rhadamanthys | hxxps://camo[.]githubusercontent[.]com/a6d934a02b33785e2abe8020127a0889b22b2beb9462ec75c61e1546959d2a20/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f446f776e6c6f61642d536f6c6172612532304578656375746f722d626c756576696f6c6574

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://camo.githubusercontent.com/a6d934a02b33785e2abe8020127a0889b22b2beb9462ec75c61e1546959d2a20/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f446f776e6c6f61642d536f6c6172612532304578656375746f722d626c756576696f6c6574

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2900 created 2600	2900	Solara.exe	44

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	camo.githubusercontent.com
6	camo.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 2900	632	Solara.exe	125

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4428	2900	WerFault.exe	125
4956	2900	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
668	msedge.exe
668	msedge.exe
4068	msedge.exe
4068	msedge.exe
4992	identity_helper.exe
4992	identity_helper.exe
468	msedge.exe
468	msedge.exe
2900	Solara.exe
2900	Solara.exe
640	openwith.exe
640	openwith.exe
640	openwith.exe
640	openwith.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
1100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	taskmgr.exe
Token: SeSystemProfilePrivilege	3120	taskmgr.exe
Token: SeCreateGlobalPrivilege	3120	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe
3120	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1220	4068	msedge.exe	83
PID 4068 wrote to memory of 1220	4068	msedge.exe	83
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 3408	4068	msedge.exe	85
PID 4068 wrote to memory of 668	4068	msedge.exe	86
PID 4068 wrote to memory of 668	4068	msedge.exe	86
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87
PID 4068 wrote to memory of 880	4068	msedge.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2600
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://camo.githubusercontent.com/a6d934a02b33785e2abe8020127a0889b22b2beb9462ec75c61e1546959d2a20/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f446f776e6c6f61642d536f6c6172612532304578656375746f722d626c756576696f6c6574
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff914d546f8,0x7ff914d54708,0x7ff914d54718
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8708082446307228053,2663498591135668881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4268

C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:632
- C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 464
    3⤵
    - Program crash
    PID:4428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 456
    3⤵
    - Program crash
    PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 2900
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2900 -ip 2900
1⤵
PID:1340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c4da9339d864bc0fab38865a3940fe18

SHA1
832f41fbc60a5818e9b975ef503760fa7e3b4739

SHA256
d1f1cfd05a1fab91037ed9b850627b88e3ba39aaf80bf4132d6a6b5eac089c1d

SHA512
276f7928e29d0a3c7e070c0a23dcd4b0b243cf7244d3f04aee51ca46ae3089d424dc11090b196858ab1d2444150bb630c0b44bfd824ad50ede67f1fd641f16ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6f03b2ec2abe0fec44fb8333175f3444

SHA1
6120117f239011c7283247a9144e07afa3db40f9

SHA256
fea4fc4a1b712f17c435bc0637cfb33f8feeb0229d6473a34e9ba8a4d9a36e48

SHA512
2978d88b501a284c95bced61514899f95fc744ae1e55c4dd7536abd0f29821e0e0bfd7fe88e417e643f815c9c10a9a56cc9be2e1397fd81d5b1939e4e764e3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
202d796d2ca85f020d30bf350a448256

SHA1
dd83d9c28ae90f1ba73fbcee689c9383710ec77a

SHA256
78ee9330a83ada621530cc9142cdbc08eeacc1453ee3f24fec884f9b81382aed

SHA512
baf30c7c714c7680f840f72a0974e645db4afb419bb93169e20b64b064a526a359077f216429ca23c0ee49c327d514edd1f45cc8e40915944f3a2404f6608677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8ae2e26e81818f670e8706acf800d61

SHA1
d6f012dc761eaef673b1d0f610134f2c96d963aa

SHA256
d5f88e9791d76419fead323bc96bb8b3ae865d11343f0d08255ab07c46db60b4

SHA512
fddc8781b34b385ddd6fefe0976df5e0d1e1a8a120da5989341c33817446f7df51b9e5a468de79f7f2eada86785813b8898dc2557c6437d85456b003c728ef66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b96416e3f3cd3655e2c0971260fdd028

SHA1
a4c1b1df9ec80d6d82db30e1e72148c95640af4d

SHA256
d18eb9c1d638e3e462472409022f314fec6a847db6e1fbe4d2a692abea82eb88

SHA512
73656aa32a2c819536b8963f9f981bef57b4a9807ce073c924cb7e2d7dc620d72c25d433bb2c0ec1efccc2b87c07122670ffaaa8ef3a0afa763a2997ee29e66b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7d93f25f889fe4953ee363fabb5b60cc

