44caliber | 21829708b9a4864c95b5f388fb3e0e850c2f1e04e17f093e6e6bb7d7f383e913

Resubmissions

29-08-2024 18:55

240829-xk71maxhql 10

29-08-2024 18:52

240829-xh927swcmf 10

29-08-2024 18:50

240829-xhcrpsxgnp 6

29-08-2024 18:46

240829-xekyxawaqd 7

Analysis

max time kernel
175s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseDowngrader.exe
Size

600KB
MD5

8c48b5f9d5efc74bfb95390ea23f2db7
SHA1

76e3c2b597164b9009c65f421e87abfc3b3e412b
SHA256

21829708b9a4864c95b5f388fb3e0e850c2f1e04e17f093e6e6bb7d7f383e913
SHA512

de80367169c7862ec66505c84c42be1134c16c9c19a8f1344d6ed9dd1d7510fe993cc249b077c2e61c2f3cdd2555930eef50f44e287fb42ef11b00593229a28f
SSDEEP

12288:Egby/bP2s/c9DO3LOBCjey8al5+mAIG+dGRqCW77UZh:Egby/bP2sIDULOBCjlvWI7GRk2

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1256365156401680444/Q4ybvTW8-P8cHM7v5CKOThKUJqTZ4f03jPUNC4To8TouPRnWl442RcsKLBOptm6uvg63

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 13 IoCs

pid	Process
5584	SolaraBootstrapper.exe
5388	SolaraBootstrapper.exe
5660	SolaraBootstrapper.exe
640	SolaraBootstrapper.exe
1436	SolaraBootstrapper.exe
4092	SolaraBootstrapper.exe
620	SolaraBootstrapper.exe
2868	SolaraBootstrapper.exe
5052	SolaraBootstrapper.exe
5884	SolaraBootstrapper.exe
1520	SolaraBootstrapper.exe
3816	SolaraBootstrapper.exe
1528	SolaraBootstrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
187	freegeoip.app
192	freegeoip.app
193	freegeoip.app
201	freegeoip.app
189	freegeoip.app
191	freegeoip.app
197	freegeoip.app
199	freegeoip.app
200	freegeoip.app
186	freegeoip.app
195	freegeoip.app
198	freegeoip.app
194	freegeoip.app
196	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{103BDFBF-1289-4D13-85D1-A96C7F05BE89}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	msedge.exe
1452	msedge.exe
2680	msedge.exe
2680	msedge.exe
4308	identity_helper.exe
4308	identity_helper.exe
5932	msedge.exe
5932	msedge.exe
4064	msedge.exe
4064	msedge.exe
5584	SolaraBootstrapper.exe
5584	SolaraBootstrapper.exe
5584	SolaraBootstrapper.exe
5584	SolaraBootstrapper.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
5388	SolaraBootstrapper.exe
5388	SolaraBootstrapper.exe
5388	SolaraBootstrapper.exe
5388	SolaraBootstrapper.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
1832	msedge.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
5660	SolaraBootstrapper.exe
5660	SolaraBootstrapper.exe
5660	SolaraBootstrapper.exe
5660	SolaraBootstrapper.exe
4180	taskmgr.exe
640	SolaraBootstrapper.exe
640	SolaraBootstrapper.exe
640	SolaraBootstrapper.exe
640	SolaraBootstrapper.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
1436	SolaraBootstrapper.exe
1436	SolaraBootstrapper.exe
1436	SolaraBootstrapper.exe
1436	SolaraBootstrapper.exe
4180	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	1260	7zG.exe
Token: 35	1260	7zG.exe
Token: SeSecurityPrivilege	1260	7zG.exe
Token: SeSecurityPrivilege	1260	7zG.exe
Token: SeDebugPrivilege	5584	SolaraBootstrapper.exe
Token: SeDebugPrivilege	4180	taskmgr.exe
Token: SeSystemProfilePrivilege	4180	taskmgr.exe
Token: SeCreateGlobalPrivilege	4180	taskmgr.exe
Token: SeDebugPrivilege	5388	SolaraBootstrapper.exe
Token: SeDebugPrivilege	5660	SolaraBootstrapper.exe
Token: SeDebugPrivilege	640	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1436	SolaraBootstrapper.exe
Token: SeDebugPrivilege	4092	SolaraBootstrapper.exe
Token: SeDebugPrivilege	620	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2868	SolaraBootstrapper.exe
Token: SeDebugPrivilege	5052	SolaraBootstrapper.exe
Token: SeDebugPrivilege	5884	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1520	SolaraBootstrapper.exe
Token: SeDebugPrivilege	3816	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1528	SolaraBootstrapper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
1260	7zG.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
464	OpenWith.exe
5476	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4768	3916	SynapseDowngrader.exe	85
PID 3916 wrote to memory of 4768	3916	SynapseDowngrader.exe	85
PID 2680 wrote to memory of 856	2680	msedge.exe	98
PID 2680 wrote to memory of 856	2680	msedge.exe	98
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 3056	2680	msedge.exe	99
PID 2680 wrote to memory of 1452	2680	msedge.exe	100
PID 2680 wrote to memory of 1452	2680	msedge.exe	100
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101
PID 2680 wrote to memory of 4040	2680	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\SynapseDowngrader.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseDowngrader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause > nul
  2⤵
  PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a7f46f8,0x7ff95a7f4708,0x7ff95a7f4718
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,15857067515112506562,8274281225402366842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x318
1⤵
PID:5440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\" -ad -an -ai#7zMap17766:134:7zEvent15627
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1260

