meduza | hxxps://github[.]com/Solara-Hash/solara-download-executor

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Solara-Hash/solara-download-executor

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

resource	yara_rule
behavioral1/memory/2548-701-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-700-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-697-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-696-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-694-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-706-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-707-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-703-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-702-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-695-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-714-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-715-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-719-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-720-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-731-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-730-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-727-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-726-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-761-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-772-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-773-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-767-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-766-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-763-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-760-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-755-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-754-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-749-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-748-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-745-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-743-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-739-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-733-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-732-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-742-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-737-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-736-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-775-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-779-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-778-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza
behavioral1/memory/2548-774-0x000001E988870000-0x000001E988A6A000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	292a13ac-72f2-4726-bd7c-8c993c866145.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Solara.exe

Executes dropped EXE 4 IoCs

pid	Process
552	Solara.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
4428	Solara.exe
5004	34862637-c0a0-4846-85ee-b4f089c7831c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	camo.githubusercontent.com
29	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
105	api.ipify.org
106	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	cmd.exe
2992	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 19 IoCs

evasion

pid	Process
116	timeout.exe
468	timeout.exe
5100	timeout.exe
1152	timeout.exe
3080	timeout.exe
432	timeout.exe
468	timeout.exe
2284	timeout.exe
2964	timeout.exe
1884	timeout.exe
1984	timeout.exe
1672	timeout.exe
908	timeout.exe
4980	timeout.exe
3892	timeout.exe
2884	timeout.exe
1396	timeout.exe
5108	timeout.exe
1040	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771918372664879"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2992	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4296	7zG.exe
5028	7zG.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	292a13ac-72f2-4726-bd7c-8c993c866145.exe
5004	34862637-c0a0-4846-85ee-b4f089c7831c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4788	4048	chrome.exe	83
PID 4048 wrote to memory of 4788	4048	chrome.exe	83
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 2016	4048	chrome.exe	84
PID 4048 wrote to memory of 4696	4048	chrome.exe	85
PID 4048 wrote to memory of 4696	4048	chrome.exe	85
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86
PID 4048 wrote to memory of 208	4048	chrome.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	292a13ac-72f2-4726-bd7c-8c993c866145.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Solara-Hash/solara-download-executor
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe3fd9cc40,0x7ffe3fd9cc4c,0x7ffe3fd9cc58
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4600,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4788,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4472,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4620,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5236,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3464,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4944,i,10368974947171270204,16235822786737503000,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4168

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Update_v4\" -spe -an -ai#7zMap12133:80:7zEvent13268
1⤵
- Suspicious use of FindShellTrayWindow
PID:4296

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\" -spe -an -ai#7zMap17125:134:7zEvent8067
1⤵
- Suspicious use of FindShellTrayWindow
PID:5028

C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe
"C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:552
- C:\Users\Admin\AppData\Local\Temp\e241393c-d755-47dc-b001-4aeecb6b4e64\292a13ac-72f2-4726-bd7c-8c993c866145.exe
  "C:\Users\Admin\AppData\Local\Temp\e241393c-d755-47dc-b001-4aeecb6b4e64\292a13ac-72f2-4726-bd7c-8c993c866145.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\e241393c-d755-47dc-b001-4aeecb6b4e64\292a13ac-72f2-4726-bd7c-8c993c866145.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2292
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2992

C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe
"C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4428
- C:\Users\Admin\AppData\Local\Temp\0fb7b107-5cd6-454f-a69f-c63f7765b25c\34862637-c0a0-4846-85ee-b4f089c7831c.exe
  "C:\Users\Admin\AppData\Local\Temp\0fb7b107-5cd6-454f-a69f-c63f7765b25c\34862637-c0a0-4846-85ee-b4f089c7831c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0fb7b107-5cd6-454f-a69f-c63f7765b25c\cleanup.bat""
  2⤵
  PID:832
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5108
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1040
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1672
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:468
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:4980
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2284
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:116
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3892
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5100
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2884
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1152
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1396
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3080
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:468
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:908
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2964
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1884
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:432
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
06535757dcbcc6f0446eb1c5b445c382

