rhadamanthys | a281f5e7c6754fc54b941696d4f6cbe7fccbbf72a4978b13997f65961f0da53a

Analysis

max time kernel
123s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.zip
Size

14.9MB
MD5

23fa82e27232128a195e621a69bd88a7
SHA1

b2d66dba43d8c5415c44f47687f0d4823f16326b
SHA256

a281f5e7c6754fc54b941696d4f6cbe7fccbbf72a4978b13997f65961f0da53a
SHA512

b9dc0285bafac82de59b727f4ac352e98b00101b4f32e1b1db753e0ceb0e535469f9a6845ac8c84c7ecbd683f99cfa615dfe35441ca0c70b5b5ba6270e84ec97
SSDEEP

393216:9AUFhD0H/KYTb+ipl5PdX3qg08I1k2hLeRr8mWd5:9As8KOb+ipx332WcywmK5

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4536 created 2588	4536	Solara.exe	44

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
94	camo.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5352 set thread context of 4536	5352	Solara.exe	131

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5960	4536	WerFault.exe	131
5996	4536	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
3288	msedge.exe
3288	msedge.exe
220	identity_helper.exe
220	identity_helper.exe
5892	msedge.exe
5892	msedge.exe
4536	Solara.exe
4536	Solara.exe
5216	openwith.exe
5216	openwith.exe
5216	openwith.exe
5216	openwith.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	6044	taskmgr.exe
Token: SeSystemProfilePrivilege	6044	taskmgr.exe
Token: SeCreateGlobalPrivilege	6044	taskmgr.exe
Token: 33	6044	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6044	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe
6044	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 4436	3288	msedge.exe	102
PID 3288 wrote to memory of 4436	3288	msedge.exe	102
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 1908	3288	msedge.exe	103
PID 3288 wrote to memory of 432	3288	msedge.exe	104
PID 3288 wrote to memory of 432	3288	msedge.exe	104
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105
PID 3288 wrote to memory of 4840	3288	msedge.exe	105

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2588
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5216

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip
1⤵
PID:2184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec0b846f8,0x7ffec0b84708,0x7ffec0b84718
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3052 /prefetch:8
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5352
- C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 460
    3⤵
    - Program crash
    PID:5960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 456
    3⤵
    - Program crash
    PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4536 -ip 4536
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4536 -ip 4536
1⤵
PID:5988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
28c93b0a8e84baf05ad40a66e37c61a8

SHA1
6b9a4816dfd06280f26a0b0f346602a482b4887d

SHA256
02d8c274073b99286fa78981ac0afc54f96ef741ca9af81780e5c7aa93167aae

SHA512
b5e07009768bcf0610dfa3d8ccd2939826f72c45a87625ec85f0f3e0d0b194d1236dd54e3975c153e3a3c7486d4e4cc85634719ba178719e8553aad9ac9628f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
566B

MD5
32e00885c44d5c3bba4c993c54862ac1

SHA1
367b00f40f49cee09a13cb2f0b6c5df922367668

SHA256
84cc6dd3285dd490f185d3098912288933077699d9839ad4c607fdc9526048e7

SHA512
cf1f5fa1c8f8bbac9da7b54f984bccb3d98f32543c6fdfe8c4066f8eab7042e9e9ec308f9acc70f86e632d4aa88fabbc3e4cff1358959f147c0012a66d964a99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0af04579b8dfe8d6b63fb3cf144bcc5c

SHA1
4a26a82244d0eddec0158d709c1398076629d1aa

SHA256
9813a39603c83f1f007a0f5486956009023be694630ca230739a32492a41b787

SHA512
c27f81ccf27875353b15da2e86ac89c2c49cd13afc98011026bd30bbdc6a57ebc0c4d5037e10e046e29c0442cbfc94a2ad898e027597e69f49762d95cf500c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73d6d559be5e06f4836f523a1cea07ae

SHA1
82707d754b24954c1e88ce59024b7a81376acd70

SHA256
2b836f76e958b4314179b43f311e30ea721331417f35783365aa3b0d1df41018

SHA512
46a086c09fb3cede2cb651e38f56b7f5760be98d732d60df0ff2261287c4fae1b3dbe6087195f57366500444d89fdf16af79392b1e356824d2a4e8fef972122d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
865769af3c8dc2e7b9cd6f2e7beeb598

SHA1
8671f9def1b7fba750bedb8acc91b3a8e387e596

SHA256
970b2b30a92fe1a2c59e2afdbc0ab4be6617de6757edcf315d0c34ef37c59613

SHA512
4f51ae63797450583d73903a3b9e4792ba92c31022d4567e3d751e1006bebe23aaeaa1babeb3674fffb5feadd352669574b84aff00f37eeb98c74d9bfe5e555f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5b90cc4564545f75a6361b905e024c2

SHA1
15d5abc6d0098694906b41b3d47017e9b1fc031f

SHA256
8fe0b40691e45f11dd70009cb14416764f1775ef538274092fd3bd05fc7db2e8

SHA512
1d8f6c3ec221af5d1d1c2631f7e64b06eab335c95490e12e3f32c8a40fa808cb7942d12f817688250f000d554e7d98be09a56ec61035cfc00f4ea19e523229fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcf869edc460bd69e05d97aee3c11e85

