Analysis Overview
SHA256
bfe67e1a79d38ecc6d3464065e1c70b38fa19c57b6877a4536f40703b92bc386
Threat Level: Likely malicious
The file 240613-tgchrszbmn_pw_infected.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 20:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 20:03
Reported
2024-06-16 20:04
Platform
win11-20240611-en
Max time kernel
71s
Max time network
75s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Loads dropped DLL
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2E7CFE77A8A24BD594A0189D565F654D.dat | C:\Windows\system32\utilman.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2E7CFE77A8A24BD594A0189D565F654D.dat | C:\Windows\system32\utilman.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\AudioFormats = "6;18;22" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Models\1033\ = "L1033" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes\Language = "409" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioInput\TokenEnums\MMAudioIn\CLSID = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal\ = "Universal Phone Converter" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal\PhoneMap = "I 0069 Y 0079 IX 0268 YX 0289 UU 026F U 0075 IH 026A YH 028F UH 028A E 0065 EU 00F8 EX 0258 OX 0275 OU 0264 O 006F AX 0259 EH 025B OE 0153 ER 025C UR 025E AH 028C AO 0254 AE 00E6 AEX 0250 A 0061 AOE 0276 AA 0251 Q 0252 EI 006503610069 AU 00610361028A OI 025403610069 AI 006103610069 IYX 006903610259 UYX 007903610259 EHX 025B03610259 UWX 007503610259 OWX 006F03610259 AOX 025403610259 EN 00650303 AN 00610303 ON 006F0303 OEN 01530303 P 0070 B 0062 M 006D BB 0299 PH 0278 BH 03B2 MF 0271 F 0066 V 0076 VA 028B TH 03B8 DH 00F0 T 0074 D 0064 N 006E RR 0072 DX 027E S 0073 Z 007A LSH 026C LH 026E RA 0279 L 006C SH 0283 ZH 0292 TR 0288 DR 0256 NR 0273 DXR 027D SR 0282 ZR 0290 R 027B LR 026D CT 0063 JD 025F NJ 0272 C 00E7 CJ 029D J 006A LJ 028E W 0077 K 006B G 0067 NG 014B X 0078 GH 0263 GA 0270 GL 029F QT 0071 QD 0262 QN 0274 QQ 0280 QH 03C7 RH 0281 HH 0127 HG 0295 GT 0294 H 0068 WJ 0265 PF 007003610066 TS 007403610073 CH 007403610283 JH 006403610292 JJ 006A0361006A DZ 00640361007A CC 007403610255 JC 006403610291 TSR 007403610282 WH 028D ESH 029C EZH 02A2 ET 02A1 SC 0255 ZC 0291 LT 027A SHX 0267 HZ 0266 PCK 0298 TCK 01C0 NCK 0021 CCK 01C2 LCK 01C1 BIM 0253 DIM 0257 QIM 029B GIM 0260 JIM 0284 S1 02C8 S2 02CC . 002E _| 007C _|| 2016 lng 02D0 hlg 02D1 xsh 02D8 _^ 203F _! 0001 _& 0002 _, 0003 _s 0004 _. 2198 _? 2197 T5 030B T4 0301 T3 0304 T2 0300 T1 030F T- 2193 T+ 2191 vls 030A vcd 032C bvd 0324 cvd 0330 asp 02B0 mrd 0339 lrd 031C adv 031F ret 0331 cen 0308 mcn 033D syl 0329 nsy 032F rho 02DE lla 033C lab 02B7 pal 02B2 vel 02E0 phr 02E4 vph 0334 rai 031D low 031E atr 0318 rtr 0319 den 032A api 033A lam 033B nas 0303 nsr 207F lar 02E1 nar 031A ejc 02BC + 0361 bva 02B1 G2 0261 rte 0320 vsl 0325 NCK3 0297 NCK2 01C3 LCK2 0296 TCK2 0287 JC2 02A5 CC2 02A8 LG 026B DZ2 02A3 TS2 02A6 JH2 02A4 CH2 02A7 SHC 0286 rhz 02B4 QOM 02A0 xst 0306 T= 2192 ERR 025D AXR 025A ZHJ 0293" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{f8b0d461-47ef-4ab0-8cca-47677992aa4a}\Attributes\Technology = "MMSys" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Vendor = "Microsoft" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\SampleText = "You have selected %1 as the default voice." | C:\Windows\system32\utilman.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\PhoneMap = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal\Attributes\Language = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\AlternatesCLSID = "{06405088-BC01-4E08-B392-5303E75090C8}" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Language = "409;9" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Vendor = "Microsoft" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\TextNorm\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\DataVersion = "11.0.2013.1022" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\WildcardInCFG = "Anywhere;Trailing" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Models\1033\L1033\AMs | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\CLSID = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\SidUbmFile = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\German | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\Attributes\NumericPhones | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Language = "409" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\Attributes\Language = "409" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lookup\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\Language = "409" | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\Attributes | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\CLSID = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}" | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\VoiceGender = "1" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\409 = "Microsoft Mark - English (United States)" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\NarratorTuned = "1" | C:\Windows\system32\utilman.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\Attributes\Language = "40A;C0A" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\SampleText = "You have selected %1 as the default voice." | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\409 = "Microsoft Speech HW Voice Activation - English (United States)" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Quick Actions\Pinned\ | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\SpeechUXPlugins\Tokens\SpeechUXPlugin\Attributes | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lts\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\CLSID = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}" | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\Recognizer = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lts | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes\DataVersion = "11.0.2013.1022" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Models | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\ = "Microsoft David - English (United States)" | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files | C:\Windows\system32\utilman.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioInput | C:\Windows\system32\utilman.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| N/A | N/A | C:\Windows\system32\utilman.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=1148.680.11998402781633772306
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b0,0x7ff9b9e93cb8,0x7ff9b9e93cc8,0x7ff9b9e93cd8
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1916,6227364174563953033,16143028279685830096,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6227364174563953033,16143028279685830096,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6227364174563953033,16143028279685830096,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2460 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1916,6227364174563953033,16143028279685830096,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6227364174563953033,16143028279685830096,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=3888 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.0.1423424903\1641756369" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a4ddc9-92a0-43a7-8999-3dbea0bf011f} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 1864 2825230e158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.1.2041209598\1392614839" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fc6fc2-4e50-4668-8d75-02380a466336} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 2388 28245688758 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.2.1013531448\2009172595" -childID 1 -isForBrowser -prefsHandle 2688 -prefMapHandle 2732 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c1944fc-ab4e-4fe5-be43-64fe00297d15} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 3088 28254b06158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.3.412959834\602186863" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc4f1916-35bf-45f8-930b-db8f88f6a791} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 