b20a675a73f1940c54dda5cad8f5455bf4baa31d77edce3f391b12995d0abe85

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB/Solara/SolaraBootstrapper.exe
Size

12KB
MD5

74494703e5f44eeb9aa037f0f50bf682
SHA1

fcfd8813e63cd61c5bfd2db605827fb9070fe8e9
SHA256

3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66
SHA512

dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe
SSDEEP

192:WrnDHbLupIapaLPr/XKnxxTc1l6VXtrNjA:WrnzHUIapazzKxm1cVdZj

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

XcHvYYrNa.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ XcHvYYrNa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XcHvYYrNa.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XcHvYYrNa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XcHvYYrNa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XcHvYYrNa.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SolaraBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 1 IoCs

Processes:

XcHvYYrNa.exe

pid process

3288 XcHvYYrNa.exe
Loads dropped DLL 6 IoCs

Processes:

XcHvYYrNa.exe

pid process

3288 XcHvYYrNa.exe
3288 XcHvYYrNa.exe
3288 XcHvYYrNa.exe
3288 XcHvYYrNa.exe
3288 XcHvYYrNa.exe
3288 XcHvYYrNa.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\XcHvYYrNa.dll	themida
behavioral1/memory/3288-1499-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1500-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1502-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1503-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1504-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1540-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1900-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida
behavioral1/memory/3288-1907-0x0000000180000000-0x0000000180C2E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

XcHvYYrNa.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA XcHvYYrNa.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 raw.githubusercontent.com
14 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

XcHvYYrNa.exe

pid process

3288 XcHvYYrNa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XcHvYYrNa.exe

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607931429184300"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4956 chrome.exe
4956 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4956 chrome.exe
4956 chrome.exe
4956 chrome.exe
4956 chrome.exe
4956 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SolaraBootstrapper.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3968	SolaraBootstrapper.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

XcHvYYrNa.exechrome.exe

pid	process
3288	XcHvYYrNa.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SolaraBootstrapper.exechrome.exe

description	pid	process	target process
PID 3968 wrote to memory of 3288	3968	SolaraBootstrapper.exe	XcHvYYrNa.exe
PID 3968 wrote to memory of 3288	3968	SolaraBootstrapper.exe	XcHvYYrNa.exe
PID 4956 wrote to memory of 3784	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 3784	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 5104	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4276	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4276	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe
PID 4956 wrote to memory of 4256	4956	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\XcHvYYrNa.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\XcHvYYrNa.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
PID:3288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825b8ab58,0x7ff825b8ab68,0x7ff825b8ab78
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:2
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:1
2⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:1
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4324 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4584 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:1
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3184 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5112 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:1
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=2024,i,1806769730557025530,1576011033522718444,131072 /prefetch:2
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
cd9c63059d5acdb3d110bf76423cc31d

SHA1
b3659d9665d0afff48cc9ad00199c26df1c44f4d

SHA256
ca6d67f719072929420b841879037d5efdc4b700917289f4bcfe089f2c972ff1

SHA512
3d74c29135246454b2c34b693e253495491450cd73e165da7e480de376ff027ab09cfec60f0f5abded1e3b9a7b923e3641438e3f78f10138deb5b7a6a7336988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
17710e0e4999e48dc0951643dfdb352c

SHA1
84684fe97b8c8b68c656fdbfd299293fd4fd0a8e

SHA256
fcdd3f1c4ba44f4bdb815e2e813480e9a8c2038792629656602f5677f04573ec

SHA512
1915845036fe2675883f446ead25830577addb105293feb96d2eabf7b4887f7d4a187085da0d33cb7440671295158c0be89393d3c2a0f0980b862661868bad42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
25a6e37a7f6f0fa1ef7fc06271e8b297

SHA1
fe1665859c70d6fad85b7f70e54b1b66e609084c

SHA256
1e192cb8367c16afd2141e739d081c0230aa8f09137dafdc06cc308049fa7256

SHA512
c4911e5b54c98c0a984f6dfe71469e23bb9738afe338699939ffbfc52655711c00aa6d182addb47433c56f8d4897b0d64020716b7350275ea8d7e91259a67891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
d4d72fd25a09169ca80a73a71178be80

SHA1
bf1c86004d30832434a900d705246ccbf2eaba47

SHA256
8e3b094f164e0d7e5ebb61a7d4a08d66eb6c28a37a3c90596b7a688c08fbdd67

SHA512
c2b7c37b0308bc2e7eaa9970c1bbf40a879f5814a6429f34142a17cbf6a9625711d3afc3336e8ba3198ea232ed7bd17d062efbebda3ed784c3b5672bbf4d77fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
cf6c5d0c2aed5ddfdd34ad7952694281

SHA1
b5d24f11587a80c38b2dc16ec90608122b2867bf

SHA256
462bbdfe7f7342407a5ea22397d54dcf4a90e60d09e0206efd9177e0b0b40bfc

SHA512
24d0420de56ac39909eee05a775cffe0499dcb5f531d058bade2bbef35b559c9fa832ef70fdc7fee0b195eb2f08323e959cdafd5dad9f3a248d9cb2f77756098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e70cc746e6dabfe2e7e73a0a4f97c142

SHA1
e0e51a1ac0391da17bec513a328fee64aae1b00e

SHA256
e24b338e1e30e0d70d8465d7be43eddd6de8960555eb2e61836ab7eb46f50edd

SHA512
08f11a3347e8d2fabd3411fbf8b6170c3052280fff046289894636f9e2f5cef73b3486aa6960ad15f2743e997b74c662409a72c0c5e40f0ba40e4c2929987c61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f00660258f1c18762fd84b425efdc7ca