SHA1
fe15558ca863ff60557ba50d650b12378035e329

SHA256
14336b5269793d3fa2dee22271f7808a4030b571fa3c90e26247999324891ac5

SHA512
a4d817b5c2cf1ed8c040070f772609e6bb3bcce300454c0a287ae5f7e4ee52cc2c90e8759265810bc2b454b810681a487342ebb718a55090b9d03669a7af0fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2b537331e9802de2c79f61b40b103375

SHA1
b5d3740ddb71c01f289e2bf51d7602c55656e87e

SHA256
46b9ab1a4abaf41c4e6cf785722a4ba0977d127147c64bd3dd861812ab558904

SHA512
fdf596999913c6ca39fb8c215efb34cf0e29b98693d4a95a16ba6e639e5dd875c7b335ab7d62c205c7fb5d7601da322c19782afca2c071da4fa2d3defe2e4084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
843c2f5deb4bf6ef2e608306a4f1ac00

SHA1
28aef0e39910ee4b90a59d2c19bad0f8a6d6a116

SHA256
84a435509299ec6081a7cbfdfcda7f8a86ffcef07cb213dad231f43a4f7012d4

SHA512
018eeccf1b5c01337361470113cf033ea38f88d84f39bd60561fcf54296aa1bc9067c90f36f2dd68057ad8376146086d510acbf76b94b1dcf93b7aaafee8868c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
13KB

MD5
336dfd3ed56786fa4f6a8bfe195cf916

SHA1
e7a0214976717fa1635665a0a350abbc6e40e65f

SHA256
4d1bf773ea9ac8cd4930917a42e1bbd15211d8346754c2f912453bd6a09960bb

SHA512
1992092b3b82526cbc74ce1e97a381ae760fe448db46ba71f6b5383297c6f676979c1f4ed3f97d87469b4ab35c3475c93c3ec8540a98a72079a1817470047837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
30bd41b64cae8c57236551720ed312f4

SHA1
f0374bee3eb1f20608fba0b16d039275aab8524f

SHA256
45479f4c56c5f109d259cfa2ece53993ed6cedb8aee3cff1c9da8d18d277f128

SHA512
5795ae1e3c88eeaf77cd4aa797ee220df8e5c668f17bf6658faeb791ccf91bb8b193197918f7831d0660c2dbca2095666c9712374515794f0a6f9ca9be1fbce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
0231eac7a01b5a4a737acc1e27cc08aa

SHA1
3612fdf403d043569e0e7e54da168549a48488d7

SHA256
19887308ae142c25b810408b0ab1c8ddde918287c9e1d05142c7682a30f31c64

SHA512
203461fcf6dd25b95296bb4caf5b5acd45476a982559eefc1cf86eab3cedb771c0b0bfe0ecee35ec6c93d0e664c3c719ac00004482a64bcf402d4ccab490aeee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c15135f6940719e9dffb0c4fb0a69588

SHA1
7d3984e99cdcca730bae80b9973f81eddae9faf4

SHA256
911a62c5ddd3769ec978b7cfbad1327d57bc0c125f3a9814fb791a39ed812919

SHA512
95db5950aac657e01a198826ecd8835eed6c164360d3a08936031a7767a3ec6ea953e26a5118fa67e9ff6a993082a86896787f9bad95571faf1dec371f956bf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7ee7ee03fd30e93d2725715ed4a4f950

SHA1
b8f3cfb012b99f3312712de438d004b24ace69f0

SHA256
96d8757162e882902d8db0cac5087efe3d04473afc49f7014340643ea6f25425

SHA512
d5f35cc5b907a3ec5e3326a5a0f04f7203305523730ca1f63b0d733bdd1ef22aa71b74e422569c84911d508cdf89d6e8b9fdd8c60bc81940cc28fef970addb69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
12f9840f0b8c0de6500035e1baba57cd

SHA1
0fa0e831e6ad0ddf5c52f84e2bee98fc75a0d266

SHA256
ca41f4fc5796f1215b7d4060d7dfb781e89a564e9606d65ef669fc6ae1e0c820

SHA512
7a24a469f81149273403123fdf5a8c00e69ef82d9623ed36b8e4c82bd95300b71f8bfdfdc53f2e91252d67ec7b7aeb09599754ffac11c9058c9656bac42c7ca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b8d820532c1ca831aabd971ec190ec49