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4180

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5884

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Cookies_Edge(56).txt

Filesize
6KB

MD5
98d770d50df5f9667627e9a05ccec581

SHA1
1196f679de3cf3cff0d837b64490203dbe3f3740

SHA256
ab0fe4281137485b5c2d5617e3bbc97ebe117146c2d5e56092c2aae4ff7132e7

SHA512
04b71b9f08aed02a192abfe88eac4efc6d905908f73a4dd373ad5bade3c36734eb03babfa2e9f35cb4fa67f5e5b2e410b60e66c1b34a0cd9dc33cde1deb9ac47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22b13609-a83d-4f82-a1f6-875673005895.tmp

Filesize
6KB

MD5
e908e826c90e236e8eddcad4981ab2f1

SHA1
77addcfd3067d0453c1d7564122c00f86a92a0da

SHA256
297e768338f0d9d8936a6c029cd1d1e97a29f022986cd73276bcb84ff8331fdb

SHA512
f71cdf39fa50fb2db38ce929e7e2cc796bc4e7214a7340ba86e7625e9d742fe016ea8e9d4d03b9a1b73f4aa83480be36db90ced5db6ca7dbf420da6a187662fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
62b2751a67c42143ed9686dbea2e1fd3

SHA1
fe10232ad821f2e927eb0abd84833e4366e9119a

SHA256
ca11c1a7fa587144910dc21c4d6542a3b26aaf200b825136008cf623028ea7d0

SHA512
06e369c775de3bf6864b5bad9bd4ede5cd132c04ce32e53d613e9484fda7242b3d7e7913ecc644ab1faf873e806efb3639ca618f0770fcdb0caf59ab009d3748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
147413c124cd165d6dba1c0f634a0918

SHA1
69a383f017667724c20e5584365a37d23dd95aca

SHA256
18e0db6df97a5ecb9da85269f7291121e10db60523feeedfa7fcbfbed27750ed

SHA512
a089853cce5b86a9d8084276e81840e9004d008714abba80fb28889ed5af349e1cc88b1a6b30fd169d65f48e96cde93107ba3a94700fe9f3d9e18bb893d829a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4e18ed7e6036831c7b0938cc2a01bd5f

SHA1
a62eefd26f08b678e21b4cf0d8cb320af629bb74

SHA256
bf498c8ec45203517ac0082f0783ca240e0d936516353b89f57f854ac3030a6f

SHA512
22b04f04abde7b01567896588945f005b9d68f92f32f83826b9721382ebbd688b49977193232466db2a0199cb6a80e54494b568cd7a6e69927e84b714f0d59d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4f6a05adee1f7c616a40b047a515cede

SHA1
e1070d7cd4c65d078bc9c9919055490f39cc3940

SHA256
aa524efba02fba23a16151fd78734d274d9fd891436e2c4251ed1e0ddc9337d2

SHA512
046f420db53faaccac765ffba422e4d52303b5120149cfaf839ca8f79539fa7ac0fd6f906a8f5f5c735be766160d6e8404a937685deb323e89355f846a15262f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
428fa8fa555256a57af7fdc4b352468f

