hxxps://github[.]com/quivings/Solara/raw/main/Files/Solara[.]Dir[.]zip

Analysis

max time kernel
364s
max time network
367s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip

Score

9^/10

evasion themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

XcHvYYrNa.exeXcHvYYrNa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XcHvYYrNa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XcHvYYrNa.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XcHvYYrNa.exeXcHvYYrNa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XcHvYYrNa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XcHvYYrNa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XcHvYYrNa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XcHvYYrNa.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4952-199-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/4952-200-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/4952-201-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/4952-202-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/4952-206-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/4952-209-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/4952-213-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/2948-217-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/2948-219-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/2948-220-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/2948-218-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/2948-221-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida
behavioral1/memory/2948-226-0x0000000180000000-0x0000000180ACA000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

16 raw.githubusercontent.com
17 raw.githubusercontent.com
93 raw.githubusercontent.com
94 raw.githubusercontent.com
102 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

XcHvYYrNa.exeXcHvYYrNa.exe

pid process

4952 XcHvYYrNa.exe
2948 XcHvYYrNa.exe

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
93	raw.githubusercontent.com
94	raw.githubusercontent.com
102	raw.githubusercontent.com

pid	process
4952	XcHvYYrNa.exe
2948	XcHvYYrNa.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608601167677173"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exeXcHvYYrNa.exe

pid process

1632 chrome.exe
1632 chrome.exe
1632 chrome.exe
1632 chrome.exe
2664 chrome.exe
2664 chrome.exe
4952 XcHvYYrNa.exe
4952 XcHvYYrNa.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1632 chrome.exe
1632 chrome.exe
1632 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

chrome.exe

pid	process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1632 wrote to memory of 4656	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 4656	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 396	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 388	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 388	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe
PID 1632 wrote to memory of 1520	1632	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1b97ab58,0x7fff1b97ab68,0x7fff1b97ab78
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:2
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:1
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4380 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2932 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1920,i,17923644180959990480,13114703279846874345,131072 /prefetch:8
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3528

C:\Users\Admin\Desktop\Solara.Dir\XcHvYYrNa.exe
"C:\Users\Admin\Desktop\Solara.Dir\XcHvYYrNa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Users\Admin\Desktop\Solara.Dir\XcHvYYrNa.exe
"C:\Users\Admin\Desktop\Solara.Dir\XcHvYYrNa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
45498d84d2f1db88788658c3a2f80239

SHA1
6d1d656a4a06d2be889e4ed156a08a8122f1d3ff

SHA256
26b0260761c1c694340eb71fc492f1d69219f34591b32144b736fbbd9eaf5b90

SHA512
dc7d6da468d73843ba6e7663f9189ecc75e754b146aeeabaceff435fb35177304892b99e3c35d52211cf384f0c1f53166f311e02273ea1996a43ac46ffe0b0a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
691B

MD5
0ec55d5ad1587fc618437aaba0e91501

SHA1
634d02de8450ee1f43da4f8c7c68defb2ebbee84

SHA256
162eaacb5d130e042107492539d05699e1dcebc6ecd3a7569cedaaea3f90a571

SHA512
50e9ab4b72dfe2f971ef8ba54367ad73633c604f319fa914d70fd27af0453f75767c908989b74e4535b8c273cd5ca2536bca81832b3a162eecad4d17b0b89795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b17096d963f8a237b44c56c47f440705

SHA1
31a3514784c6906a3004e8c52c04c49cfe30733a

SHA256
1959f67ec87b655fdff7d76bf16172c02bf7d867481099f92ff446b1e8bdfc51

SHA512
48c1d7dd9dd19d5f41971e1943d852bb74c63f3f8fb293b5d71f0063b571ad8095b04d3d4d67c45fea33dabfc3562db60bd1190490b93be0608ff7687e45aef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
11ee0d8e4a829c3c86695b24a6da4cd7

