44caliber | hxxps://cdn[.]discordapp[.]com/attachments/1255285720042442864/1255532278541582336/revival[.]rar?ex=667d790d&is=667c278d&hm=0add3c927ace34fc380b174a7f51042773b200c8c4c11af02d32165f024c6a54&

Analysis

max time kernel
182s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1255285720042442864/1255532278541582336/revival.rar?ex=667d790d&is=667c278d&hm=0add3c927ace34fc380b174a7f51042773b200c8c4c11af02d32165f024c6a54&

Score

10^/10

44caliber evasion spyware stealer themida trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SolaraBootstrapper.exeSolaraBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 4 IoCs

Processes:

SolaraBootstrapper.exeSolaraBootstrapper.execd57e4c171d6e8f5ea8b8f824a6a7316.exeInsidious.exe

pid process

5096 SolaraBootstrapper.exe
2396 SolaraBootstrapper.exe
560 cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3864 Insidious.exe

pid	process
5096	SolaraBootstrapper.exe
2396	SolaraBootstrapper.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3864	Insidious.exe

Loads dropped DLL 5 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll	themida
behavioral1/memory/560-2319-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/560-2324-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/560-2323-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/560-2322-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
165	raw.githubusercontent.com
168	raw.githubusercontent.com
153	raw.githubusercontent.com
154	raw.githubusercontent.com
157	raw.githubusercontent.com
158	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

160 freegeoip.app
161 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid process

560 cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
160	freegeoip.app
161	freegeoip.app

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{C0F082A9-437C-408B-9537-954E4CFE6FD1}	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeSolaraBootstrapper.exeInsidious.execd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4436	msedge.exe
4436	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
664	msedge.exe
664	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
3168	msedge.exe
3168	msedge.exe
2396	SolaraBootstrapper.exe
2396	SolaraBootstrapper.exe
2396	SolaraBootstrapper.exe
3864	Insidious.exe
3864	Insidious.exe
3864	Insidious.exe
3864	Insidious.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zG.exeSolaraBootstrapper.exeInsidious.execd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	pid	process
Token: SeRestorePrivilege	2544	7zG.exe
Token: 35	2544	7zG.exe
Token: SeSecurityPrivilege	2544	7zG.exe
Token: SeSecurityPrivilege	2544	7zG.exe
Token: SeDebugPrivilege	2396	SolaraBootstrapper.exe
Token: SeDebugPrivilege	3864	Insidious.exe
Token: SeDebugPrivilege	560	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe7zG.exe

pid	process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
2544	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4436 wrote to memory of 4384	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4384	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4420	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4232	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4232	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 1564	4436	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255285720042442864/1255532278541582336/revival.rar?ex=667d790d&is=667c278d&hm=0add3c927ace34fc380b174a7f51042773b200c8c4c11af02d32165f024c6a54&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7e8c46f8,0x7ffa7e8c4708,0x7ffa7e8c4718
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1812 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5196749096446398853,6421698094098920714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Solara\" -ad -an -ai#7zMap28889:74:7zEvent28912
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2544

C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5096
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Cookies_Edge(76).txt

Filesize
952B

MD5
48dc7ed2307d1d3b8c114ab8aa3071a9

SHA1
ea130becbbe1badcb77e30a73ca6b482bc7d6fcb

SHA256
1484a4ba9593644ccc446ccd37e808c374cd2af9a8ac0eb36174d9bc626d3b70

SHA512
b9e3de51bf5aa1e00508f336229b796834b009c4f2db35068819442469384661561533761f3994d28cc19a4066433f181dd0bfd23650d2170672a14f620e1458

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Cookies_Edge(76).txt

Filesize
4KB

MD5
f905cb2ea13f9c1cf633d05cecf52814

SHA1
d5ed963ed5f14795c9af41e252cca51c2a0f81d0

SHA256
0d81b09b2f100d75a3a53edbbc8dd677d5d94e45c99e5ecfcf87ab2500f6347c

SHA512
d4c11e91198d2a3f490dd4d01ef0d83e5fd223b677a8173b23a8169a248449bf0c1b4689070b96ea9abcd935134d8a02a9a8d4d5c818122a6b97af9e0cc5d7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
31fa295cde2afa3f7acbce1fc851abb9

