hxxps://cdn[.]discordapp[.]com/attachments/1234488074650517647/1237864702739218442/SolaraBETA3[.]rar?ex=663d32d7&is=663be157&hm=7d93c929d809a1f2aa9862e9037cca938b072623346f0fc313795132710daee0&

Analysis

max time kernel
281s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1234488074650517647/1237864702739218442/SolaraBETA3.rar?ex=663d32d7&is=663be157&hm=7d93c929d809a1f2aa9862e9037cca938b072623346f0fc313795132710daee0&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{BFBC30C0-9F71-418F-A125-D038B70FAB80}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
2896	msedge.exe
2896	msedge.exe
3912	identity_helper.exe
3912	identity_helper.exe
1172	msedge.exe
1172	msedge.exe
3316	msedge.exe
3316	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
4992	OpenWith.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3812	2896	msedge.exe	80
PID 2896 wrote to memory of 3812	2896	msedge.exe	80
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 4816	2896	msedge.exe	82
PID 2896 wrote to memory of 3388	2896	msedge.exe	83
PID 2896 wrote to memory of 3388	2896	msedge.exe	83
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84
PID 2896 wrote to memory of 1276	2896	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1234488074650517647/1237864702739218442/SolaraBETA3.rar?ex=663d32d7&is=663be157&hm=7d93c929d809a1f2aa9862e9037cca938b072623346f0fc313795132710daee0&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea74146f8,0x7ffea7414708,0x7ffea7414718
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11097684467950245040,13574312569324743724,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4992
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\SolaraBETA3.rar"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:3136
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C62ECBEC5946D8157671F062F99A657 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5AFC49F0E2D9A77F3EBA281808E7AA5C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5AFC49F0E2D9A77F3EBA281808E7AA5C --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2644
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7E4CB0B54BCF64F795E169942D9D5929 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA5E75D5EC9444DED56F5191AA9F35C8 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1032
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3193A912062BD034400062FB401FF24C --mojo-platform-channel-handle=1796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
86d9a10bcd3bc45fc058119d2a7ef712

SHA1
d116f56578addab0ba284134da7ab52cc7112b73

SHA256
378d8d46171ae08c1058f11c7df30e5578158c1d33c27dfe2078e2df526fd6d8

SHA512
49391ff7fecd189f3cacb89402ad9e8bc1995a736a13c5fda7510e3744ab762882ec01f34a814e0e74e6b5d71fd8c270a45fc464b9340d22fc9d0a7ee595df47

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ac13632e055df536f1ad6990e9c85ba1

SHA1
bf566f64faef8b5c17cf8c07e3e08a6bffda43d6

SHA256
3dd070e8d4a052e1b54bf10e6754ff99715fcef7925a4b08cf61c8b6425b052d

SHA512
6599f1fe2430baa4e0e8a3968bdb273566ffeee280d3d5acc0e9742bb6147cf12d1351a57739e3c8daf046afb0ac102a5cd6133157e626b0927c79ad1006f3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\034a8e16-cfae-478d-a7f0-bc15f88a9160.tmp

Filesize
1KB

MD5
732ce81947b163ed6c0d736e8b026303

SHA1
ab4bff9b19737e234467e2183e991f655a41d32d

SHA256
b43eb84a19ac122ff4eef2ea3879dd9749b08f2b24ce27ed71aedf0cbb045446

SHA512
778c975c04eed3d184e8da8cfb75ac5a3505ec6f5c6d826d1ff75df53bc526bcc978fc3192aa5c3573b5b390f126362003085690022c72c081320656b1dd5c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7d86e486-5a93-43e1-98a1-df078a51d744.tmp

Filesize
6KB

MD5
13ff9273168476f1bff079f5d028f245

SHA1
1be465a62f667e3b391c9bdafd7103d3c031d7f1

SHA256
75c86c38e745472f84a81dd327c44f1902439fa8b0a0bccaf55d107e995b31ae

SHA512
48b6c51ba9bfd947d60f87e3dac9079a00139ab8aa1e2767af03e9b9865d2f5d391863306c6bff30b6392559c72f48c8f35d8977f4af021afa53f6238634ab57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9bc190c9903e15966a0aa02e9228bee9

SHA1
914600b97b12793043aaff880ef9fefab8ca32dc

SHA256
58c9dd0f06d2f653ffc4f13a5522daef655d0e282d695d74d831eda7387dbad1

SHA512
8baf8512e263877d756cbb1bda721c7d40723be13b6c6b9c8a33efcf77b336845c7f7c753ad428a3eafdbaa3ada01ef04ff11382e138c7453e237e19feccfb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b2708a1e5c18cd628205e1e34638f5ef