SHA1
bf92ad171fb595a504ec6a3a57dbdc759e5446dd

SHA256
ce22b29f8bad798d57544c9ab7a7e7fcec46b14ad7b877039a885758c2b874a7

SHA512
c702e75ba687aa551cdfa534b8d7f2a22ce7f12fa2d9c91c078a4a3d5f0f29a0056b4d8bd5e7852b9af0d6047ceb15d45cb8f1421f40998a5905a1f5d0a3af38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
545f8959ecdcce8b6a7663b715f97ccd

SHA1
ce0e636450883b637414be5c6af51e85d0f5486c

SHA256
4d7db6c041ebeec97070dcb5fc14b65ae66ad1cb9a195a2c4dc796df4b32ad38

SHA512
d2264bdc42deedccc368e5aea82cf0c276e7c030f16b8f9e92510b034f6e77d71b9a4c99f7d4532f5f40254aeac8674c76164c6586efc10c162d7746956a1b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17929f71b6ab4e97daa8ddd3a069449e

SHA1
2ba1416620e4ca4b023ee035cda950356f7b4ee9

SHA256
a04ca667553413dfc50a0e220f6543d46c8c5c03c026045f16c0d0035799a529

SHA512
99ee582b1559d16a4425e9b2c597567fb9de2882b8d7dffacbba3a4208fde89c41c2894d17fa11d619d4d8a9aa127e81d16047811e0f20001341a1e50146d8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\5769c1dd22d8a4b17b8f1bc6a61d1fc6ad709ab9\index.txt

Filesize
110B

MD5
2d3a0d3fc35e37734f5d7d2b835f31ea

SHA1
a157f2bf3458879fff041b5b2c6aca9b7972f8c7

SHA256
ee659eb81433b27b09fa59ea6e15a399725d0588d5a7ea3b12fb7fbc9b9d2ff9

SHA512
81128fcfd8a576625450e0f9ec4b21b6bf46eaa833b4d141ed455d78dcc4fecf7c30171582ce09cf8557b3d656740f83da72c24693fb98ad54d8c7aeda657a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\5769c1dd22d8a4b17b8f1bc6a61d1fc6ad709ab9\index.txt

Filesize
103B

MD5
93db82c41b6ef7998a7a0d35c6814cef

SHA1
0c0fd8f094b1b4ee2a78372531e63c486ca9e593

SHA256
7b1a9df3ed8a949e6d40fa49e35ae2f892c4cd09dc6ab296b3f2957a7aa91044

SHA512
b4fab807259b7df12cb3a33a663d2796d8e5169a62f8fb7884ab0859c8d3f7deef292d02a47b8aa13cf6adba6620cd0c83e080114f996050aa914507a4864d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fec51f73c13aad7c88f3606424bcf4e4

SHA1
9edd2775eb19b9c735833619b4d5025c173c557b

SHA256
cb036ca27ffbc629024e0cf16191623f0c13c723daf91c2358bead108adcfe2d

SHA512
4380a8acb663067bf74ae652d3324563417912a4f807dedae96df5e0985c11c2ea25ceba6a114af62882d742e687019e223c2cbd6305e990a3ac789329c6c72d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7eca24e1b110083af94d00509b6a22a9

SHA1
d5621af7848497a21c04ccc15e2a082e62c4d422

SHA256
f99e81e794f8ecb87402abbb230334d06a717a8cd8e49cd4b09078ca3e1f998a

SHA512
42b5670e154e1db19313faf735f0d768985b9a5ea7b587bea2875eb3e4a196f09ea10dfb808d85f3dc92898cfcdc9203bc52ff2d28aea1395974ce101489f038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
57a252036eb69416fffee4a5b70df9fd

SHA1
192b9ef779e8d1d8ea7ca8ad1956549cf6517ba7

SHA256
f119d3ec1f3dd434c95040a84dcb620e4ad69a838f7974153c08ae16b845ca97

SHA512
a598ea2a64dc32df2c9122eb94cf67eb5eee62bf87e12420172f0c4e71ed479c20402d485a0484f9f9f1f07919422592cfe9e1f49088f545702a9f8c23eaf785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea6f.TMP