SHA1
1ab6cf2c0fbc7704ff885b0939db26084ae2c2ff

SHA256
787641d2d75eda5006ca2fa8a93d8590e7b790e572c6df3606c2d941d9c8a895

SHA512
9f21f235c50c2fadef1de242c04bf5f2cfa7a61886956671cf36247bf3b3641d686ee760f691b63370ef3e0f01cf523a84a0519d5d321d676a2bdb510efb8881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a80a647f1491a38f48163e7db293086b

SHA1
a576ad2d78c1454b2bfc494a8b19ae3838c19620

SHA256
bbfbbc6518b24167f630c5ebff8629e76cac1a9f3d8d4c37f03892449848e8b8

SHA512
b6d2a3bc7c7480b48638db11bd15ea1854affdcfc5732313c8125d0d9df8fa423abfc2f6ad18d837ffae755d0bb9789ab88ccc7c1ee19874ed0232ba74f09464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3c3997b8652210493b7ffe34759afe5e

SHA1
37a361a58b9ae856b097a0eb02ef379d0ba7173a

SHA256
76d836cfed2a3213cdd1321b0a266606d49e15f755b7e89677f09ec9d40ebf50

SHA512
a05a611139af18822a094979de78e6d8b09bab6959533533c43a7bf0d4771cc5d590e99f42700027abf2e2b8ddf6306c5ba47530d23ebb495cbb0c2347c3dd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
99234524258e70196b3ceb22b5b63694

SHA1
096ec672081a9c39373fa1aa058053e54f9ee60b

SHA256
e4ffcc77f13de5d88661d87c4337f510caf3ba9a5b278588954d285ce17ed160

SHA512
1173f3199cc35aeac89c72aa36af119669a4c3668a4f1dab2611fdb09d793aacb01aef11a2a4ef5dfddeea2593fe9f80d7b2cb21c907d8c5b6b0037b9203d973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3aca6798e37dacb8f3956b373966f91b

SHA1
071576cf04f8cecbc356c9ee23e4d4f9c9adb5d5

SHA256
803595c092379584a21c116afb69e9f37f50896d0a6df61e79a802685ab9fb40

SHA512
9ec46364432c9ce67d96cccc99670e4ce7a7c46c597431da6ae6d057276ab2895a9f11952d532075ad6c800cbdde0e98d3c11528f1a6ee36f200ed2530019884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
546B

MD5
03694be22de8c5506390e1a79006d684

SHA1
49101258f1e47fb73ad82d544689f5b038ec9f35

SHA256
6cfc77f754415eabb3d8f4d1c22ccec86e2057e2555e8690c19b2d4a4f2927eb

SHA512
7b429f6cffaf663999196767a7b7c087373b7b3cbf7075b6b477f34c362115b5f6c25e248a2dadaf7de83669503cfe5c7fb94b71c49c22da288f605a3a489f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2240b6548062c71b38fac14b2539d8e0

SHA1
65846aa318e946128bf703c3a3dbaef3bef82014

SHA256
f2d2408d4f400d073d108661a2606469e052de9683ebc271450f59b4e04639e3

SHA512
028762ebacd9f16d6a91211e7abd46c0a5b6fcbb1be3f432dde72e3f015d226626c3ba454d6a13e80ffe815fca7c3d308b09933b0132c01dd30dc2d94a3686eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50a865453f3be92b3f5c0c3ed1e396c7

SHA1
0fa6a207e92e02eeef3e85ec82707168679aaf46

SHA256
dec229028848be3d4fa4e04f350c3e4a0ad7c8e8f0aee9e73ade11d94db5dc54

SHA512
6423519c83aa063a4047f2fdf6386d3081ce3a00aec1c85cb3dcd15f6d858d241a5b77a887966b0dac33e79bf1b5b712a158af1477e3986ccf1791a0ec811689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ca49057a1c3f55c2469a70160bf787a

