umbral | hxxps://workupload[.]com/file/3bLUanW4HKE

Analysis

max time kernel
78s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/3bLUanW4HKE

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002355b-210.dat	family_umbral
behavioral1/memory/2616-219-0x00000189A3A30000-0x00000189A3A70000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1040	powershell.exe
2776	powershell.exe
2996	powershell.exe
1228	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 10 IoCs

pid	Process
1664	Bootstrapper.exe
4896	Client.exe
2616	Umbral.exe
1040	Mrk.exe
2996	BootstrapperV1.15.exe
4684	Bootstrapper.exe
3168	Client.exe
2356	Umbral.exe
3532	Mrk.exe
1996	BootstrapperV1.15.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
106	pastebin.com
105	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
92	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4228	cmd.exe
4964	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1228	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4964	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3516	msedge.exe
3516	msedge.exe
4308	msedge.exe
4308	msedge.exe
4376	identity_helper.exe
4376	identity_helper.exe
4056	msedge.exe
4056	msedge.exe
2616	Umbral.exe
2616	Umbral.exe
1040	powershell.exe
1040	powershell.exe
1040	powershell.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
2996	powershell.exe
2996	powershell.exe
2996	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4404	7zG.exe
Token: 35	4404	7zG.exe
Token: SeSecurityPrivilege	4404	7zG.exe
Token: SeSecurityPrivilege	4404	7zG.exe
Token: SeDebugPrivilege	2616	Umbral.exe
Token: SeDebugPrivilege	2996	BootstrapperV1.15.exe
Token: SeIncreaseQuotaPrivilege	1800	wmic.exe
Token: SeSecurityPrivilege	1800	wmic.exe
Token: SeTakeOwnershipPrivilege	1800	wmic.exe
Token: SeLoadDriverPrivilege	1800	wmic.exe
Token: SeSystemProfilePrivilege	1800	wmic.exe
Token: SeSystemtimePrivilege	1800	wmic.exe
Token: SeProfSingleProcessPrivilege	1800	wmic.exe
Token: SeIncBasePriorityPrivilege	1800	wmic.exe
Token: SeCreatePagefilePrivilege	1800	wmic.exe
Token: SeBackupPrivilege	1800	wmic.exe
Token: SeRestorePrivilege	1800	wmic.exe
Token: SeShutdownPrivilege	1800	wmic.exe
Token: SeDebugPrivilege	1800	wmic.exe
Token: SeSystemEnvironmentPrivilege	1800	wmic.exe
Token: SeRemoteShutdownPrivilege	1800	wmic.exe
Token: SeUndockPrivilege	1800	wmic.exe
Token: SeManageVolumePrivilege	1800	wmic.exe
Token: 33	1800	wmic.exe
Token: 34	1800	wmic.exe
Token: 35	1800	wmic.exe
Token: 36	1800	wmic.exe
Token: SeIncreaseQuotaPrivilege	1800	wmic.exe
Token: SeSecurityPrivilege	1800	wmic.exe
Token: SeTakeOwnershipPrivilege	1800	wmic.exe
Token: SeLoadDriverPrivilege	1800	wmic.exe
Token: SeSystemProfilePrivilege	1800	wmic.exe
Token: SeSystemtimePrivilege	1800	wmic.exe
Token: SeProfSingleProcessPrivilege	1800	wmic.exe
Token: SeIncBasePriorityPrivilege	1800	wmic.exe
Token: SeCreatePagefilePrivilege	1800	wmic.exe
Token: SeBackupPrivilege	1800	wmic.exe
Token: SeRestorePrivilege	1800	wmic.exe
Token: SeShutdownPrivilege	1800	wmic.exe
Token: SeDebugPrivilege	1800	wmic.exe
Token: SeSystemEnvironmentPrivilege	1800	wmic.exe
Token: SeRemoteShutdownPrivilege	1800	wmic.exe
Token: SeUndockPrivilege	1800	wmic.exe
Token: SeManageVolumePrivilege	1800	wmic.exe
Token: 33	1800	wmic.exe
Token: 34	1800	wmic.exe
Token: 35	1800	wmic.exe
Token: 36	1800	wmic.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe
Token: SeSystemProfilePrivilege	1660	wmic.exe
Token: SeSystemtimePrivilege	1660	wmic.exe
Token: SeProfSingleProcessPrivilege	1660	wmic.exe
Token: SeIncBasePriorityPrivilege	1660	wmic.exe
Token: SeCreatePagefilePrivilege	1660	wmic.exe
Token: SeBackupPrivilege	1660	wmic.exe
Token: SeRestorePrivilege	1660	wmic.exe
Token: SeShutdownPrivilege	1660	wmic.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4404	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3848	4308	msedge.exe	84
PID 4308 wrote to memory of 3848	4308	msedge.exe	84
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 4956	4308	msedge.exe	85
PID 4308 wrote to memory of 3516	4308	msedge.exe	86
PID 4308 wrote to memory of 3516	4308	msedge.exe	86
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87
PID 4308 wrote to memory of 4392	4308	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3564	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/3bLUanW4HKE
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd139a46f8,0x7ffd139a4708,0x7ffd139a4718
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,17399276262480597070,12647476775914751262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Solara\" -spe -an -ai#7zMap24064:74:7zEvent9135
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4404

