umbral | hxxps://mega[.]nz/file/1hZ3WILL#DGrjJzYHSfFCLfLvaxSZpTP59LebjFpjwFl2oQaTQf8

Analysis

max time kernel
90s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1hZ3WILL#DGrjJzYHSfFCLfLvaxSZpTP59LebjFpjwFl2oQaTQf8

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234d3-195.dat	family_umbral
behavioral1/memory/2164-209-0x0000010B3F790000-0x0000010B3F7D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 4 IoCs

pid	Process
2164	SolaraBootstrapper.exe
5416	SolaraBootstrapper.exe
5744	SolaraBootstrapper.exe
5912	SolaraBootstrapper.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 181545.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3208	msedge.exe
3208	msedge.exe
4724	msedge.exe
4724	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe
3180	msedge.exe
3180	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4548	AUDIODG.EXE
Token: SeDebugPrivilege	2164	SolaraBootstrapper.exe
Token: SeIncreaseQuotaPrivilege	5136	wmic.exe
Token: SeSecurityPrivilege	5136	wmic.exe
Token: SeTakeOwnershipPrivilege	5136	wmic.exe
Token: SeLoadDriverPrivilege	5136	wmic.exe
Token: SeSystemProfilePrivilege	5136	wmic.exe
Token: SeSystemtimePrivilege	5136	wmic.exe
Token: SeProfSingleProcessPrivilege	5136	wmic.exe
Token: SeIncBasePriorityPrivilege	5136	wmic.exe
Token: SeCreatePagefilePrivilege	5136	wmic.exe
Token: SeBackupPrivilege	5136	wmic.exe
Token: SeRestorePrivilege	5136	wmic.exe
Token: SeShutdownPrivilege	5136	wmic.exe
Token: SeDebugPrivilege	5136	wmic.exe
Token: SeSystemEnvironmentPrivilege	5136	wmic.exe
Token: SeRemoteShutdownPrivilege	5136	wmic.exe
Token: SeUndockPrivilege	5136	wmic.exe
Token: SeManageVolumePrivilege	5136	wmic.exe
Token: 33	5136	wmic.exe
Token: 34	5136	wmic.exe
Token: 35	5136	wmic.exe
Token: 36	5136	wmic.exe
Token: SeIncreaseQuotaPrivilege	5136	wmic.exe
Token: SeSecurityPrivilege	5136	wmic.exe
Token: SeTakeOwnershipPrivilege	5136	wmic.exe
Token: SeLoadDriverPrivilege	5136	wmic.exe
Token: SeSystemProfilePrivilege	5136	wmic.exe
Token: SeSystemtimePrivilege	5136	wmic.exe
Token: SeProfSingleProcessPrivilege	5136	wmic.exe
Token: SeIncBasePriorityPrivilege	5136	wmic.exe
Token: SeCreatePagefilePrivilege	5136	wmic.exe
Token: SeBackupPrivilege	5136	wmic.exe
Token: SeRestorePrivilege	5136	wmic.exe
Token: SeShutdownPrivilege	5136	wmic.exe
Token: SeDebugPrivilege	5136	wmic.exe
Token: SeSystemEnvironmentPrivilege	5136	wmic.exe
Token: SeRemoteShutdownPrivilege	5136	wmic.exe
Token: SeUndockPrivilege	5136	wmic.exe
Token: SeManageVolumePrivilege	5136	wmic.exe
Token: 33	5136	wmic.exe
Token: 34	5136	wmic.exe
Token: 35	5136	wmic.exe
Token: 36	5136	wmic.exe
Token: SeDebugPrivilege	5416	SolaraBootstrapper.exe
Token: SeIncreaseQuotaPrivilege	5504	wmic.exe
Token: SeSecurityPrivilege	5504	wmic.exe
Token: SeTakeOwnershipPrivilege	5504	wmic.exe
Token: SeLoadDriverPrivilege	5504	wmic.exe
Token: SeSystemProfilePrivilege	5504	wmic.exe
Token: SeSystemtimePrivilege	5504	wmic.exe
Token: SeProfSingleProcessPrivilege	5504	wmic.exe
Token: SeIncBasePriorityPrivilege	5504	wmic.exe
Token: SeCreatePagefilePrivilege	5504	wmic.exe
Token: SeBackupPrivilege	5504	wmic.exe
Token: SeRestorePrivilege	5504	wmic.exe
Token: SeShutdownPrivilege	5504	wmic.exe
Token: SeDebugPrivilege	5504	wmic.exe
Token: SeSystemEnvironmentPrivilege	5504	wmic.exe
Token: SeRemoteShutdownPrivilege	5504	wmic.exe
Token: SeUndockPrivilege	5504	wmic.exe
Token: SeManageVolumePrivilege	5504	wmic.exe
Token: 33	5504	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4512	4724	msedge.exe	82
PID 4724 wrote to memory of 4512	4724	msedge.exe	82
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 724	4724	msedge.exe	83
PID 4724 wrote to memory of 3208	4724	msedge.exe	84
PID 4724 wrote to memory of 3208	4724	msedge.exe	84
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85
PID 4724 wrote to memory of 1216	4724	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/1hZ3WILL#DGrjJzYHSfFCLfLvaxSZpTP59LebjFpjwFl2oQaTQf8
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe59b146f8,0x7ffe59b14708,0x7ffe59b14718
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6460 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5631283565154317539,1908893167853013445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Users\Admin\Downloads\SolaraBootstrapper.exe
  "C:\Users\Admin\Downloads\SolaraBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5136
- C:\Users\Admin\Downloads\SolaraBootstrapper.exe
  "C:\Users\Admin\Downloads\SolaraBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5668