SHA1
d2b574b86475118356595d3b5c720af7c5ddb13b

SHA256
5e50b7e2792f28e29020b8028eda036fcb7f56fa7b7cbd3aeaac3882bc17f959

SHA512
abb6259e0a83229f5491c0ae01cceedde11276ed4973f011853cb03f64998b37e7cd6803e6b01d257a6611203f326d293bbea99bd5cde1dd8232389c3f0826e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
80e47a124cd1198744fa7ab534f42132

SHA1
74bb392da03f766fc67d372ef795f8fe1dfeb8f1

SHA256
2c94adb813406f52f1d948a88f2de775969d62070555cddb9f980440649f6dfb

SHA512
063db70323168294521e16255e470b7fe6e42c3d629a3838ec3c2ea64284551e366545fdc9901d37425d35eaec67299c95a1cfb23ad8f91d3e3a9bfac9d02278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4096cde419ba13b3baecf10c8ffbbdbc

SHA1
991adc7b8e262be7c99ae0bf3cab79ee7e62fe82

SHA256
de09972784a450f9da04f5080e02ea81a35bf1038ed2ab4bf48a535b651f5609

SHA512
a45c829fa7d844a9381ab9ce33216f1ce46ba45848ed7773e277018d6efdfcd1522e06db093d75519f65d4e35d6a1d90f6c33fad38155a060cc037cdca97396d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bab702fe2a86c0042ebe7e0f2cca7d34

SHA1
62d91f8bc3d95a6ac1c97c9b5106ea3fc372ceba

SHA256
4f80f93596d72814f0b15e2c28286704f1e1062366b4421cce1116bb79391663

SHA512
0857dc11ff26a462128bc3285916652536f865cd64ebbfc6748f228d355ac8522fb4a13b741f058a4e5330c69e46ff318cac11c85398b106d948f33901c9add7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
662d229db09e9eb64848aa087175cfb1

SHA1
aae9149900810d26b3849f682ee9cd0bb96ff4c2

SHA256
efb0e859c6a226a9134c67cc7fe97a5d58088272b1ec06eb1ed57d4bb520eee0

SHA512
75a82a3b0cbbb384d626b152eda132f182874e3f8d1d4dbfe96e5e84d7ac147174afcd3e2c2075d94c235ac1a4117171c8481183423146f3a5599fa555b05d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ef366a68582f0d6a4482bea3af888135

SHA1
26c58844ad3a15b42c08183deebcf170142cc7bc

SHA256
26443ef7c1e0f9040acc6a14ca14e4d6cc9301656a072463b3bb059f462341e2

SHA512
37c392de9accd71c03acb33cd56c92e839abefc2fb122a2c42c2c0344aeff90b6225fea4ddbeb712b879cc0963ea61284dd587dd1651509bb0a8b5216f9ff37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d07e5ac0b78c7253432aee2159f7952d

SHA1
f8b1bccc87096cb801bf6d3e8c3eae292f523ef7

SHA256
23ef633971cf9b9a387aa73197d428af6dcca6bccf5c89dd57a65a39b2612f34

SHA512
4477ba5cc14f6934921e38a7e4696cd9442d7b8d61f6e3524fd6e3a9367951205a6926648dd64be80cd384fc384b80a33c6d90147b78b411742f169a9fb6d314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b482ad71267200364cf4277bd29dcc7

SHA1
ac74b80b0ffec53af511b8324594264aefda73ac

SHA256
a677cc087a09f2232bd3029de62a27aae1eaea9127d4f1415387825c7bbf1735

SHA512
fc98ffc567f4b78a74079f306edd760b9be08cdc9735ec9f951ed42ce47cb561b0e52d90a3bb04f2c45e48dfd5dea3484869a10d0b1eaacd55c75ffbf45450f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e80402e54dce0c7883917fb971f09e4b