SHA1
105a722d0367311adc421265f75050f26c4caf27

SHA256
dd532118e0d24c4357cde72855f8e7812f24a3264938e05d32b81fd1d45bab50

SHA512
7bf8975ce80eda58041fea62481de3526e7ea852edacfabf0203f45423510c647d639baa548287f944975c2345528593987e69f5c465762dc858d9a8ad4e3d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
d61645fd279701a9dfd9dc42200f764f

SHA1
2083a2fe7b4a6365b0dbdc53f4b8c01af05724d4

SHA256
270d7365041bc18e9a1bf7ce86226b597ce0e9a1ed081f46b08cc3593657b882

SHA512
f240275d2760166b893286b1327664b4d93cf86fb685e704e0c642de86fc63ceb0fa570b7f76244d6f34115be1ab4957514df3cad7e21522dc3226ddecfde93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
810ac5f4b6882c85cbd1576b1e40c808

SHA1
71e248cdaf5dbc345da810fcb29dc47564a2ff62

SHA256
d281a5cfd9b2df540e4902171c8daaf2ef6f113f1cc351335ce4b1fe19e37292

SHA512
591e0f93e72b85d322f41f79aeb6a6e0530f7f8d89c949798f6eeda7b2e41862adbad19e883b6e757c44e50c060f96f267187aff75e896962af0753e7a29a3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ead632b8689edf6250a42dc2bebe808e

SHA1
68ee51e9b66a709873a13768a22f23c1e4c66326

SHA256
385b930e82451d60b38fa319802ef6b7ebb7ec1d908c75803148e50d77c6e5f7

SHA512
525559d078310b3f5325d35bd13f16f23f5c6da296bd3a2b50835637b236f22b118e610029edab387e1371e0941416c5fb0b5b011e44014aaf73dd29fc3fa81d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
36f02853bbfbd709016a5d3827bc246d

SHA1
a965c448b47adc86f6155406affa59dc40f3185e

SHA256
d3680b536f21638439921f572b51a2f873ef09bb86b5c6d7f68244f068e48ed9

SHA512
f16b09fbeec4231cce0bd6f55a5108fef0041ffd6b009a7043bdff005f50e1273ea20416a3692da698dc7aa895f6df88d33121047835e1ca4265f34af3603419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45ec99bd6244f3b5336ee92897fb12ec

SHA1
7c00704b4334fe92a0540619cf836c0854ac50b4

SHA256
d5c72fc114ab51c4daf1158bb2cd121bdd007837014a2650f90d173a70a68c54

SHA512
c34df5c9cbedb3b2af10fcd93d51e248e72633989170e45c2c4e5a9418cd3357b47d901159f80b9008a632fde20e35ded5bdf20aa2656330da0228fff601e582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58680c.TMP

Filesize
538B

MD5
51d3a37a4cfc12faae35bd443e179bd0

SHA1
d4559dc533e653187d20eac8e75982dba4d37b08

SHA256
da602f41333aef3b74fd0ff93e83f1a8c0f90abd634ab38f7ae259d94b94b57e

SHA512
c0dc9de25dba4f320a3ae7a22d923e3c7bb0713a415b0e8f870aea9d9f3bd37ee35050a30a35a380354cff3d6d248dcbc12656705ba8124ba2392937796c294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b4b56795264a19e997e5e147405c650

SHA1
30436884e3d6a0883ef764cc0943aec8bafeec35

SHA256
fa2cd0cd9c192c825aef50c742d0eb0c9fb24a96c1c3326fde23a21bd3e4b57e

SHA512
720de3bd7ae8c6aa09a2450a64869275b166ee174a3e6ac8b58fd68119195fd26e771b389bcff4849bd5f91194f0b01a5d5e06f6ccfd09645d9027ed2f27b439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e7d7659ec405441695255fdd9ac56b8

SHA1
c6b537b3517b63974e06eef622d02d9f9560a07a

SHA256
8316981889ad162dcfa5700f29284511dbbcc3d1c3f2c79d683c715114a83139

SHA512
b386961ada6760bcb63243048539cda06f61d18ed0e4660d7451e9a40629f447a54a1ccbd65a58a2f57ebbee3c58c2a97f3d3814df57588c7e2d861b7fdc2738

Download Submit
C:\Users\Admin\Downloads\SolaraBETA3.rar

Filesize
14.3MB

MD5
a6d8949e3f607cdcc0dab3a8a238e392

SHA1
cebd6a5f7119992718631c1c31dbeb836f60a8eb

SHA256
168a76679d03d1e2e72cfc68f665ac3e9a498a8f1c3e603b808dd92723694c4f

SHA512
71d6417939c535cc0dd6e60b1772d22c840d95977a662d3e18d8f7debde41cd5d343095ca14a7ccc6226b437c8c6c66127a1b2a2d99c053fcbf4ba7f18226d03

Download Submit