2510be907ec476e8375ac7b5431536ae9a32bf99fe77ab695a5100852b111b96

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB/Solara/SolaraBootstrapper.exe
Size

13KB
MD5

6557bd5240397f026e675afb78544a26
SHA1

839e683bf68703d373b6eac246f19386bb181713
SHA256

a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512

f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97
SSDEEP

192:konexQO0FoAWyEfJkVIaqaLHmr/XKT0ifnTJ1jvVXctNjA:HnexHAWyEfJoIaqayzKAifd1LVEj

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 1 IoCs

pid	Process
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Loads dropped DLL 5 IoCs

pid	Process
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000002343b-1486.dat	themida
behavioral2/memory/1884-1494-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral2/memory/1884-1495-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral2/memory/1884-1496-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral2/memory/1884-1497-0x0000000180000000-0x0000000180B28000-memory.dmp	themida
behavioral2/memory/1884-1501-0x0000000180000000-0x0000000180B28000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
74	raw.githubusercontent.com
14	raw.githubusercontent.com
16	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610465009795948"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1396	SolaraBootstrapper.exe
1396	SolaraBootstrapper.exe
1232	chrome.exe
1232	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	SolaraBootstrapper.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1884	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1884	1396	SolaraBootstrapper.exe	109
PID 1396 wrote to memory of 1884	1396	SolaraBootstrapper.exe	109
PID 1232 wrote to memory of 2024	1232	chrome.exe	121
PID 1232 wrote to memory of 2024	1232	chrome.exe	121
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 1636	1232	chrome.exe	122
PID 1232 wrote to memory of 4596	1232	chrome.exe	123
PID 1232 wrote to memory of 4596	1232	chrome.exe	123
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124
PID 1232 wrote to memory of 1088	1232	chrome.exe	124

C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of FindShellTrayWindow
  PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5b5aab58,0x7ffb5b5aab68,0x7ffb5b5aab78
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:2
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2084 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4216 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2888
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff708caae48,0x7ff708caae58,0x7ff708caae68
    3⤵
    PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4716 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3396 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3328 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3128 --field-trial-handle=2032,i,4216090865671676751,7440140815868272172,131072 /prefetch:1
  2⤵
  PID:3980

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
83e13ae30682535c7b2ae77a9988150e

SHA1
6f79d1be7e115221efcbb7621fea4d07eec42b37

SHA256
b377890a840b9a93efe14531efc0ff2f6d969c85d252875a12a96740e2bd6c2b

SHA512
81a00a57bf074751ff3d028f511c344896963407086131437d9df7b3c1cf6584b2c0b5ae0305112a1b865d87438f015fb080de5734da561ac3e6d5330151cd8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
292ddac38b243d0c72c35670c6dcc0f1

SHA1
6957b036e354109f98f6e39616d96805aa5c884d

SHA256
e376cbf814b6d0d2fe699faffdca9629be835b2ff94b3fd3e6f6973b554a99a6

SHA512
1e28dc91925be7319a91ec41d47a196affebc41235ecb6bda957ef9a955c71abc1c1c26600a316eb019407357b20cf2d49ebc70b6e599ca0cc5b70f522ac4e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ae53e337659cea236811d2fdc1deb05f

SHA1
fa8a89dd83bf0a08aabb1146fe2cc62cd2828fdd

SHA256
9b7842ad7b16b670cdf2288122a54a029178b53a405d9e6f16300c267e6f98a4

SHA512
1626cb6f3f876fbca2d72d6fdddf6cd34714e19fb8471a8c102ee12a1eca322121236d446e3e14b8783a2f83952eac74f0dd660e1b8d8c43b8425efae3e8be4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
79aaa9d855480fe372a25f159cfd09df