SHA1
3a16e249acae60eb5f26a3987ccf370972d23a1c

SHA256
7ca75b16ebcece8c21bdd12aa17ee1c165e526a9ed762c69d704ad3a17985380

SHA512
afe1c6524334822a415a4ff10d120ba74236b488415e57145a398588665d786bc69840287b581d5afe1e75126fbbe81ba7a0d6e4bb6d45cf7eb98194818ec4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b3dbd8b736bda0bb1efb10226773a261

SHA1
8c615a9ac12429d949714bc4ab750e0ffd5a83a3

SHA256
54664e8fe06d2ff154cc35f5632548f6eb6a1acf2c8d571d167d33e35b2204ca

SHA512
8ce7a2603ea54c247274555dbdaf9db588ec58ed5a2fb18a2e78cd91bd9c3398ef2753f9992e2a024706b2796770603dcfcd3ae2893c312ba551c9e5d2646dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f41f.TMP

Filesize
700B

MD5
949ccc8e2ed238602f8d113271e816c0

SHA1
260ce24138967c2de29ad78fa5dc2376b8144d94

SHA256
d65cc2afd57a65e60cd1893b95987c4844b9820b2e850375625c5b448cbd002b

SHA512
ae27af78c3a0a1a734c934023b1ce619b476fa139a81fdf541dd0be80bd187f8d25665c4e32f7477d56a575b004d580186dcd9e12044f6c5e3bca1442594c64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f792151d98d5b8dfcc0fe48d56ba6771

SHA1
03983448f307c4ab8f71cce9d697f58e541ed805

SHA256
37a4202eb8edc96c17fd4a5fd8e1f0dee96eeed1c77da531c7d26c0604ec5619

SHA512
b125b058c17b4afc947509843f84d17489c8d3dc31d8443096cd617d30aaaa8d95a25c793e2e3e7794e9a39dc47f643e31f8b3a13895e597eb586d8be6ba5b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ebe28eb8c9a5b1bef371e8551cb964ad

SHA1
f4b89727170c9f08293994fbac9c5e174bcd6b94

SHA256
ab8f52be164a759bf408575ae86d160b29e6435bec96b9d0f76b9015f21edac7

SHA512
4de01f2a8efa3e46c70fa26234bd3c799d1990d39708f0a51cda92165c2656afe21e691edad2d79477f523f4c6e8b245e40c939d3482f10a0d09c8d299fb8207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d5770881-f28d-4638-9919-ca3c5488529c.tmp

Filesize
12KB

MD5
b8b6e7fc42d4e2c1d42740fd4bde9573

SHA1
183696afe60e58856627f094de56c44883b909a3

SHA256
81a11832dceca2d9d6b98a48aa4f396ee43dfd3ff15feea3b5b251de9086655a

SHA512
f115e554b05a93a01c1b0a729529d31e6283bb760dad5238d2ac7e55740857e12b41f902db903f18f4c1d7a9395107913d388a726bab9ae45f854651e076c7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe

Filesize
303KB

MD5
cf6fbbd85d69ed42107a937576028fc9

SHA1
d8f2ca741a8f0beb8e89a68407241c5332759303

SHA256
644455284cd1e2188564dcea09cc0d09448423c9bfdeb9d05a834600d593ec1a

SHA512
562f8004f6d406ed596ff2ad7487f616f1abb98d415d70d87c18f11f364b35a40b959800085966b1680737e6bc7e3793d3b8c60046ea680dc87a673badeab94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll

Filesize
37KB

MD5
4cf94ffa50fd9bdc0bb93cceaede0629

SHA1
3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f

SHA256
50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6

SHA512
dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE

Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt

Filesize
33B

MD5
7207978deac3d2df817c0efb6de01f45

SHA1
1b547cb35c2e709dcf4132452cdb5b6ccd66044f

SHA256
14056051c638d943e3f6cd8ae99b7b8b8b4419f6e6193861081e519eeb4dc808

SHA512
d38226a5eb755aafe7e8e3d707b00841aea985bd8dedf20556800f1bb7ac7c807fa195bdd1e21014087f89b319ab278bec922951b7c682e9edd3fbee147834ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

