meduza | hxxps://github[.]com/roblox-sol/Roblox-Solara-Executor

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/roblox-sol/Roblox-Solara-Executor

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/5152-321-0x0000000140000000-0x000000014014F000-memory.dmp	family_meduza
behavioral1/memory/5152-318-0x0000000140000000-0x000000014014F000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Solara.exe

Executes dropped EXE 1 IoCs

pid	Process
5152	Solara.exe

Loads dropped DLL 1 IoCs

pid	Process
4488	Solara.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
95	api.ipify.org
96	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 5152	4488	Solara.exe	126

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2228	cmd.exe
4236	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Temp1_Solara_External.zip\Solara.exe:a.dll	Solara.exe
File opened for modification	C:\Users\Admin\Documents\Solara.exe:a.dll	Solara.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4236	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4172	msedge.exe
4172	msedge.exe
1456	identity_helper.exe
1456	identity_helper.exe
4688	msedge.exe
4688	msedge.exe
5152	Solara.exe
5152	Solara.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 5108	4172	msedge.exe	85
PID 4172 wrote to memory of 5108	4172	msedge.exe	85
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 3156	4172	msedge.exe	86
PID 4172 wrote to memory of 4872	4172	msedge.exe	87
PID 4172 wrote to memory of 4872	4172	msedge.exe	87
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88
PID 4172 wrote to memory of 2252	4172	msedge.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Solara.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/roblox-sol/Roblox-Solara-Executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5dc646f8,0x7ffb5dc64708,0x7ffb5dc64718
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8955106717708012946,18031556894860391126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\Temp1_Solara_External.zip\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Solara_External.zip\Solara.exe"
1⤵
- NTFS ADS
PID:5704

C:\Users\Admin\Documents\Solara.exe
"C:\Users\Admin\Documents\Solara.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4488
- C:\Users\Admin\Documents\Solara.exe
  "C:\Users\Admin\Documents\Solara.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:5152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\Solara.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2228
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7006aacd11b992cd29fca21e619e86ea

SHA1
f224b726a114d4c73d7379236739d5fbb8e7f7b7

SHA256
3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814

SHA512
6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80cf20d9e8cf6a579981bfaab1bdce2

SHA1
171a886be3a882bd04206295ce7f1db5b8b7035e

SHA256
10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1

SHA512
0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7992f50184190906ea091edcc0f00b82

SHA1
43af78194cf3627db43f9c09529200be429cd997

SHA256
e92f6e30cbdb1058ed9dfc054ddea1b183ad3578524c998221f283982f650635

SHA512
706519a3055645fe7fb67a7dd08a39fcf17118d43ac10b406242beda9c87ca745e873aeead5f5b4ada29c1055e692db7a7e5e2994810c291b9845e7562f52d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
3e91b31c99c3fcdf372c311615ee26e6

SHA1
c86b6339df1d601bc57aa7fa0fb1f18fb4cdecfa

SHA256
5b17797937d753dcb053cd10a0bc55c49208d3b1736f9c1bdefa821adc3479f4

SHA512
49d09661088ca61ab233b66af5b2ee1916112d28bc37a2afd178138a222b3e6043890b885477570dfc81dc140291e597293a7ca26b48845a34c90f5c1882fd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
fe43ca399bb2453e3d717d24546f8eff

SHA1
2b25efb61660629642e44e1d9169cb91e7953447

SHA256
84184d139aa6bb2192382b0896b37c3552862686d476d6ddf314a0e7989ece92

SHA512
7147af057fa5f69993646a39db3a368471557a3a7afb7deece9f5796fa25449c287d9b7bc5f68cbdd0816cd4f6865c5a902042f62828cf283cefebf5898a1f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
12238f9ec164b3afcad2535736708c44

SHA1
90e454cb5969b4c50f8c6ceb60f4918580d813e3

SHA256
59451764a13f4147c415d9941d11675a8afd4d5d612b1d095c14922cb818960d

SHA512
72ee5cc1c736f420a16276a5f7c5070ffcab84905b9f8466dfc0075e39e6badc846395dc48a3120c1c7a5e49ee6f6e6027dc723b3ba26f2b641720a7d1d3ed35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
cee29c84b352948c046bf3ab33eb9dc6

SHA1
bbab1a0095996d52d4529c649dfaf27039e54c67

SHA256
d989bd968c4faa735dd11dc67aafaa42bc2e2caa5f3468db6ba2bd2ba7ca7286

SHA512
6a56fe3e1c339e6def40a7d6029a201a55ffcf6c5b867f296ab38856989cd9077596e978e02592693badb84402eebf3bce3fe7be72bbe8e5ed3e24974855072b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
780B

MD5
1534a05eea4bc9ca22b08aac71728ffa

SHA1
69f697bb36d1462ca87d4fe2e3237e99d093537b

SHA256
334c711caf4f272fe265649ea22374c9ab934922d739578251d5c1172a8a8df7

SHA512
56017820a7659ac972a91aa4fba89988a2d686f6df3655742998e0c45468c102b7849fc32c7002564da9c4738b19fd9766e7dfec7ff46b35f86eea998dd0222c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2aa232332453f5e50fdbfcba94cdab93

SHA1
b3a3ce42d53a2c884612de5a0ece42b83accd2ed

SHA256
7d5f64d1c7e61d0ced5ff4e1db6111cada29131bef1b36230d41bd387f442a0e

SHA512
6568faed31488f0371ff4c51ea265e8681b1b34a87ca75fcb3e97bc60df489f71b2f075bb1e0ad40d74e17b81d72f79284e8460932e91a32f995c1070b4ad9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfc4cdf967db7418b9200f443eb884e4