SHA1
e0892d39941326a85a1a1081ae3e1782fa3ea5b3

SHA256
6149a9d7b84dad29da8809a19bbcf74e03279ee8c1b9e0e00608fb5adacbe96f

SHA512
88be8e7cdf3e0c22a91bde0449078abb4f9d05ae2ec31923a1f1c9efba04b4046c893673d6bf8dcfde6a54bfa6fb45c23b0d930343e718676104ef579f6cf48e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1023B

MD5
242883bb5d7e6783da1264288af4b240

SHA1
2f4816a54ab1cf919348f2638a549901c4ac9a1c

SHA256
735bbe6026c9c92d673be19dbd09ea594eac5349f05c16ad0ea553bace61fff6

SHA512
25cc1459cc27046cfb6cf7fd3d1df175c86f381790f682750e85b24ec052c164baa6d627b283c9bdec90c81855fd25c8f4001b6cfad08e69256314b30f46b984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
918619de6501f43926c07d85905fc645

SHA1
64ecf2549a32dccea61cc46093ca070fea183e0b

SHA256
0f5ae05b58ccfac7599275047bbdd35235df64cc0442f6e1e4afde321bb3c8c1

SHA512
396a39b5e844b04a7dd6ffe42e5cf62333997be02b80653b4875eac3b9d2254953b4e64c6a726327eafbb118c35ade6576570d0dc85fd3a24201a4465ecf3ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c921305f47ef4b6b3744a812cf2bb81c

SHA1
0abdb19649213484fc47d695ee315469c2517151

SHA256
d58a48a1e8a6fba13e563e03a24d883e41ce2d064ba4755741385679965472e3

SHA512
d06a554bfc1150e89d14bcbdcd50f0a3a6c35237faeecfa25a407fddde302c915397ef62dd66098636be0c73eedc25acfc8c5d96efd0d4f011f93277cd675d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d8a6b799500039b7cb00dc68f4e8d538

SHA1
38699d2f4bcdc6b33e99fe752d976754f781a383

SHA256
da9b2b59a214c285a6f69df0728bf33722b8a5767b87598f8d8da6930fd7c48c

SHA512
365f46f66f3507379e586c25bcfd16a6760eea6d528c43462ff60db5c3489bbf00cb15052c8147da5c5e4e8f60f7432a7d962f77e0025c9483f1b810f550e376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2ec81df46ac78234483f4e50d3e58662

SHA1
b618ed84c485f033ec9293960d095d4758d5ea7e

SHA256
e9f42e0634828ffd12741caa43c3cb2f95357456a89c6db563664ff7192106ee

SHA512
f5dbca8c15f39e4ec153416c7f36b4337300632394ccb2c8657092148e9913f097d07ac2f9e1518c642f1a1dfaf257bf4102d91c8707edd5246be8e773249412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
fd92992200e6b852d5908b168f2c6a51

SHA1
d8e75c50125d84772d7e9365e8675a2d687394e5

SHA256
1bc80a90ab6b813d8fd83b059f3ac71f06a9355a4696a9d689734e0f6770102d

SHA512
b2b350fcc71c507b358e6a5fe0f85b4ce8f0fb0b04c92eebdd69c84d90f5a2c3e9edb6e84851967cf31e2afbdbb15b3507f5935a54dea3a303542ecf2c9e27d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe593157.TMP

Filesize
120B

MD5
b91542dec5fa10b1c48cc4f6f10a9a58

SHA1
5b7030b3f36b0259d097e1821584c5918215cee9

SHA256
8f4e0f7b9226deb838525484dd409e2ce775923eb31cb60f4823dc788be50a10

SHA512
c46eb8f5ce51d7eae8f73d0f3a131e6ae13849bdf0403843d54468a2429c70603d5fc566ffded91f6e6b1cc5a0db4ea2381b155e1e22dbaf456cf1e27794d349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
86476ef564470ac13224bd8d2be32cb5

