Resubmissions
09-08-2024 11:45
240809-nwqfaatgkg 10 Analysis
max time kernel: 157s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2024 11:45
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/quivings/Solara/blob/main/Files/SolaraB.zip
Resource: win10v2004-20240802-en
General
Target: https://github.com/quivings/Solara/blob/main/Files/SolaraB.zip
Malware Config
Extracted
Family: 44caliber
C2: https://discord.com/api/webhooks/1256365156401680444/Q4ybvTW8-P8cHM7v5CKOThKUJqTZ4f03jPUNC4To8TouPRnWl442RcsKLBOptm6uvg63
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, the web browser credential store.

Executes dropped EXE (2 IoCs)
pid 572 SolaraBootstrapper.exe
pid 3196 SolaraBootstrapper.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow 97 raw.githubusercontent.com
flow 98 raw.githubusercontent.com

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 118 freegeoip.app
flow 119 freegeoip.app
flow 121 freegeoip.app

Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (2 IoCs)
Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{04EB43C2-719E-4EEB-A3DE-201A6BB66712} (msedge.exe)
Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings (msedge.exe)

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid 3812 msedge.exe (2 entries)
pid 1608 msedge.exe (2 entries)
pid 3116 identity_helper.exe (2 entries)
pid 2416 msedge.exe (2 entries)
pid 4280 msedge.exe (2 entries)
pid 312 msedge.exe (4 entries)
pid 572 SolaraBootstrapper.exe (3 entries)
pid 3196 SolaraBootstrapper.exe (3 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
pid 1608 msedge.exe (14 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeRestorePrivilege, pid 3176 7zG.exe
Token: 35, pid 3176 7zG.exe
Token: SeSecurityPrivilege, pid 3176 7zG.exe
Token: SeSecurityPrivilege, pid 3176 7zG.exe
Token: SeDebugPrivilege, pid 572 SolaraBootstrapper.exe
Token: SeDebugPrivilege, pid 3196 SolaraBootstrapper.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
pid 1608 msedge.exe (34 entries)
pid 3176 7zG.exe (1 entry)

Suspicious use of SendNotifyMessage (24 IoCs)
pid 1608 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quivings/Solara/blob/main/Files/SolaraB.zip
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2a9f46f8,0x7ffd2a9f4708,0x7ffd2a9f4718
    PID: 632

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    PID: 1180

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3812

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    PID: 3600

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    PID: 4444

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    PID: 4456

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    PID: 4304

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3116

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    PID: 3276

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    PID: 5016

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    PID: 1476

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    PID: 3436

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4092 /prefetch:8
    PID: 2908

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3640 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 2416

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    PID: 996

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    PID: 1304

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    PID: 1644

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    PID: 4512

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
    PID: 2136

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3244 /prefetch:8
    PID: 2860

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    PID: 3496

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
    PID: 4132

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:8
    PID: 3864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
    PID: 3012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4280

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4952771496674638905,8648269830743133991,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4932 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Solara\" -ad -an -ai#7zMap25432:70:7zEvent6824
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 3176

C:\Users\Admin\Desktop\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Desktop\Solara\Solara\SolaraBootstrapper.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 572

C:\Users\Admin\Desktop\Solara\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\Desktop\Solara\Solara\SolaraBootstrapper.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3196
Network
MITRE ATT&CK Enterprise v15
Downloads