SHA1
3be34a3af4bf827315154259e8a1175e842eccc0

SHA256
d780a3a85251a81f62409740dbc23fb12d42a02cf313e2c0c8123f4a12040523

SHA512
9cab4837a0c2cf2fea6584c7ab6aef717bfd55ec5629611be3868d91b8a15c68b2823d4167b907cf2719af8a7655c56b3ac31eff4c13df91822c362bee2640b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0d8e25b2f2d995cd8f48b80892e764fa

SHA1
3e3c6206d989252059af843c89608312b1855440

SHA256
0cf113cef5831e3439cff4c28c38c4da184df8f353af5ad94040f1401d78e518

SHA512
6f35eb806a6d6c7b16a9a978b5bf5f61b9025f40c56c481d0a2dcc1f7cb2c564b3aaa6db263b9ba0df363328561690026b1391796ec2b01a70b85a0d097cc8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c21457482f6deab0c73993f16b259b5d

SHA1
5d290ac31669feb5323cae764de21efa95da2520

SHA256
0503f76e97c156290a3e2d625e338e344a3b5c90dcff18acbd9420dbd6a7de70

SHA512
ab472ef246130b81aa6911f0c4f88d8cada84512fc7bea140e6d2d0ff99ac3f246ddf1b3a4ea2bd837f0c70d873488f1d3233c8fa87003a4083c6879b8af607a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7b0356113ed942a9e8770d8998d1a4fe

SHA1
b7c9f645837084effd223c67c368093b31bfc4bd

SHA256
78b37edd1b3bc827a047e8614c26b43c0c1f4024604e53f017d924c633a53607

SHA512
2016c049c85dc443fe2318b598ae2019b3fae6c2838714ebf99de1f89ad8061abca9e18b2169e0dec3cd36ed027bfeb5c03a437f41989bf9f0e83db6961fb4f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
6820eceda1e9e708c77ba05fd03abaa2

SHA1
f490c8201441cc1edbdb27ce089133ae221a535e

SHA256
81f154c4cb1e59c60dfc9c1329a182975f4326548bb75a9bcb2a99e8101f25f3

SHA512
092055e9f5fee1ad876f9debbc778039515d1bc35d08b8a00f76679b1b63386939ef38b838611fc112777641c7b473125c2f1e96760110ebdcd871bff41df4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll
Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll
Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\VCRUNTIME140.dll
Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll
Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\XcHvYYrNa.dll
Filesize
5.2MB

MD5
85b0dcb64053e35280477d88e1e05505

SHA1
70ebc4da4ac422bb47c1c49114d935d01848436b

SHA256
0c11716983653fef7d0f403c31429d9730c3c182eecc2e518ab98b4de6dd6730

SHA512
2f79e49f093fd0aaef79cbda75924ddec34a8172182a5cb7ddcde5227897f46e9e55dccf310779918afd1144f2af9a003d58939b5e631ecda147c81b95ad4d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\XcHvYYrNa.exe
Filesize
85KB

MD5
5e1bc1ad542dc2295d546d25142d9629

SHA1
dd697d1faceee724b5b6ae746116e228fe202d98

SHA256
9cc1a5b9fd49158f5cca4b28475a518cb60330e0cad98539d2a56d9930bdf9f9

SHA512
dc9dbecec37e47dd756cd00517f1bfe5b27832bd43c77f365defc649922cb7967eb7e5de76d79478b6ebfd99a1cc2e7e6b5119a05a42fd51a1c091b6f00f2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll
Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\runtimes\win-x64\native\WebView2Loader.dll
Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll
Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
\??\pipe\crashpad_4956_EPZGKQCVYWLTXOJM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3288-1499-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1559-0x00007FF82DC70000-0x00007FF82E731000-memory.dmp

Filesize
10.8MB

Download
memory/3288-1500-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1502-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1503-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1504-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1505-0x000001D5E5620000-0x000001D5E5628000-memory.dmp

Filesize
32KB

Download
memory/3288-1507-0x000001D5E56A0000-0x000001D5E56AE000-memory.dmp

Filesize
56KB

Download
memory/3288-1506-0x000001D5E56D0000-0x000001D5E5708000-memory.dmp

Filesize
224KB

Download
memory/3288-1907-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1486-0x000001D5CBC00000-0x000001D5CBC0E000-memory.dmp

Filesize
56KB

Download
memory/3288-1542-0x00007FF82DC73000-0x00007FF82DC75000-memory.dmp

Filesize
8KB

Download
memory/3288-1540-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1501-0x00007FF828A60000-0x00007FF828A84000-memory.dmp

Filesize
144KB

Download
memory/3288-1484-0x000001D5E4AD0000-0x000001D5E4B4E000-memory.dmp

Filesize
504KB

Download
memory/3288-1482-0x000001D5E4A10000-0x000001D5E4ACA000-memory.dmp

Filesize
744KB

Download
memory/3288-1481-0x00007FF82DC70000-0x00007FF82E731000-memory.dmp

Filesize
10.8MB

Download
memory/3288-1480-0x000001D5E4D60000-0x000001D5E529C000-memory.dmp

Filesize
5.2MB

Download
memory/3288-1900-0x0000000180000000-0x0000000180C2E000-memory.dmp

Filesize
12.2MB

Download
memory/3288-1476-0x00007FF82DC73000-0x00007FF82DC75000-memory.dmp

Filesize
8KB

Download
memory/3288-1477-0x000001D5CA040000-0x000001D5CA05A000-memory.dmp

Filesize
104KB

Download
memory/3968-5-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/3968-3-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3968-2-0x00000000025E0000-0x00000000025EA000-memory.dmp

Filesize
40KB

Download
memory/3968-1-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/3968-1478-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3968-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download