Filesize
872B

MD5
80742e14586bc76512484aed560621aa

SHA1
5d1a9c27972ae6a32e7f20ac7806caa357a70177

SHA256
5ab15737f5571c65cac29fc584aeaecd37a7e77a304a5d5fb4127e24b1ed97ea

SHA512
a26fd67f8f805afda73126d37d43b7acc6da665b4516fa764d0a171bab949d3dbd454746cd841019b59f1dd03b48ee53e9fc6175e9e9b02f4f838256e45037d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
98e184247ba50e9bf3731e925067b604

SHA1
1f098bc6f116652134c45bb27fde492819c60128

SHA256
4d5506b4a83cc351902fcd5d909b6279f34d6e0534c3b3150af1b04ea507912c

SHA512
e3e616da590b1597d2ea222dfbdc99187aa8462d4c1cf3bb6f0f7b371b04962ffe6d8b50e8ff7a9bb46936532470d1dde43196ed0fa366021a3bd875ff4bd7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4ace2b1a5cb2b0b6870c3c2850d89326

SHA1
408516064637d337e272a5c62999c6594a170a17

SHA256
8ca2fdc0078e07866a7f1da2c5ce4e3307cfebec0fe522eee4655884f9ba650b

SHA512
f0e0f49b2f3c90605708af7025cfe1d0bc4bb997d248ac7dcb24f4694eec13d32e4204950db08a8335a853171726f5959c06a48975024d5ac73f05fba811f5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d320849827c179e0e42a6fc0f879d875

SHA1
92d5596b5f2f5b47027993e2872665cf4dabd29b

SHA256
32c33bee18593b8df370ce81c998860550d42698d5bb23c519a5f9c33db45658

SHA512
0050e31315fa68cf95196578ae51bda15c5d8423418f1f8d4c197619c6bfa274415b5b1beb5dde1641b29b09f80241b4be131bef5853d03a68126fd9b76d8174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
49b5c5842571b2a9a354236e22d9534f

SHA1
db27ce2d9941c7561865fb8e545eeb940214ac77

SHA256
5685a4ddda2ff7eb712eae0e925a80d36da649ef2f070e38d689406401f806f4

SHA512
7c566f8d9dc6ab944e3e5a474ff952cab0ad6cb1d256ca55eef23fd3675752e8d34cb9c8679e1ad08c15bf22c4bfa2decfd275c87e964b5e4f86da5d6e9787ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F32.tmp.dat

Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AB7.tmp.tmpdb

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AC8.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6ADC.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AED.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
525B

MD5
74d90dd5a73f1679bd73fdce50983c50

SHA1
6f374995ce4842a9f07fc1a935833003066820bb

SHA256
da34d9a479cfcc31980c9be0a13eb90defa37ec3438f114f03f12649a415cfb9

SHA512
ad173b782022b72727c9a1d66aa7509ac316450d18561b018ddf563fe921636ea32d9615019ee0fb3be7a8b781154c5e09f6916547bbb7ab4484d3fea509b95f

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\Downloads\Solara-V4-main.zip

Filesize
123KB

MD5
50ce5e4b99ff5e6f7ae228c96613f741

SHA1
85605682324cb7a73faf43febeef66c1b61fc49e

SHA256
03f901b60674c42a7fe45f27c022a6db9d37f08e5f908cfb182c325263724e98

SHA512
4b44a29b05f270108177b1e66c1d5e327abf690c9704029c6b338be072c7660076fec218c908f2a1077cd845e7e3db08fbd58b7ec31ff292eea502e4e4a3b095

Download Submit
C:\Users\Admin\Downloads\Solara-V4-main\Solara-V4-main\Solara\Solara\SolaraBootstrapper.exe

Filesize
303KB

MD5
7553c649cdd15e01bc47cfa2dc88fdae

SHA1
1ad33f546146e52d05e667f0907262c1e55cb958

SHA256
12a8d265fe2c0fb139d2dc9994ebdfaf7aea93a2ecc18dc4e132f1a04d36eda6

SHA512
b40c066725b3f9ece6f75dd11598ad73f702b608253a4fa990774d2a61433b7a8218e19c3f5b348b62d18f533069f0cb228bcd5904497e98cd8f77d94a9d1849

Download Submit
memory/4180-635-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-640-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-641-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-642-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-643-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-644-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-645-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-646-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-636-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/4180-634-0x000001FDFE180000-0x000001FDFE181000-memory.dmp

Filesize
4KB

Download
memory/5584-546-0x0000019D61BA0000-0x0000019D61BF2000-memory.dmp

Filesize
328KB

Download