SHA1
7ffc5831c3f6a2de913581b7d2ddc036ee07d90c

SHA256
32606c02ae9d43ddc79f8f90329dbd5fcdf2a1b6c779cafc1c06db4f798be2f3

SHA512
2cae89c5daa910148442a61356b344d3210bcce921905f634a468b2906a540771b20ba75f3c78a37bf8a88cdbff27057f8539cc479dfdc646da7970a4003c362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3d28dc7d8f50359d1db53d5a4e0785c

SHA1
4d67e391b5bed7de6ac95285c0730355f6a602a5

SHA256
fa24ddada1a6b549fe645be5a2ca9f892696ba24ecbea13b90eca0d3383a0e2b

SHA512
1680f6a84860995b00cea4764b71d1213a1d60b3cd4bfb8cb331477c9d5bf028b85f4f663f5e27de8430112113d9caea7a9251c79ab9f6ea2741b4fa2885c089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
27a53e75beefaae3c7c05720a35b8d13

SHA1
76aa477c63a88bc2b19279c17151561d5c6de58e

SHA256
17d181831f57aeecf7ec00837b856a1670f0a91ec921d51d04478ca501ee612a

SHA512
c60796c8bbbd6d359f8de69e9a2375da9186d62745a76ec60bbcac8a8c26369e41c3371634aa3b6cae13a3f397d3453643ce2885d315d6065d2124beb77e3ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e308.TMP

Filesize
1KB

MD5
476b33fff2fe48d3fb2e915c02aaf642

SHA1
db6f93283afd534137b9f8d230d0e85c933930a8

SHA256
777ab157c7f821ad83a0f12cd345ac6ee161eb16fc676e3d10cfc69c5bd1ae7f

SHA512
3ede1f4e58878389ec737c890d1469685133ebbfcb08dcaa4138cb93ab1c69d0b49b5a6fc8cb9c9e287d5dedf2059d8a556f29d0e46aa46b6e4f1fca1528077d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bdb157f7b2a58a29d43c8a9b9b47255a

SHA1
87d00beff6457b91143d08dcd64a0688540a9abe

SHA256
8c3f09ea663281abc2e56f82694c11ce0792944354e18602e49a0f85ccb8a3b9

SHA512
bef729ae02b8711345b37083bbd05450bbe6852cec4a80a06d85050ebcc5f0d57be2cd62c20038f3bf7f03be7b70d38d04cc3e3d565b06740db54f04be462aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
591034dbb759f84d77b0977a104cdfe3

SHA1
68097a588927a3a5c3becf267eee814e4af7877c

SHA256
92a490c0436961cd5bfc509cf910daf1ece3cd464127734a750451b28d2f229f

SHA512
4e4469521e8177c8f2e8eb5513982cbaf8f23f4d004bd9655f0130cf2c9d75b18bd7496487a1b304d24c43dc4ee4d8b7cb5ae77785b3304582ca50941dc81f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37f70e3f2ef454fc905ffd44278eca50

SHA1
8d02d5b9b1c8ac5760dc293098e98c64ac048d39

SHA256
3d1804b15bc6c58776f4250e0bd843be00e419a001d811195755429e9bf1fd2a

SHA512
c75e3311420cb935f263dc688dfc064053e5865b9b4f5aa74a8f9d56bbc932e0789960fec0982800ec2aa2c895f0b3831831f97d04939fa4f79e12b8e7885293

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 332543.crdownload

Filesize
14.9MB

MD5
456adec7a01fff85c1204428b5123a66

SHA1
26165fe003a01a3a59dc64070fbf2e96187214d7

SHA256
b6127458de06667662655e158e7d1adc6cf505d08d9dffe243a0b308b3166090

SHA512
3b2cbfaf171297da578c0db840e54a156a1aec481a0f441acaddfe127d20f1013d62a74c99fdbb8a44bc9ced109aa25509dad05131cc5cfe99ade170027fcc41

Download Submit
memory/4536-326-0x00007FFEDF1B0000-0x00007FFEDF3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4536-316-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4536-318-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4536-328-0x00000000760B0000-0x00000000762C5000-memory.dmp

Filesize
2.1MB

Download
memory/4536-324-0x0000000003F50000-0x0000000004350000-memory.dmp

Filesize
4.0MB

Download
memory/4536-325-0x0000000003F50000-0x0000000004350000-memory.dmp

Filesize
4.0MB

Download
memory/5216-332-0x00007FFEDF1B0000-0x00007FFEDF3A5000-memory.dmp

Filesize
2.0MB

Download
memory/5216-329-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/5216-331-0x0000000002460000-0x0000000002860000-memory.dmp

Filesize
4.0MB

Download
memory/5216-334-0x00000000760B0000-0x00000000762C5000-memory.dmp

Filesize
2.1MB

Download
memory/5352-313-0x0000000006050000-0x0000000006232000-memory.dmp

Filesize
1.9MB

Download
memory/5352-314-0x00000000067F0000-0x0000000006D94000-memory.dmp

Filesize
5.6MB

Download
memory/5352-312-0x0000000005FB0000-0x000000000604C000-memory.dmp

Filesize
624KB

Download
memory/5352-315-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/5352-311-0x0000000000F00000-0x000000000152A000-memory.dmp

Filesize
6.2MB

Download
memory/6044-348-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-359-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-358-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-357-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-356-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-355-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-354-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-353-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-349-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download
memory/6044-347-0x00000164FF310000-0x00000164FF311000-memory.dmp

Filesize
4KB

Download