SHA1
619613797894b068ef0bf973378d0d88d78ec0c8

SHA256
1c5b116a4e9fee9f609cc82ba3bd9b5d891703629720fabd5f228e4bf67ead09

SHA512
b91bded8c36c41da27ac59da436279b7088693d0f3dd6052ae5a540574f885c9157a4c416d120202f8dd6529b2408d04244f480c1a5cbf63f733f51944ee5196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b7da0bf22ff6b2731e10b6ce1a56fe26

SHA1
586c0ad65df4c62a9a2bc45ed2bc2369764bc7f4

SHA256
d54efd66e2467f544a00030b5a1275015d419cf011b59c239b95ef7c683a0121

SHA512
7ac8f4ebdbf9f984b0ba0a59789b9ffc6df2d21d59eda6190c906fca194dc3cbbef6c4272c5730a4a918a847847bc5aa4adb3d71df95239d986e4f6f6aaa202e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
71ed8d837819bd3c6fd60ee92c65518e

SHA1
3de1de714281ccf3f8bd5537a8b4a9a736c79fa9

SHA256
2f33593df55797c3b12f49b80a3492a584ed64c4c6227c30dce88b11abfaa91d

SHA512
23feb8d3d7d6ffe0cfea0b139a2695d04f6a030b44b947168f40852e2a00680fe8f872885ad27ee630bd551caba7ac6bd13eb303609814425fcafd2b5a7f481c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1385e119db708840cb56e23d6a7cc4b0

SHA1
7a230431f9c49c52d9b66e14df44dce506c160cd

SHA256
29d6d5d21d51c1ac4825672869c3b336a24c9cf073b0ee4fd59c9ef4a1f27d05

SHA512
4f76e5b7fb07d9e752958cb09fe60cc1e66becd8f4ec066cdd699db06869eecd890da5bdcf71af1ddcc53c307826ff4a8dfa6fd9aa838cf6401e86fa24aa843b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581aa7.TMP

Filesize
203B

MD5
0c3aa01b8d6bdea8fce996f84ee726d5

SHA1
6d9f1e7064cdef97923b51486421568dfe09fc07

SHA256
81237d6c34fb5ce78483c87c4fce1cec278f13dd2ab6f69ce461d02c387f3e56

SHA512
8a7a8979650f601229ad1e1d675b8839dc6488ab021ba525af081898ca471a8cd9029a713e255737c004d4db4c32ea46f8eb3f6a95d59e742baade668db75b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7f2f17bc5a7bedf22ab6ae601ce53b1

SHA1
4919ccb89e55f7f80e1fea652b361da9011675f0

SHA256
f2dde2ccb9fd17c44dfe0119c81f8a607944044e14e9bb2f3ef2197db568fcad

SHA512
c89bbdefcfa03427b0221a3b9373088aea2a0e751620968491adfe00de3719cfb5ab3d3e71373dd804b56cd5963e870ca0771a0344546b417b66b414d5f10665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e873fc6d1b816cddd14ca07eff433798

SHA1
06088c58d1e32fde8c6f8e46da35d4aaaf40e506

SHA256
9f7571a458a3351ce123ac75dfe68ad56e7a13eb0108a877140498861866dfb5

SHA512
2fd0a9a414b8017e4a6e3e5ebe671dcf7c91551c99d377438c99697ff49cc1d1f48d74f208cd79703b1e5ade5abed4b8cb9cfd48ad5ab59f455d9d204a03801f

Download Submit
C:\Users\Admin\Downloads\Solara.zip

Filesize
13.4MB

MD5
6fe0bb4598fba38e1c2dc25b084ae38e

SHA1
7514257cc85b0a2d4b218f43f9a8f4dd61c545cf

SHA256
ceaed51bfaf0862e89a1790376ff6969bcc7c266e2c7b73cf67f57ad3ca7a397

SHA512
232b90973680eadbf11851fa20dc1e0ffbcae86f14bd8b605964a593775705cdc69dcb3cd9a5ab66ce18785c2a098df75f58392b1c3d6a04f28c57541fdc632b

Download Submit
memory/632-462-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/632-461-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/632-459-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/632-458-0x00000000004F0000-0x00000000008C8000-memory.dmp

Filesize
3.8MB

Download
memory/632-460-0x0000000005430000-0x0000000005550000-memory.dmp

Filesize
1.1MB

Download
memory/640-471-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/640-476-0x0000000075530000-0x0000000075745000-memory.dmp

Filesize
2.1MB

Download
memory/640-474-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download
memory/640-473-0x0000000002440000-0x0000000002840000-memory.dmp

Filesize
4.0MB

Download
memory/2900-468-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download
memory/2900-470-0x0000000075530000-0x0000000075745000-memory.dmp

Filesize
2.1MB

Download
memory/2900-467-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2900-466-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2900-464-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2900-463-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3120-502-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-504-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-503-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-508-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-509-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-514-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-513-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-512-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-511-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download
memory/3120-510-0x000002A3B5B30000-0x000002A3B5B31000-memory.dmp

Filesize
4KB

Download