C:\Users\Admin\Downloads\Solara\Bootstrapper.exe
"C:\Users\Admin\Downloads\Solara\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1664
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:3564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4440
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2996
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1228
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4228
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4964
- C:\Users\Admin\AppData\Local\Temp\Mrk.exe
  "C:\Users\Admin\AppData\Local\Temp\Mrk.exe"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

C:\Users\Admin\Downloads\Solara\Bootstrapper.exe
"C:\Users\Admin\Downloads\Solara\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4684
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\Mrk.exe
  "C:\Users\Admin\AppData\Local\Temp\Mrk.exe"
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe"
  2⤵
  - Executes dropped EXE
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
871B

MD5
386677f585908a33791517dfc2317f88

SHA1
2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

SHA256
7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

SHA512
876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\91a46a21-4610-48d5-b20f-b1c399cef5d5.tmp

Filesize
6KB

MD5
4a302447fb4701cea684877756b6f5ff

SHA1
ee7f689ee583d4d10d403075c24ae61ecf530f84

SHA256
fcb057bed0667fda598b8526605649662a0db7d75edf5d0a458db42acbb7e33d

SHA512
5cabc1d61dfe968e8a03322efe1334066fb06146de9ab5e7c1b18f5e3b9a9474c15156ee4044d9950c89757febedfb332dba6ae798d7ac84beb7bd84af81cb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
168B

MD5
8bf7745e3e50472b11436ff0b643384f

SHA1
17630bfacb648726c39b925753708d34b01685d6

SHA256
e210218f728b31cd29829df9913ad1d441e4ea2e6f559fd0e0130813ba97f7c2

SHA512
43fcf54c882a44f80365b05eed066e5a8973b2a8af572c9883e752c76d2cb818c22183eab4276112e2dd171c4e86f71bd8f770b683e637f22889e157923c1f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
357c5b8f4bd4bceafb48e9d4d1d398a7

SHA1
024831a51f92fa2184fae12e37e5a4d1e7c9c6e3

SHA256
eed29b6edba670296c19c183bc3b46a87bd4db9f45929ec1f77575be2658e19a

SHA512
a067a228169d97d7a14bbaee9bfcba9b0a9c31f44080a3232d3fc384cd175a397458461a8b86084cf2f8d91f7b6bb5cce54b4458ab3af5402988923ffa84314f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
386e8f37509501e8b7036d7a0e0a4fdb