SHA1
b3b7d17f2c6d993722c154178100cd3ce2b96404

SHA256
8bcd3e2ce82e39f77c1fd9c4cfda3ebab284571c80094c451affe6abcf4aa377

SHA512
1111c44dc4b238d5b737320cc39d9908e60be2c736339286caa05e6e53ed3f4b2d7bc16e1339bd97c72c5ef35d9822a30636f2049a2155c8fc738dbc397cf310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d1cbf9930ccb7fec097f6437612bbeac

SHA1
31104c44f43f63cb81eaccff6c452164fbf1c4b3

SHA256
48f8009a1f4b60ee4df32d57dc84ac7be009620eeedaa1d777bcc0cb79604cdb

SHA512
68836bb6349bd73dfef34f98a56826e6908665a79fa658e3b4983201d4a679a197d4bc0d405e914e38d022eca2eae801a77921927ed73a75e0a707125280cba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8d8b337087460e943e5070a6ae91101b

SHA1
4650b4b9274ed987f8db3ca7ddfb47b6dfc3c380

SHA256
74e9cee701f3ff6ebbdffb68b0f5f5f8eae00579cedfaf8d26f5bcd4c9822c4e

SHA512
6cba7fc8e56b29e8627cb3f9652bbfa63aabd906ad38605ec0530327ca94e70c7f71fadf88e802827c21df21a1098ff17f729f088e368c302c2f86cf11fca38a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
5995b02ea09296f13c0df414b3d32ab9

SHA1
f6d1499ceab72b697d54c1cdc84f7fb337393071

SHA256
064945f5f20bb562bc4e365551904df21fa8a6778deda560f868525badccb951

SHA512
3f8280fe862bbf95a16599c90d7a628d718de0978872c75d5a535a05dd1f4140a98990aa663f78e6f6825a2a1c10f767a4dd615e7e4e677ab1ba0cd8bd8b361a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
179KB

MD5
e13fb2e6f22ff0eac1e1aad60c3bd92a

SHA1
ff3f77860fe0e9d9fe87c33a49ba85645d274f03

SHA256
d7539ea775fa8534eb9fdc27811900666592b3e4a7f8ad76176e1927ef4378dd

SHA512
0a0169fd8ed22b58bb4a1b3162a28449351e51298e8f1a3775fd8aa720065fbbd222fc45b4b377b6d7ef91185f7be3bae0c0f00a346935265c44ed05d8502b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
4d5b92d8eb5d8fdb58b64988eea3fda0

SHA1
b2f6c7b231f063ede92725721f71351240a24447

SHA256
611243b6ec716cf65d93e289356d2fe4d6988fcbe8fe338e2ebe6d35900a6e07

SHA512
830bbbebe4f9adc78dd0cdba5b885eb3aa3dd87290ba25a3a473f022dbb8588b1b1d6db38b29801c8484d6d38857281f5ae23b36604f7995762853ef9b2770ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
6eee131af60082bccf44e77f8c3b7b04

SHA1
7b4fc94a0bec2a3febe8563a9820e1c0ba96447a

SHA256
d58f5258189e85680e4fbf76bd527c66f51bdbf8c5952602542a8098d4b0dc85

SHA512
6fffcb882dbd8a766aec90aa1925ac945d704ea10a8b671dccf365605418238705e4f101dd47375ee7b9121036956ce8caa6c007650251636312a67dc31ce607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
3597bd86cd9e87fc6296903fa066440e

SHA1
8f45957249971fa43452334e461de4c54e85a248

SHA256
7df89a565291341dd2aa65e2e2c57119acb2f732fff5b41f6cab2af225a6c04a

SHA512
a545303c84ba22661bb75c65ee957544077f9138315ab609d88a3b20e359b9ceb988c5062bbe8e4225450937c2a704a5621c0071b63745997138ef21d0caf1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
42f465746e3140c53eabfb01084a1949

SHA1
ae4d999e86f8ffce40a922b7a61b8ba51b5f6962

SHA256
0d3bd4384ee05086e61e05e04e443e2c0730d4b66293a00c8ce3acf1ed524785

SHA512
6ec560edbc5571757be57e673040842a2e822b4dc06f6b769c9f2767f87b3f0a3122eed5bf5b127e31388894344a351910948f795596d3d59c3c7592277cb574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e2bf.TMP
Filesize
94KB