SHA1
df6a8afa8f364ecc203788accc835c0fe447c249

SHA256
50faf2469cbd479616876f7766c21bb1e7d4c3848caa2aff234e43a3740c8dd9

SHA512
6ef7597f55f960f73c3d87196df74697cab18a5b2732d64c98261e78a710a8a84ee8aea2f956f23515677e2cfdb921178ffe51bc5229a29c15e5c9a2d160c00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ca1007c902b4a23f0dffaf1fe650fb0

SHA1
f03be10b3852eb53f97eb37fe517cc05780bb409

SHA256
061e93e4d82c71d543e9715a4496f4ce73a313790630ead5ba99831c563290e8

SHA512
07463a8097fa533d8f4fa036ade39711ca04f732c166a82983e51e9b6e53d5bd7d7ba007c439000830c85b3906b30c724775d587edf995e187cc1b82bbd3ccbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ceb6bd199e349bee5b286838d4686901

SHA1
01d1ec40ac17a18a73b44ee931584a97a7c8da3c

SHA256
82584c700bb532f165747cb7b6f3bb2fc5e65c2a944c54e7f04b6d0089d58bd6

SHA512
5ec96dcd58f15e9129de43bb91a24b8fe8316befa50d8478c29c06e13cdcf316964b769e6e5910080022fe2fc66de54c5fb617b866471d77c06f48ade58c03f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e3f.TMP

Filesize
1KB

MD5
1a5bfd8eed1f884c4d676d28d89749b9

SHA1
fbe64e3106390bc09e0b70bc2149fecc56c809eb

SHA256
355db1cb8ea39622d06a04bfb338f976a292048bdd9996efb21578ea125273d3

SHA512
0aebf145b476c79b1ca640c1a947ac975bb0fa61dfade7cf43d8886fb6ce37dc6fff28a9e4a644a7086fff2f3eb962a11bbf0039029036b7bbd59f86c0546b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ee8bdd890e7fd2a94bef0676e7bd1cc

SHA1
93c3400d456f3334734af33302d09d2d04f747cc

SHA256
35d9ded928045967fdd6e46e076c3737fd00b32a8b93cd5fc482ee4ea2206904

SHA512
857649efe150c6ef606f59596899c2a2150302bdee9d1c915aa8882e7e95b828c72e6eaa417103613be07358ca2d0bf992d89e5e513cc892e9476a9469f065a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3c4431945c8659c1492667bf30cbf04

SHA1
16e3f0b5e7c39b85d86cf70b929df72b03893f16

SHA256
a938ee703ebbf0604c14fee3a55f0b38e761c4fd4859562ae3ac8f26e17a6fe0

SHA512
084c2acf2edbd4f7cfd10e2551c14a4e8cf0a46e6899a2996e9cb09a5e1b87865011e2fc99c7a459e86670a9f60e9b0c5fc82585d995c6da035d0b5e7b32a491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85a0363604578fa7a80d6a9b465d53df

SHA1
b126390aa444b9c6f718c54519fbb1d54261b63a

SHA256
007b075fc54b7b5e7629ff7203f9323c56504e22acb28a6ade9394397061620e

SHA512
74a83eae93ccdae5d4a1bc158330a5985f61063d21e6a655302cbd66cf450246944be24641850ee6dd64364ae70f3e00f3422c59b6701753f890c22fd14dbda2

Download Submit
C:\Users\Admin\Documents\Solara.exe

Filesize
2.7MB

MD5
e83631c84cfa21705e4390ef9cdf6341

SHA1
533e1d5f522997eb86b0b0ffd761ce13aa3f134e

SHA256
a7738025689de06459060afbe7c51f0dc18881e2eb3b3309baa6cb73a248738f

SHA512
b931b430b743dd82fc18dfbf2a3898a1d8dec9ceab33c84ca09eec1f6e1b4b35c50a5a94f30c19a8e838c7daeb3262cd0fc65b77f8dcd31a7459cc8b692986e7

Download Submit
C:\Users\Admin\Documents\Solara.exe:a.dll

Filesize
1.4MB

MD5
1251cbe47b9b2f98a260194b051cd0d4

SHA1
7fee5c96a189d877557b269548dcc1f514eadba2

SHA256
f0d2d1f75e9435fb071896c23b58cd3329d1648bc49f8ecf7d62b025ff47a2d6

SHA512
cd37fb362d479b9dea68fe13249ba2fdefddfcfdc401b571b7100ab8f17708473525bb3b5c9c01827c8d9312f62eba60cd2ee915c5a9494483fab1f85b32611d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 863243.crdownload

Filesize
22.7MB

MD5
80fa413e0eebd41ab34d10c91daf76d9

SHA1
9bf5aba85785d65f641f69ef7da2582f0c010ceb

SHA256
7ecbfe48017e5b83806f8bbcb7085321291c81c2296eba4f60da80ae8376eaa2

SHA512
5f2e4bc6807d9fcfd2d422f43658f65f6944df132d41a50ca4cf42506b98e74c293d036645545f3c547b6780d9dd8237dd65ddc728c31a6eb0074e1500bd465e

Download Submit
memory/4488-323-0x00007FFB5DD30000-0x00007FFB5DEA8000-memory.dmp

Filesize
1.5MB

Download
memory/4488-322-0x00007FF71F340000-0x00007FF71F5F6000-memory.dmp

Filesize
2.7MB

Download
memory/5152-321-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/5152-318-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/5704-281-0x00007FF751BB0000-0x00007FF751E66000-memory.dmp

Filesize
2.7MB

Download