SHA1
5b52f634dfdcdf8020c7fe76cb4fc7f00c95ce40

SHA256
aff55455ab47681d25f729fd6295f4254ce420ec79eec31082126fb00ca437ea

SHA512
c1b8d54d77f76bb819aa3a0fc85aa34d433bf04a6f58dfc4c4b47aa7c2271427335a986ccf5ad9c728cfbeafc2efbbc71d81c638de14934803cf50d0c140d33d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
f186a65cc78f8d4a7c6a83e7e6dd60bb

SHA1
05aed17311f711379f735c8c22f783d9d436d482

SHA256
bb056088d65352f5873df06ee4b82b8cd598caee595bb9b22b1bc6779b0c4dd3

SHA512
cde031c2f95b4f8cdcc00ee90e51ca6814e724b2003972ef022bc80a0a013527e341f97146e16d61d37a1c588a981ecd0ef2b012e1c291e25fc8aa409181c02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8c3ee9bef0982317dfd21adc7666a49

SHA1
5206f8bb8b0c4b793b058b5d778d7d843a7a80e0

SHA256
245e930026dad19da1765567723df90e88d69b3e347c82b3c1d7933ede013bc4

SHA512
46aececbf637a0ac45dc4624e51785f05cddd7f6f86bf06d1ba38b99083a8e4aee60f222fdf1f98990fa9f91e628a836549f8a7418611bf8af3f43e0d3672d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67c2a82a097aecba5428d10c46f2aad0

SHA1
2be3333ceda66fb51da74eefbbe9314b243d1c1a

SHA256
3aae3d69d537a7d0352f96dd9060e39100be165ba4c1a29d33645244f6b9f521

SHA512
b2478716463aac53653c4e30407267c9946211f77b58a406393de0be1b9b5a68038802074a4924338e42401e67174557e36851168cab83e17e4016f03b9c9b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2cbadef9109abf6dbc75514f22faf1d

SHA1
659bf6716e8d4409193aa4f9cd14de08d540399a

SHA256
151eecdea46490d1d69ca1684db205294cec46f16b796b66d990837befed767d

SHA512
1b5995c468efd94dc56b1676835d4567e627706b7e6190a398a3ebbaa3b8235c1a3a1af604fd221d35b9fa017fee2801ea61fe2b5fe248d5eb6e65b38cc7f534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90516175f76b19993b7e15de87003af3

SHA1
aee6c5a0c844c91daff007120b0784796fcba3d4

SHA256
def23eee3ce6d71b03ac0b2cca0d0976ffb6ee4073786ce0e31724f2da81682b

SHA512
017e388c1721c8851b005e06c7c95329d880573d34bd83deae1ed6520f67b5672e48d736b954a7e28d6e322962bca4f67dbfd1c5dc7e75ec337999df67abe58b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29da3296f910375fdc7e55c29a130df1

SHA1
421790fe49bb9f8ade80903eba42d753e0355749

SHA256
4184c1f58a9bd9df258b385e7a3981b5b56cf7b4770ea925b370cdfe293c7518

SHA512
6842b2c31919c93670a3d5b2dbb95195aa7df108b48ae73c41df671076d28c681d160b499ae5f6188a874b8078ebaf89db02f0da7ada828857a63b72613dc8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b1e5bafe94cf085f2ba054497e57607

SHA1
800290d3be6f73be3148035a33936f064e752fdc

SHA256
708db3531e20822219e2af830062a2534c7bd91bb9d6f6c33515641910764b0b

SHA512
30735e17963743a0dd19e3c376fdaa0e01bf0eb863839ffbee8a30fd227076a51df6283483991cff4a7c679315ac9e952520ba101e9a4431439e120e69366e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe

Filesize
796KB

MD5
653c07b9b5f1b22c84f72c03b0083d18

SHA1
54c25b876736011d016dc0ea06a1533365555cc4

SHA256
c9d04a3a87fee318ba65f837f40bd2dd2428f25e78bf271207f8b2b02aaa8a06

SHA512
b605773fc4fa244f354bb8f51621225e6482751d19bddf747f03f624581bc7ae896ca0e40be91b667aea7a7978a291497a362f9bd65449682e1948938af684f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
562KB