MD5
625da85d68060e7137b60c0b54f1217f

SHA1
f88267cf6e8cbb00d6b3ab684c3194b784caed64

SHA256
ec79ff68eba4bd7d018943595018028424607f8d5c26451bc957244240bc18de

SHA512
1e02d1d1361916662a967de7e4cdb99aa747c4169ffbc0cd76be7256afff1280e065a8e7b6b986b24cb1affcdb89da9aee1cb4734a831f4cfd84183461f4ebcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XcHvYYrNa.exe.log
Filesize
2KB

MD5
8c9436251789a0999a8427e36683ba0f

SHA1
d2ba9cecc3de898d51c621009645333f9c3a3a3a

SHA256
291ed070026e473f8dede25fa632e71ab9caaa8818457b44ab262a65c9d90935

SHA512
fed920c0e07c0f578669ec5ff5fd7e7efbae496ed6631ad5e7534c4844349b2a4a3a1ff62b8f19c8cfba61e6883ef253d3a10a1084ae3457f29bcdad3e62d002

Download Submit
C:\Users\Admin\Downloads\Solara.Dir.zip
Filesize
18.3MB

MD5
a62d08fb06f1bf433987cb131add0829

SHA1
e53d618dc83b9d766d7f0b5e356b5d87936a0d9d

SHA256
c6af335a3a7aea8fa96aa8997a2a37b520bebf5ab61df098b85d85e387d6581f

SHA512
5e8b02c635889d44e0745260794bb6cd9a7d3d1c29cd40d038debe15d346d31295b14a3145caf7924f4deaf4c8c48a8f88d6edc03b17ea9361038cda5ad6007e

Download Submit
\??\pipe\crashpad_1632_HWNGUMPQSOIRTLVM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2948-226-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/2948-225-0x00000202B96F0000-0x00000202B97A2000-memory.dmp

Filesize
712KB

Download
memory/2948-221-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/2948-222-0x00007FFF09000000-0x00007FFF09024000-memory.dmp

Filesize
144KB

Download
memory/2948-218-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/2948-220-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/2948-219-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/2948-217-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-198-0x000001EE7A530000-0x000001EE7A53E000-memory.dmp

Filesize
56KB

Download
memory/4952-202-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-203-0x000001EE7A7A0000-0x000001EE7A7A8000-memory.dmp

Filesize
32KB

Download
memory/4952-204-0x000001EE7F730000-0x000001EE7F768000-memory.dmp

Filesize
224KB

Download
memory/4952-205-0x000001EE7AB50000-0x000001EE7AB5E000-memory.dmp

Filesize
56KB

Download
memory/4952-207-0x00007FFF09690000-0x00007FFF096B4000-memory.dmp

Filesize
144KB

Download
memory/4952-206-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-208-0x00007FFF06DE3000-0x00007FFF06DE5000-memory.dmp

Filesize
8KB

Download
memory/4952-209-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-211-0x00007FFF06DE0000-0x00007FFF078A1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-215-0x00007FFF06DE0000-0x00007FFF078A1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-214-0x00007FFF09690000-0x00007FFF096B4000-memory.dmp

Filesize
144KB

Download
memory/4952-213-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-201-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-200-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-199-0x0000000180000000-0x0000000180ACA000-memory.dmp

Filesize
10.8MB

Download
memory/4952-197-0x000001EE7A710000-0x000001EE7A78E000-memory.dmp

Filesize
504KB

Download
memory/4952-196-0x000001EE7A7D0000-0x000001EE7A88A000-memory.dmp

Filesize
744KB

Download
memory/4952-195-0x00007FFF06DE0000-0x00007FFF078A1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-194-0x000001EE7AB60000-0x000001EE7B09C000-memory.dmp

Filesize
5.2MB

Download
memory/4952-193-0x000001EE5FFE0000-0x000001EE5FFFA000-memory.dmp

Filesize
104KB

Download
memory/4952-192-0x00007FFF06DE3000-0x00007FFF06DE5000-memory.dmp

Filesize
8KB

Download