ffa6ec487

SHA256
37a259256d9e0b68fb1fdb999888cbf6087b256c4f46f7dd20b146f4a737ca94

SHA512
25ee0292cb5324aceab0b317f04094cc9b621a5babcd23772a69a08dd7088f96d1e7e0fa32f8358bc2b31d35f0d4e18403784959061de9cbcf3e0304b6873a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
da178a5eae7ac65351874261f429b9b0

SHA1
eff4c797a68d0abd212e2a7d7beee2c43bef30d5

SHA256
d6dcc9e9fad77e40ceee17a1912f8ca2e72c4d988af8b60c8849d5d8d3e9369e

SHA512
07ce158a7c15ac17c97ecb6b50e32f80f61901380183079cb0e8990053874d47796efb9d65f382c5f6454896f194173a643af7130dd552ac81410910cec7b34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ea11541818640a1fe9d719e75c85b85

SHA1
c6aae8ff846ee17fee995a4808fd10fe2f2d11e4

SHA256
cf47a07fb06b5722b1ebdf23b851fd5d1a2663061a35afe43ba4905710629437

SHA512
bc229e2cf54e6e2402b2d462cd24c7fae20243907cd9c7855d11453d520e89637a9d67410b62fe22b152928d5c7265bce1c9a996579580802a647fce685e2c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
907af78a23c951ddfd8c15f51df17ff6

SHA1
95c08ba3e25a54d3ee3d971e955ddb484cc90027

SHA256
02a9b3352dd599c28a628e2aaf4e48b364cf2d22ed53006536c268e0db598310

SHA512
1b4fd84b4c4fbd5a85e6c0d9deb4e3e52fa5751a45c8cb5a537f361c3f84409028ba4b5847f192853f23e44546fe8a0c56e14c0ea9b34b626ffd8d7008843b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5cb7ca9423e55e0ac725196076a02fc6

SHA1
5d42f7e80ef3b4a98c2adaa33da04300315bcfde

SHA256
3d5fe0ecee55f07c268fa7727a7296a1bf6eb35af156143777a9e9f1f67211fc

SHA512
36e8391a5585db3ab613091350bad8f96d1a6872bf8d617cd6035c9c5185f0b72b58357909da872ab69613ebe93e898c29f3582f3be574a8d15494b10caea3ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
11f70165bcc5a107776543547967af51

SHA1
ee08e86dfc472076354d3ccb1044b788bace5523

SHA256
b224505e5a30deb5b3a5034f46dd946d83e48c7d2b1f9839fa7e637a9bc5713a

SHA512
c177ff035b5997c572ad2ad61ddfcd7c8ac86412210a23d7f633099d9143583325e6f91e59a130039c2e90fdaee24f1c8e1fc5f8e91bde7e6448650403d7a93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
00eed789dd001ff9b2e1e9cd9b37229f

SHA1
07ef1abbf5e8e30a7ba36ee0f5356c45de5c3760

SHA256
0434149e5113f46ced8071311744b885976c2e7288ae243564b5b639a4867e6c

SHA512
30ddf689f841e25e231f0fa479af68ec9dcc42d4bb7a0ad458b508bd0ae8eb39c7847af004b97994a3a550470c57360af13e8700c688148056d22d4446275eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bc64717deda3588072942934c6db1d3f

SHA1
fa18f451bc61d0e57aff58bbdc182ad9712465f4

SHA256
e7363c19a43071ffce8e73d74241f58d6007d4571e75bf82156abf587c4b24e0

SHA512
b47efc7a5eda4e1d2be8456e3a9a88194c2a562093df58cc6e19d5d04ade62d3e2dcc62ca373acb19a28618b7783d7e4b784908c9f8e54712f71fbda84fce877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a033.TMP

Filesize
538B

MD5
3c6bcab93efb1db123145b287acc13ce

SHA1
baf408f0630ef82bec35286cac9efb395f3d6f0f

SHA256
44262cc7a2d10e10934f4fa65e4aa675835cb72985b17000e0752f02f769e2b8

SHA512
1ac3b69dd7eb0e00ebb2cdd9283d87d2cb42c741939f23c85f0a0fcf0dc937d2c64df84bc27f9928bb7c206ac5e3b49518ace1c10cb3c5503b46eac8f703c143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f924a774-16cf-401a-b992-af52cb66b4e9.tmp

Filesize
5KB

MD5
10b66135a4b84bde65c86731c63f7dd2

SHA1
2a4ee0f6a63d71997f398dbdfa085a38342e8a61

SHA256
f20f19432f5c08cdc6f934d89f4154bb53d1178eb1b84fec6b83ae7905d11f6e

SHA512
dd22ac2a1149ae0fdcdb1d5d4dc243856b9cc7cee01583fd4828ed6060c00e5660201a3336e644d48fa0c5fd56a3980b19e5d65203183b1baefd7c46ad5d5001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
556dff8e13038e37bf69df2be459ad0e

SHA1
46555df7ce44dcd6041ba76e048ee3d9b016b0a2

SHA256
5e53589f20ac4cb21185fefe3fd5c08dcda6f6cac29356e0537942324ae8f550

SHA512
78e5489702cbe3c93f771a24123ceca4b936ecf26d17d3626346f077e64647fba5dc970aa2bd47cac64484cfc8b1ddd9204b01a260af82598e7d0b774e081351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc3c808e4d1aedf1d673eaea3f3e14ba

SHA1
3fb14364444b76e6d74068de8ce51b1a0673afee

SHA256
d29a28b587c42d96acb2f4cedaf301df6a3aa8b312bcf198d3001d871de59dc3

SHA512
777963d3c8f01f6d6354e66f41b392944caa424ccc1dced359b291e2f7e9efad2f3e02e53a51e6ef4f5add1d805a30b6803d7d7e0b0ca595001e4054d0568be9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 794691.crdownload

Filesize
240KB

MD5
b89051e8cf348e69c0943b540af3b99c

SHA1
50200e338cb5df75077c6144884bf0ff6bf7cc7a

SHA256
2e0a0e7e5d510f4274cd22ca2ed10f4bcca932a8cb2a756a47c13fb36a5fb58d

SHA512
ab1e75c6ccf80fdd29bb35ec802032a46cf642e444ba392a2224cc025d05d78148f60bf81d4405b25301ce86b83e03d9249378864afa575fa6a61f05dea21408

Download Submit
\??\pipe\LOCAL\crashpad_868_MMHSFLJRAKNBCBLK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3800-97-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/3800-96-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/3800-94-0x0000000000EC0000-0x0000000000F02000-memory.dmp

Filesize
264KB

Download