MD5
db9d17931383491400c6a1de75addd05

SHA1
db833f365c1196709d579b73cd28beb6e7864dbc

SHA256
57732922ef4493cce50ed5cfa1f8ed3ff9d863a93a78b5d9a6c02a5108d24548

SHA512
d4b8d1a3f201a933905247e4b5bcea63c4726b63773206329909af8381b19c64ee478f9689a912c9903968b2d55c512d302066014e37be31b9c3f1a6b699586f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mrk.exe

Filesize
320KB

MD5
7f94d3391375c4a2242eff3822b9d8f6

SHA1
f3cc1c25878195af48cf64c11676d7cb7706ee9c

SHA256
0e1d6fcba38765439ced76fdb50fb41e7f65f8e6c1c45c48d1c6ce0723e7e4e9

SHA512
ee05f1d3da37f131d0536446a9cd58aba2c5d94f6f429ee16e619e9050c192c6dea462e35f0d7c7543e8ea48a4eb8811a901f03bb43287a8ddf8af8beb24be02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
500daa0991a630bd98ab4927749abdb4

SHA1
5af5571ad0463601eed5683e9a8ba558f17d6449

SHA256
cea258c52aaad136bb8e07e2150826904346387efa9b060cb0fb7ad2818b892c

SHA512
8d27e88728eed7e90362eb249539be31b8da7fd3cee909f9bce2b433774334a403c46b7cbfb743ab6e16d3e08575b3ac8c49753f0a10b467c0ef37cb6f7aa58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4io2pdas.frs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Solara.zip

Filesize
797KB

MD5
915b969f7ec0979044dd317fca405d5e

SHA1
34fb27fab0032f6da97e13cf632a5380ba2f4207

SHA256
5e3cfd2d5541a353a74683832846b13b6fc4ca5b5f647de5165e41a3453d15de

SHA512
8f3036c407bea001035db6e7c81aae4f9c033e4c50a34ffdb6eb999f56fdd312f4d263c71e72a0e0f50ddc1f1da4a01547f3eadcee0a3bcc01cc664614a46974

Download Submit
C:\Users\Admin\Downloads\Solara\Bootstrapper.exe

Filesize
804KB

MD5
5c21978c41a37711843d51af861ed19c

SHA1
999126cce1470ba67d8f6beb45370d71bc7c1563

SHA256
3227134f60f17d8c221df254e01433e42b781548e2dd6742e2c17a3afb975f60

SHA512
71db5808578747191490b9985b8090f4201c17f1f423e52652f9f78c35ffd3c8eee01442348930180e6c83e89d944ed3dfc2d3a575584d365baea8e2f11027d9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1040-239-0x0000000000FF0000-0x0000000001044000-memory.dmp

Filesize
336KB

Download
memory/1040-246-0x00000273DEA50000-0x00000273DEA72000-memory.dmp

Filesize
136KB

Download
memory/1664-194-0x0000000000990000-0x0000000000A60000-memory.dmp

Filesize
832KB

Download
memory/2616-287-0x00000189BDE90000-0x00000189BDEAE000-memory.dmp

Filesize
120KB

Download
memory/2616-276-0x00000189BDEE0000-0x00000189BDF30000-memory.dmp

Filesize
320KB

Download
memory/2616-275-0x00000189BE180000-0x00000189BE1F6000-memory.dmp

Filesize
472KB

Download
memory/2616-332-0x00000189BDED0000-0x00000189BDEDA000-memory.dmp

Filesize
40KB

Download
memory/2616-333-0x00000189BE220000-0x00000189BE232000-memory.dmp

Filesize
72KB

Download
memory/2616-219-0x00000189A3A30000-0x00000189A3A70000-memory.dmp

Filesize
256KB

Download
memory/2996-245-0x000001EBFAB40000-0x000001EBFAC0E000-memory.dmp

Filesize
824KB

Download
memory/4896-218-0x0000000000260000-0x00000000002F2000-memory.dmp

Filesize
584KB

Download