3588 28257ae4158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.4.22882457\1953997415" -childID 3 -isForBrowser -prefsHandle 4948 -prefMapHandle 5040 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f5d540-2bfd-41a1-b989-25afb52153a2} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 5048 28259752858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.5.1914822218\1217450387" -childID 4 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f943c35-0881-41f2-a607-eabb394921b6} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 5136 2825a38c158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2888.6.437894373\1336681551" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5124 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fe8273e-a0b9-41b5-89f4-81528a9fd21d} 2888 "\\.\pipe\gecko-crash-server-pipe.2888" 5356 2825a38ca58 tab
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e0855 /state1:0x41c64e6d
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:51228 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 172.64.147.188:443 | kit-pro.fontawesome.com | tcp |
| GB | 13.87.96.169:443 | nav.smartscreen.microsoft.com | tcp |
| NL | 23.63.101.171:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.147.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.96.87.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:9911 | tcp | |
| N/A | 127.0.0.1:9911 | tcp | |
| N/A | 127.0.0.1:9911 | tcp | |
| N/A | 127.0.0.1:9911 | tcp | |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 52.42.69.239:443 | shavar.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| N/A | 127.0.0.1:51447 | tcp | |
| N/A | 127.0.0.1:51454 | tcp | |
| GB | 2.18.66.72:443 | tcp | |
| NL | 52.178.17.234:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
Files
memory/4836-0-0x000000007462E000-0x000000007462F000-memory.dmp
memory/4836-1-0x0000000000210000-0x000000000021A000-memory.dmp
memory/4836-2-0x00000000024A0000-0x00000000024AA000-memory.dmp
memory/4836-3-0x0000000074620000-0x0000000074DD1000-memory.dmp
memory/4836-5-0x00000000056B0000-0x00000000056C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
| MD5 | d0104f79f0b4f03bbcd3b287fa04cf8c |
| SHA1 | 54f9d7adf8943cb07f821435bb269eb4ba40ccc2 |
| SHA256 | 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a |
| SHA512 | daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
| MD5 | c2ab942102236f987048d0d84d73d960 |
| SHA1 | 95462172699187ac02eaec6074024b26e6d71cff |
| SHA256 | 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a |
| SHA512 | e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
| MD5 | c28b0fe9be6e306cc2ad30fe00e3db10 |
| SHA1 | af79c81bd61c9a937fca18425dd84cdf8317c8b9 |
| SHA256 | 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641 |
| SHA512 | e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
| MD5 | 13babc4f212ce635d68da544339c962b |
| SHA1 | 4881ad2ec8eb2470a7049421047c6d076f48f1de |
| SHA256 | bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400 |
| SHA512 | 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
| MD5 | d213a75b1956398e4c36bcc2f93339bf |
| SHA1 | 6a2739cc0e67f5593c744fbcbc8f00f12eef9954 |
| SHA256 | ece75d080f94df4b3699389021337b1536cfed229d1325f09b03f0b0d6d85ab4 |
| SHA512 | d32ddaf4c6f8f8df6c390d683e6c039f3b0d8f35f68f690b28bf88b17caedf0e11abd3aeb2e46238d0cd0a91b2db095cca0782b4e27f04453ea4cb6db38f4dd7 |
memory/1148-1471-0x00007FF9C3C13000-0x00007FF9C3C15000-memory.dmp
memory/1148-1472-0x000002202E130000-0x000002202E14A000-memory.dmp
memory/4836-1473-0x0000000074620000-0x0000000074DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll
| MD5 | aead90ab96e2853f59be27c4ec1e4853 |
| SHA1 | 43cdedde26488d3209e17efff9a51e1f944eb35f |
| SHA256 | 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed |
| SHA512 | f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d |
memory/1148-1475-0x00007FF9C3C10000-0x00007FF9C46D2000-memory.dmp