Filesize
4.2MB

MD5
f71b342220b8f8935abe5ea0b1e5f30c

SHA1
a70d41dbc456d548e790af717575b1f83e3f38b5

SHA256
dec8c51c89452b183201e58e4cfceffb0924c4c1f7729841a739086711ff021f

SHA512
d6ba2d0eecb2bd70ea727c7bd86cce75fe535e4a7688eb6fc6334e30f568d24d0b6661b8873ddb88c1bb75dbf772fae215b101545ff85e6461a2b05b85dfe05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Filesize
90KB

MD5
d84e7f79f4f0d7074802d2d6e6f3579e

SHA1
494937256229ef022ff05855c3d410ac3e7df721

SHA256
dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227

SHA512
ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
972e0aefbff3fec63158f6ca7a93f1ae

SHA1
016cde12cc310fac2705c9e897a339edb38d89b9

SHA256
f9455df43e791cd1721342cf033743f7f4ffbc3f55d7b5b96f8276db50436099

SHA512
37e6c3bbc396e2f3153f178aa54e36b42efe3a142400c55dfeb4ab1749d551c6da2e4c473880399d64b61b19c351bf5267ac8dfa07e2c0764e41506e9354e2fc

Download Submit
C:\Users\Admin\Downloads\Solara.zip

Filesize
400KB

MD5
20804935c8018d330c47fa7acde89358

SHA1
7e79e69996cf54bf3da5807e37805db03d23f34e

SHA256
65dcaf8699e4d8d8aaa1c177fc49bfe4ff69ad4fd3891d61f68c5239e217cb14

SHA512
7c7cf8a3e6d90376a1a958c57527750c5a04d6d27c90397aac458898a34601a36c5f345afeabaa72f0ece7f3701ac729b68b5bd9f93252552feb4a1f092fc398

Download Submit
C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe

Filesize
826KB

MD5
886d05ab350457e2ddde2f569dc0668a

SHA1
3448ca0ce7b2f279694f8a360348c0ade71b9322

SHA256
286b6d3aa77caa78854b3648d96d80a1f207d7b94fb54103b44600a6f72839b5

SHA512
31186e5e079389f820a026843340468cf183c31ee18d60537d48e83b4ecb08b86f2e1b41012b4fa25ebbbd33a4fbc833986815e71010b74df3e04fdaf49d7962

Download Submit
\??\pipe\LOCAL\crashpad_4436_PLDHKQGMTNWVXCTW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/560-2306-0x0000020D1BDE0000-0x0000020D1BDEE000-memory.dmp

Filesize
56KB

Download
memory/560-2319-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/560-2303-0x0000020D1BEE0000-0x0000020D1BF92000-memory.dmp

Filesize
712KB

Download
memory/560-2308-0x0000020D1C9E0000-0x0000020D1CA5E000-memory.dmp

Filesize
504KB

Download
memory/560-2301-0x0000020D1BE20000-0x0000020D1BEDA000-memory.dmp

Filesize
744KB

Download
memory/560-2300-0x0000020D1C2A0000-0x0000020D1C7DC000-memory.dmp

Filesize
5.2MB

Download
memory/560-2329-0x0000020D1CC40000-0x0000020D1CC78000-memory.dmp

Filesize
224KB

Download
memory/560-2330-0x0000020D1CC10000-0x0000020D1CC1E000-memory.dmp

Filesize
56KB

Download
memory/560-2328-0x0000020D1CA60000-0x0000020D1CA68000-memory.dmp

Filesize
32KB

Download
memory/560-2304-0x0000020D1C0E0000-0x0000020D1C102000-memory.dmp

Filesize
136KB

Download
memory/560-2324-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/560-2323-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/560-2322-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/560-2223-0x0000020D01690000-0x0000020D016AA000-memory.dmp

Filesize
104KB

Download
memory/2396-758-0x0000000006030000-0x0000000006042000-memory.dmp

Filesize
72KB

Download
memory/2396-756-0x0000000002E10000-0x0000000002E1A000-memory.dmp

Filesize
40KB

Download
memory/2396-755-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3864-2229-0x0000019905750000-0x00000199057A2000-memory.dmp

Filesize
328KB

Download