C:\Users\Admin\Downloads\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
PID:5744
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5828

C:\Users\Admin\Downloads\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\SolaraBootstrapper.exe"
1⤵
- Executes dropped EXE
PID:5912
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f91b42abd4faf213aa09f6f435a80259

SHA1
03f052a97476ca84895f83660b19bf437429b83e

SHA256
d4e8a7dd8701fe80a62c457bebe70e5efc7955521962b13fe25edd4521d42aec

SHA512
dd12fb13c63d6cbac80e783ba79a2d06241cc1d2e7dfb2345af609adead47cb86f03f4aaac34176baec6ba1b4622f05ebeb38babd484f30bf58cc988624af3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03072c42f1e091eec19e6c18464c0aff

SHA1
bc9468cecb21353382e69ce3cfd8e8e8693f4e53

SHA256
e66962f5e655518767400de2d7c48ffe89a7d6da51d482266b7f62f6fa183070

SHA512
5cf5366f76e254500fe8621396028ca4d976b6c20a47c0e7775554bfb726957bf3270714dc2df5e35a019e65637a2e5fbe08465bdefa200da6c23ff1cfefed2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7b824b58d6c232ffcaaf118f332942f

SHA1
6533e117c7614eaa2536c1c0b5d23bab615bca80

SHA256
0efc42322fc95bef9f3ae7b84057b5a9d6665f971db6dd6d514c7adb67b3b053

SHA512
23ac91bd27c275fd4fa65f860922b7516ed6a754746f97eb64725d9dfcb69a484e62e78e5782cba84233f335c20366e7ed398df29cf0fb52cf9c09ca5c52d5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d3c289ab0e6255e917b8a4d1ab196dd

SHA1
6445ddc1eff278a190b27e4ef15fb2f6187da7d7

SHA256
d3a61218200ac5247c8042c32c32e3190baaa3e30c85accdf5913d1fde36674e

SHA512
677c7479211904aa94386e2876ced0dcad57951e15e14a81543a3c06736fd4b791496e2c593d2a3862065cb98c729a19da01a86616f6b2e7139cce6c4eaebf7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ebce345c52e1a1fb5b7ee0d584ab65b8

SHA1
ac7aa189c7d6957ad499049ca67c1e5a5103d590

SHA256
dcab0a8671cabc245fe03f8391b5d862c8bbf78c57d98d532139aa38869d946e

SHA512
f23295b2c9cb074497d12976880464d54d0537ad1c608fe49dbe44660160a2afae440c46d11bd777c4772b8716c5da79563a53d3383fd0434ff4ffb25ecba5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d254.TMP

Filesize
48B

MD5
2b83f1b6d34617a132986eb8555bd9f7

SHA1
5d8c0c4d09e190b18fded4184f5bba0fc2548fee

SHA256
246065cd335d06a4c8c18e953d886e7737bab87c3e43def3ad17a73d87716b86

SHA512
d31447f66f6d6e964245c8795fb1a14b54f6b607ebf13142f61192ed96242fcdcad27e79ec80962741be5d31e27ceb2436dcf8ff5ff0ea222b0936cad45b3237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e134bc2a69547c21c997dfe731af5ef3

SHA1
ee6bfad52c36ae7cce971d622d9fb8a6f6ccf28b

SHA256
9f29730aa92cf7e1b1c126680d1b46414e214875b43eec2f3d2dc1d5a3c25fb1

SHA512
a1ec1aba045c0a622eefd36f9eab9f50054d8f111f48f8d243bb4421515921d50ea169bdc75247c80939fe9a0827182027385f9e5d24491e532f69539041679d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fe14bedaa8b645aff45f797f01bdb8c7

SHA1
769a16c9902a7d0bb4639918be9aac99e478aade

SHA256
9a82a4aa0508c1c4b17835d60730493114e0404b478a52c0ad1ba2271e7d8180

SHA512
a72249900baf2f37779c3689bbcc902b5c703fb2bce2381945ba0ebbb8ca3b4e394eb5db7a8afd037ec547ea5a7d43292f853cb6afc714d1d280f74cd27c84b4

Download Submit
C:\Users\Admin\Downloads\SolaraBootstrapper.exe

Filesize
229KB

MD5
e93ba95b178b2b323781bd84d4017283

SHA1
daadad893097c97411079afc5562bf83fff2d8fd

SHA256
5da646ee8d4baa9aabd1e7b6c3f4b1cfa7f306c7938a748766496f82097ccd38

SHA512
2cdd77fb23bfbf56a1db3e81f02ada19aa29954fcf4c1b23adb380c3ebdd1184a348a5ffe495fe01231ab28f9241d9af710e3778fa43d76b2b8890a484fdb55d

Download Submit
memory/2164-209-0x0000010B3F790000-0x0000010B3F7D0000-memory.dmp

Filesize
256KB

Download