memory/1148-1476-0x0000022048E60000-0x000002204939C000-memory.dmp
memory/1148-1477-0x0000022048920000-0x00000220489DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll
| MD5 | 34ec990ed346ec6a4f14841b12280c20 |
| SHA1 | 6587164274a1ae7f47bdb9d71d066b83241576f0 |
| SHA256 | 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409 |
| SHA512 | b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0 |
memory/1148-1479-0x00000220486B0000-0x00000220486BE000-memory.dmp
memory/1148-1480-0x00007FF9C3C10000-0x00007FF9C46D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll
| MD5 | 851fee9a41856b588847cf8272645f58 |
| SHA1 | ee185a1ff257c86eb19d30a191bf0695d5ac72a1 |
| SHA256 | 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca |
| SHA512 | cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f |
memory/1148-1482-0x0000022049420000-0x000002204949E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll
| MD5 | a0bd0d1a66e7c7f1d97aedecdafb933f |
| SHA1 | dd109ac34beb8289030e4ec0a026297b793f64a3 |
| SHA256 | 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36 |
| SHA512 | 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll
| MD5 | e31f5136d91bad0fcbce053aac798a30 |
| SHA1 | ee785d2546aec4803bcae08cdebfd5d168c42337 |
| SHA256 | ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671 |
| SHA512 | a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll
| MD5 | 7a2b8cfcd543f6e4ebca43162b67d610 |
| SHA1 | c1c45a326249bf0ccd2be2fbd412f1a62fb67024 |
| SHA256 | 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f |
| SHA512 | e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8 |
memory/1148-1493-0x00007FF9C3C10000-0x00007FF9C46D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll
| MD5 | 75365924730b0b2c1a6ee9028ef07685 |
| SHA1 | a10687c37deb2ce5422140b541a64ac15534250f |
| SHA256 | 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b |
| SHA512 | c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1 |
memory/1148-1494-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll
| MD5 | fee348eb64504fd06b527d6694e1762b |
| SHA1 | 2b4f6598394f65a3a469e201005edec58ceff206 |
| SHA256 | 3988950e51bbab918762ca18d6bd5dfb94207942864813b7ad64ae7c46afb4fd |
| SHA512 | db766b02cd289a48d3581a9043031285a0a2cb9a6529023c391f30956fb114e99d84ce7f7f5414fdcb7ce0839f6fd26052084ff4f3f90d2fca09d0128a19f37a |
memory/1148-1495-0x0000000180000000-0x0000000180AB4000-memory.dmp
memory/1148-1496-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt
| MD5 | 0e2184f1c7464b6617329fb18f107b4f |
| SHA1 | 6f22f98471e33c9db10d6f6f1728e98852e25b8f |
| SHA256 | dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb |
| SHA512 | 8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll
| MD5 | 4cf94ffa50fd9bdc0bb93cceaede0629 |
| SHA1 | 3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f |
| SHA256 | 50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6 |
| SHA512 | dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98 |
memory/1148-1500-0x0000022049400000-0x0000022049408000-memory.dmp
memory/1148-1497-0x0000000180000000-0x0000000180AB4000-memory.dmp
memory/1148-1501-0x000002204C750000-0x000002204C788000-memory.dmp
memory/1148-1502-0x000002204C720000-0x000002204C72E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
| MD5 | 15494a51ccd01bb2d6d79841f3fd0355 |
| SHA1 | 9e545a8c549019fc6842856ca56110fbcaf7837f |
| SHA256 | 15c976bffb9b1c62457d5cef99d52dd71771118b39377f30ddfc3595e94b2f3f |
| SHA512 | ba26139cc3441c9a467ff52c99de79537e6d9ee78f6c9caebb383a269ea9143d0182aab5a82f466824d06ae9fb3ec2d3bb1c6e4b52c187d2ee44f13f989caa07 |
memory/4852-1522-0x00007FF9E3480000-0x00007FF9E3481000-memory.dmp
\??\pipe\LOCAL\crashpad_924_UPIDRELGMNVYEHSK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
| MD5 | d2733620f8ef3dbb6f277c8b485544b2 |
| SHA1 | c55d453da1d609bb8b090fdc8afe13a508a27b3a |
| SHA256 | 027b2d69cae51a59c6923d3fdf9d8e9f684f729d4e5ba1fef0e05a559dce5861 |
| SHA512 | 1482fd1a2e8aa2e74120c1ff6a0f8e7605a926e5e7a7b51cde9de9d74bea3ba3adc88453762fe80db4dc83821f3509eca351b23531e3d6cc59ac7b0df484801f |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\index.html