SHA1
59740e0cd99ee33ceb92e452096b2036f4c6a49d

SHA256
e5401f65c424e53f9509e9b98ec4bbb88e0bc002d74f2285c2b1452769122beb

SHA512
74a48ee31d05264ee41219d7de4269079de06e82e8497f7f2e9e5673f36e81a012fde5446a7ce5838b628aa735a5a6f9f4a0ac39b111bccfa07d5e5df7bbc8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
549b915f6c8b4e2cf1f23fada7f69195

SHA1
9d8a6f8eac8d1a911351f92bb77fce5966d31861

SHA256
5e45f4d45fcf4d2b646727902bc5b2b2a77b6e1649ee9be79216a41a56ecdb90

SHA512
157d5ce6d20749b222460f99148dad0f21c2edb80bd860f890a220dcaece2bb50b64498a1d343e4b39fcdfc778071a479d73e07cad46b25cccd3daade56e778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE

Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

Filesize
4.3MB

MD5
48521b6f8acefe8cd61b4ffc80b1d28d

SHA1
f553cca3439424585eefe2ecebeaeaa6b447950d

SHA256
69415bde05f368f24b38418244c6038c405cc0d3ff52d87a089e37c0100bc922

SHA512
4b7e87140370e5f0134da35734e18d7f8f60265241cbf7050c202474da8bd98505923113bcf51951d7e73ce79bddf14c8f1b6e4a9296cca140b7b326d2c90415

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Filesize
85KB

MD5
f8f4522d11178a26e97e2046f249dfa7

SHA1
8b591d9a37716e235260fb6b3f601e4ccbebf15d

SHA256
3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0

SHA512
52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
memory/1396-1473-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1396-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1396-1-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1396-2-0x0000000003040000-0x000000000304A000-memory.dmp

Filesize
40KB

Download
memory/1396-3-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1396-4-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1396-5-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1396-7-0x0000000006220000-0x0000000006232000-memory.dmp

Filesize
72KB

Download
memory/1884-1494-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/1884-1477-0x00007FFB58DD0000-0x00007FFB59891000-memory.dmp

Filesize
10.8MB

Download
memory/1884-1508-0x0000020A505B0000-0x0000020A50662000-memory.dmp

Filesize
712KB

Download
memory/1884-1511-0x00007FFB58DD0000-0x00007FFB59891000-memory.dmp

Filesize
10.8MB

Download
memory/1884-1495-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/1884-1498-0x0000020A4BB40000-0x0000020A4BB48000-memory.dmp

Filesize
32KB

Download
memory/1884-1483-0x0000020A32C60000-0x0000020A32C6E000-memory.dmp

Filesize
56KB

Download
memory/1884-1481-0x0000020A4B730000-0x0000020A4B7AE000-memory.dmp

Filesize
504KB

Download
memory/1884-1479-0x0000020A4B7F0000-0x0000020A4B8AA000-memory.dmp

Filesize
744KB

Download
memory/1884-1496-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/1884-1478-0x0000020A4BB80000-0x0000020A4C0BC000-memory.dmp

Filesize
5.2MB

Download
memory/1884-1475-0x0000020A31020000-0x0000020A3103A000-memory.dmp

Filesize
104KB

Download
memory/1884-1504-0x00007FFB58DD0000-0x00007FFB59891000-memory.dmp

Filesize
10.8MB

Download
memory/1884-1474-0x00007FFB58DD3000-0x00007FFB58DD5000-memory.dmp

Filesize
8KB

Download
memory/1884-1501-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download
memory/1884-1502-0x00007FFB6A7A0000-0x00007FFB6A7C4000-memory.dmp

Filesize
144KB

Download
memory/1884-1503-0x00007FFB58DD3000-0x00007FFB58DD5000-memory.dmp

Filesize
8KB

Download
memory/1884-1500-0x0000020A50720000-0x0000020A5072E000-memory.dmp

Filesize
56KB

Download
memory/1884-1499-0x0000020A50750000-0x0000020A50788000-memory.dmp

Filesize
224KB

Download
memory/1884-1497-0x0000000180000000-0x0000000180B28000-memory.dmp

Filesize
11.2MB

Download