SHA1
bd3f823f21e44862516f2771868b7bde4aef860f

SHA256
9bfb277a9684c90371f88723702fbfaf049e0fd0f2cc1f5792226d003c72e936

SHA512
0361c42a556ee9e38c07344ee0b3dde7349870a5345622c52dd50dc6ef4de4ca3e30828008d118620480964b74941e9563b3b321383d369e17dda63f142ae9b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6654a4e1820c3b78e37e378a7127526c

SHA1
c82bb451a4e27440d41e0c42f1ad0c588ddd3c90

SHA256
fab3855dee6bcb3748a96f0fa94eb370fa3850a9ad8cfa94cb9d96a74eb69db8

SHA512
c7d4af0278a4f35fffa82cc666173db49efc81ac3e641211ef84afa0abc0236e0e63adfae3e5a974f70be485ce3ac4102923d18c076e4b64958883a244a86b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63a2c17b67059c2687a8e628366c7588

SHA1
492efd075954774da026d576beaec2d93b4858e1

SHA256
dcc51beef59e8e462706345435559089e54312cff9e2aae1da1f6ae229e6203a

SHA512
9d4ce5773d96ab02b26061cdb67c7fb141e5ef081356390dfd55470fb0f5831f8cdaa9ef72a184765a49f494d9823a6792323b116a55227fc72307ddee192554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d5e96ffb1047d08524e1331651da26d

SHA1
85d494a33bc9a7115eaf7ea1bb65314d74a820db

SHA256
e699ac5862e7e38b4e8058386babb850ef1f91052e3567ab0c8a48c473bb7bd3

SHA512
9325d1de84bd503b46d4f3ee6a74a4d078b21389934b4212f66857861c23984e436d6a7ab3118e0a73b0671b87fa1674860c8da0362beb21becb5e762bc24355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
700cf5918319d09506c6680369a666ce

SHA1
f0ed9f55cfbf867eaccfc1682b5fcf17b231786e

SHA256
d70bed2316b2ed2040a961df49630451b2d19875b8b9d46e184f75c0a8ff88e1

SHA512
11df0b4a42b8aabb34410d6a1308cb2454a11b6db76452843e01585d1a9fd8bda6335536a7f6b561b48c61e44c82c756d4c80f029a3806596985d2b400268293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b174db421229b48436550c5bef569991

SHA1
3de63020a78f9e559742295c95c1c7f33816d483

SHA256
b5800e9443bb1898890bd6fc46aea0e4d47e29f9a3e034594f816d5212158eae

SHA512
95b2c45f5cd62b48b39934237190d9a1a49c293c2c4d4fd70dc6c25c79ed36f5b884da80c803edfb7bdf4c2073033e677289541ee099c785c9cd122eb546bee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
14473cd1be4af814335c11f20a80e017

SHA1
5ef1bd73ae4c530b9ebdec5ab724e6015304b9cf

SHA256
12200254926fefe31838470a895ffc04a215b865548a5d36dcc4f1828f6ec1b5

SHA512
18536c493a112dc32e5e91cbb131c600ebea5927c577fe3b0d258aa6faaa9fab79aa58136cfe1764fb712be4e071682ffbd90dacabd85c534291bffa5d89e3db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eadd0dd4751abf2d9f1f5a6b6e4d1a7b

SHA1
6e931a062a164aa1c16e9bd778849ef886c6f925

SHA256
a1282adf84940dc73ca6e844c0a5d5c6c6d8028648c870e86e86c318b228ab93

SHA512
253042b6e1fef9a1981c6cf0acec48f19a879ff5e06ee12f219d4b928ce9d56084bc32d8e791d358cf87a0bd4bc00634687ac49562f45283a74056487e079667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b67c701300dc4b0ed5389a309e008d37

SHA1
89afff85b2fb429e11e172192a441ef4c8f6fc1f

SHA256
d62140308674e70b87838b0ed58ffff9a2b564bd94d79843c6672771e917b2a9

SHA512
17d6fd1f750fe7d4b9d5623fb437a9859b41e029c355d706d08c943070d8063f3d66dbaf740ee4d0e7847755ca9a5af04969bd07b40797c35f38e293da0d19d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c01fad1dcf862e523c5d469054ad6b37