| MD5 | 08d9ac1e35385587b0c3c8a73ea97234 |
| SHA1 | d1db15b5e97152be999339d90630f68ed06a6b78 |
| SHA256 | 016cadaa9a8494b15efea920a5ea9c02b441e90dbc7c444e73db3b307f93a741 |
| SHA512 | 8061a5a92f828642ea2fcb319571efa406ed67a75b4d4da1aeb3da96391a72fcde670e3e52efef62d37ddc17f7eca5afa0d35aa02bfd1bcadd8e86240cb802a6 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\loader.js
| MD5 | 8a3086f6c6298f986bda09080dd003b1 |
| SHA1 | 8c7d41c586bfa015fb5cc50a2fdc547711b57c3c |
| SHA256 | 0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9 |
| SHA512 | 9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\editor\editor.main.js
| MD5 | 9399a8eaa741d04b0ae6566a5ebb8106 |
| SHA1 | 5646a9d35b773d784ad914417ed861c5cba45e31 |
| SHA256 | 93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18 |
| SHA512 | d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\editor\editor.main.css
| MD5 | 233217455a3ef3604bf4942024b94f98 |
| SHA1 | 95cd3ce46f4ca65708ec25d59dddbfa3fc44e143 |
| SHA256 | 2ec118616a1370e7c37342da85834ca1819400c28f83abfcbbb1ef50b51f7701 |
| SHA512 | 6f4cb7b88673666b7dc1beab3ec2aec4d7d353e6da9f6f14ed2fee8848c7da34ee5060d9eb34ecbb5db71b5b98e3f8582c09ef3efe4f2d9d3135dea87d497455 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\editor\editor.main.nls.js
| MD5 | 74dd2381ddbb5af80ce28aefed3068fc |
| SHA1 | 0996dc91842ab20387e08a46f3807a3f77958902 |
| SHA256 | fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48 |
| SHA512 | 8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\basic-languages\lua\lua.js
| MD5 | 8706d861294e09a1f2f7e63d19e5fcb7 |
| SHA1 | fa5f4bdc6c2f1728f65c41fb5c539211a24b6f23 |
| SHA256 | fc2d6fb52a524a56cd8ac53bfe4bad733f246e76dc73cbec4c61be32d282ac42 |
| SHA512 | 1f9297eb4392db612630f824069afdc9d49259aba6361fb0b87372123ada067bc27d10d0623dc1eb7494da55c82840c5521f6fef74c1ada3b0fd801755234f1f |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
memory/1148-1644-0x00007FF9D1370000-0x00007FF9D1394000-memory.dmp
memory/1148-1643-0x0000000180000000-0x0000000180AB4000-memory.dmp
memory/1148-1655-0x00007FF9C3C13000-0x00007FF9C3C15000-memory.dmp
memory/2228-1656-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1658-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1657-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1662-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1665-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1666-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1664-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1663-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1667-0x0000018855500000-0x0000018855501000-memory.dmp
memory/2228-1668-0x0000018855500000-0x0000018855501000-memory.dmp
memory/1148-1669-0x00007FF9C3C10000-0x00007FF9C46D2000-memory.dmp
memory/1148-1670-0x0000000180000000-0x0000000180AB4000-memory.dmp
memory/1148-1672-0x00007FF9C3C10000-0x00007FF9C46D2000-memory.dmp
memory/1148-1673-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\b254ea77-e5ee-46af-ad08-4c6fa6605ee3.tmp
| MD5 | d8fa8c4f88891181b633c2783604a648 |
| SHA1 | afa64d8791ca30343b42431a22a18540a6785ef1 |
| SHA256 | 544fe816b9e1387dc48e34c24e099c2bf773ae61fdc1b8dcf50c9dcecdbeaeb6 |
| SHA512 | d2623ba34a1e6f3445013d1170b7c7d1599393cf1029c4e0861612b6faf37241df7a5bfbce404577e65d4075108f0e7bdf35f176ca2c77ef3e50549afeaa0c95 |
memory/1148-1683-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7l3zro2y.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 88469ab8c529b52add5509c78baca695 |
| SHA1 | 538410f14592b5c8d6c236b140f0c0e5739e4935 |
| SHA256 | a3be0813aed4ee7ac8346d1b4c617c1f1a85763e023aa2bcd83309164387efb3 |
| SHA512 | e1740781ece02f19e402e8fb94255dd1a39f2c6e1e872daa8b351cb22049ecfa34918507a61cae1640ca9c6c08501d192868c0267f53fc63b0d8ca22797cffdd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7l3zro2y.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 91512e875f80b71c37381fa564dee23a |
| SHA1 | 41f62fcd46bb46ca6b073e822c373f9e4e16307f |
| SHA256 | b82e6d107187a3f6cfb0e98b77050be281712a7a4011e274edc8b55714bd4c37 |
| SHA512 | 93836273380bfe3486b195ffc9c638976c06a49b4a4404893aa8820d4b77e15e537b353c1248992eaf3cfd9c03347504762d8692c534446b4fc5b12b162e6f12 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\prefs.js
| MD5 | 187976b04b5307e7684268868f6eb78a |
| SHA1 | 2508337a238614ec6a7d68c1e39aacb3a4367564 |
| SHA256 | e3fc6b8de5549d9e7cc3d1fc800e6269211f69eda1408679d7d963941444d384 |
| SHA512 | 0d193f50efb7837247defe1637dfd0c0ae091cab117a97f1d79d32bf34a7a78e7cc5791a62664852efc6e1d65cb49a9687d9940079ae1f0152c8b2427973add3 |
memory/1148-1740-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | ebdb4566a509bf737e7f3726b8e5d003 |
| SHA1 | bfabb2b07b9cad82a182d5564c4bf61a6a40d61b |
| SHA256 | 29704bfd9a2326469e78055f8e9b54d6e0affbc5982608478beeb1c91a4cb6f8 |
| SHA512 | 30f4cacb2db6a19f221f90e1547d4ecea075de7f73dffb0573cc3a2971a2bf92f4c2ea02bc0b622fcc6fb5ba47a8f21d656dc552f676476e0abf779e8a52b77d |
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-2394516847-3409208829-2230326962-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg
| MD5 | 6cb7e9f13c79d1dd975a8aa005ab0256 |
| SHA1 | eac7fc28cc13ac1e9c85f828215cd61f0c698ae3 |
| SHA256 | af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67 |
| SHA512 | 3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d |
memory/1148-1760-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 9a468bc06e6185b9aecd5a2b0b11b5c8 |
| SHA1 | 80846957d6cf595159cf92751c67f7ebf4d038dc |
| SHA256 | 20979522da12fc78a6352ac5f1c4d1ffe24ae5dc2216c1fa65f6ea8282639b72 |
| SHA512 | b2f6f5501f48792b0e8370da0035ffe779f26b478985d6705d65e4f95784642cf5bbffc89dce78c6a7a84511719162c9af41fd11b12d8e349ef9a6baf8f87f31 |
memory/1148-1779-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\prefs-1.js
| MD5 | 26b13462288209aff8392e8edc61d512 |
| SHA1 | 82110ac20084ce2511427349af0d7755d551823c |
| SHA256 | b8d193fb4d217d5036127de3e851f3fea69e10bcdd1029ebbf673f7f7095e3f4 |
| SHA512 | a8641d70d33811b9421e6e3882ebdb50ca7611953d88acc5a086ca6e8e5601ffb6ddb91898d7e575ecbc22beab3343fd5167d62a58081e66ad877d049b2769de |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Preferences
| MD5 | 991412f14616bd2a4ebf209619a8e77c |
| SHA1 | 25e976f85588e6efcf87075a5df400f2a616a58d |
| SHA256 | afbe3f14d187fdac1f5d86446d7a03fa6279230d0913217b12fb1e9bcb955591 |
| SHA512 | 7ade4f345bcd61d4d0efb905d13edbf4d3b441c7142c046060573fd4a4481d0ec62b654348c5a76cbd6eec9c50a66d3e170034d32e01229ed68ecfeda3566e73 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Preferences~RFe5849d5.TMP
| MD5 | 4ab552eefd0462dee39dd24d779417e0 |
| SHA1 | 466465589acc48ade181b2b63d5302763d882dcc |
| SHA256 | 9d2eb5f39307e35eb1f16589d11f9ad8458d70ed483529c2c2781d870878fc65 |
| SHA512 | 14dea55e89ed05671c2fb05b3a2bfafcc49f9d5087a89c472bd1c3ddeeb4de2b1e887572369966e6c7b10b26413bdab832534d997a0f30737d4b9297a4222108 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\sessionCheckpoints.json.tmp
| MD5 | c8dc58eff0c029d381a67f5dca34a913 |
| SHA1 | 3576807e793473bcbd3cf7d664b83948e3ec8f2d |
| SHA256 | 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17 |
| SHA512 | b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\sessionstore.jsonlz4
| MD5 | 9f7e1c15ab21aea1ce93a071b5a6e547 |
| SHA1 | 78521985f5929f861aa0d6e3421d90229b301f5b |
| SHA256 | f7070de45a0f4fead7e773a1cf5028477ec8c0bd68eeb8403b71d625964144d3 |
| SHA512 | faf7c93ddc763b8ea58d01805824126c1e2e75fcfce6e8af5078866c8f359050d38bd4d5d980b91ffa4281bca9cc56e8b0a29cf933ed6d3083bd3be938513d2e |
memory/1148-1851-0x00007FF9C3C10000-0x00007FF9C46D2000-memory.dmp
memory/1148-1829-0x0000000180000000-0x0000000180AB4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\prefs-1.js
| MD5 | 1b61c9f5d9884e9fde0b7b7b5b69e828 |
| SHA1 | 02f79fe1123eef769b6b07281c2572d8291b95ed |
| SHA256 | a9910c1c0e92f4e839f43378d9fb5ec55170be2b25e28f9ebeaf7860f2df76db |
| SHA512 | d37e40c0b4ac55617c406c50ea47770b124abb6148e25dce854e80e3f57ef06c282dd84b21d350d68264f2d14ab28b1bf29959107fa9b98bdfe96d4603f7b2b0 |