SHA1
8cdfdbdaff53a26d7530f24588f1d4fb55ba7f84

SHA256
ad98035f2ad54401c78c5e563f5b0d1115f5fc575080613fa9108305591b5e5d

SHA512
0ba82fd57ea67fa5b59d0db56389eb9011c3df72b644ce63299c93b34abffc7888b50af0e1754130df7bfa636f4f4366200522c0ecc756cd766514d7a1467ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
4933c329adecb5ebefd44283ad3839a5

SHA1
a1c3a4e056b05f3be81f91ae39b78fd6dfbe6088

SHA256
c102650dcbf2c2481ccd499a0340872dd83a3289f016a9c45583b0f818cc5960

SHA512
2a3c1c92ba86adef852347cba45bdde45137bc7490d48a972d3e737e47f122f3f6157b576556d2ccbb24687bcabbf3822a90b7fcecfc1dedb566d113a59edd5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
43f1ebb29cf91dd71fec08b8a3cb8bd3

SHA1
d9d2de96b372f71c04df24ba1bd218c0e492cb15

SHA256
e1cedd3683a204653b97e60c943da93baf05670b16ae553a881270bab564d655

SHA512
8003aa8703d17ecc1e8ba9b502667bb0e5168ade26e30eec565125cab688caf013b560cf54517adf78178402e79c8d46ade58f094fe14eac08d850b41b874a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara.exe.log

Filesize
1KB

MD5
638ba0507fa15cd4462cdd879c2114fa

SHA1
f23dfc22ea05f6abb8f9aa11a855ef8f3c51d7f2

SHA256
f91ebecc8963ff1840636f0c2a8f5350beb6eebab8b7d99068ad0b19bcccb478

SHA512
23d440dc8ecfa6c43e89895de038c564bb5e09174a6818a5952d5d589296a6ae77e71a4fc5de3773a6bf27aebb69bdb670f2a2609cf8658668759b50dffc8520

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fb7b107-5cd6-454f-a69f-c63f7765b25c\cleanup.bat

Filesize
379B

MD5
7d794999c2e6d6b3a2ca3d565f3a9de0

SHA1
061bd8e5ad0197a8677476db66e71ddcc7bce98a

SHA256
4719362dd66c3b5c8a766f01e912d030bb36e631364e525da7f689b6f98c2f79

SHA512
598f4f15b4c2f9384cd70b71c409646137f7eab4432a59305f29f9b279cede1d2f2278c6d3c287a5d8e05b6483d2f70400ae91186c4c74ac0e9916ea4e9095d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e241393c-d755-47dc-b001-4aeecb6b4e64\292a13ac-72f2-4726-bd7c-8c993c866145.exe

Filesize
3.2MB

MD5
011f94bdd586dd10dfe0ecdc0f60ac38

SHA1
50f4c3146227526b95f125cccd71b4808752508c

SHA256
e57ff0cc203e686500317de1eb7a7912ee0e1ce4d8378c6c19c6d81e7de6c9f4

SHA512
26ccd364cf720a7c8b1f357a63eb23081d6c83580a38659482f0b3268ddbcc97c555482887aba3415f5a5b0d34ad77f3a663dcba6294ee91a3e6f359528c31a0

Download Submit
C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
memory/552-671-0x0000022C63BE0000-0x0000022C64BE0000-memory.dmp

Filesize
16.0MB

Download
memory/2548-763-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-715-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-714-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-755-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-719-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-720-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-691-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/2548-694-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-731-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-730-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-727-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-726-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-696-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-697-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-761-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-754-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-773-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-767-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-766-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-706-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-703-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-695-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-772-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-749-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-748-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-745-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-743-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-739-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-733-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-732-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-742-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-737-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-736-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-775-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-779-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-778-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-774-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-700-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-701-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-692-0x000001E988780000-0x000001E988781000-memory.dmp

Filesize
4KB

Download
memory/2548-702-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-760-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-707-0x000001E988870000-0x000001E988A6A000-memory.dmp

Filesize
2.0MB

Download