Overview
- Static: 10
- Solara.zip (windows10-2004-x64): 3
- Solara/Sol...on.dll (windows10-2004-x64): 10
- Solara/Sol...er.dll (windows10-2004-x64): 1
- Solara/Sol...ce.dll (windows10-2004-x64): 1
- Solara/Sol...ce.dll (windows10-2004-x64): 1
- Solara/Sol...ra.exe (windows10-2004-x64): 1
- Solara/Sol...pl.dll (windows10-2004-x64): 10
- Solara/Sol...rn.dll (windows10-2004-x64): 1
- Solara/Sol...fg.dll (windows10-2004-x64): 1
Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-08-2024 08:13
Tasks
- static1: Static task
- behavioral1: Behavioral task, sample Solara.zip, resource win10v2004-20240802-en
- behavioral2: Behavioral task, sample Solara/Solara/Debug/Addition.dll, resource win10v2004-20240802-en
- behavioral3: Behavioral task, sample Solara/Solara/Debug/Helper.dll, resource win10v2004-20240802-en
- behavioral4: Behavioral task, sample Solara/Solara/Debug/Resource.dll, resource win10v2004-20240802-en
- behavioral5: Behavioral task, sample Solara/Solara/Packaged/Resource.dll, resource win10v2004-20240802-en
- behavioral6: Behavioral task, sample Solara/Solara/Solara.exe, resource win10v2004-20240802-en
- behavioral7: Behavioral task, sample Solara/Solara/accessibilitycpl.dll, resource win10v2004-20240802-en
- behavioral8: Behavioral task, sample Solara/Solara/oleprn.dll, resource win10v2004-20240802-en
- behavioral9: Behavioral task, sample Solara/Solara/wwancfg.dll, resource win10v2004-20240802-en
General
- Target: Solara.zip
- Size: 14.9MB
- MD5: 23fa82e27232128a195e621a69bd88a7
- SHA1: b2d66dba43d8c5415c44f47687f0d4823f16326b
- SHA256: a281f5e7c6754fc54b941696d4f6cbe7fccbbf72a4978b13997f65961f0da53a
- SHA512: b9dc0285bafac82de59b727f4ac352e98b00101b4f32e1b1db753e0ceb0e535469f9a6845ac8c84c7ecbd683f99cfa615dfe35441ca0c70b5b5ba6270e84ec97
- SSDEEP: 393216:9AUFhD0H/KYTb+ipl5PdX3qg08I1k2hLeRr8mWd5:9As8KOb+ipx332WcywmK5
Malware Config
Extracted
rhadamanthys
https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 4536 created 2588 | pid: 4536 | process: Solara.exe | procid_target: 44
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow: 94 | ioc: camo.githubusercontent.com
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 5352 set thread context of 4536 | pid: 5352 | process: Solara.exe | procid_target: 131
- Program crash (2 IoCs)
  pid: 5960 | pid_target: 4536 | process: WerFault.exe | procid_target: 131
  pid: 5996 | pid_target: 4536 | process: WerFault.exe | procid_target: 131
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: Solara.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: openwith.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: Solara.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | process: taskmgr.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | process: taskmgr.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | process: taskmgr.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | process: msedge.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | process: msedge.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | process: msedge.exe
- Modifies registry class (1 IoC)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | process: msedge.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 432 msedge.exe (2 events), pid 3288 msedge.exe (2), pid 220 identity_helper.exe (2), pid 5892 msedge.exe (2), pid 4536 Solara.exe (2), pid 5216 openwith.exe (4), pid 6044 taskmgr.exe (10)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid 3288 msedge.exe (10 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description: Token: SeDebugPrivilege | pid: 6044 | process: taskmgr.exe
  description: Token: SeSystemProfilePrivilege | pid: 6044 | process: taskmgr.exe
  description: Token: SeCreateGlobalPrivilege | pid: 6044 | process: taskmgr.exe
  description: Token: 33 | pid: 6044 | process: taskmgr.exe
  description: Token: SeIncBasePriorityPrivilege | pid: 6044 | process: taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 3288 msedge.exe and pid 6044 taskmgr.exe (repeated events)
- Suspicious use of SendNotifyMessage (60 IoCs)
  pid 3288 msedge.exe and pid 6044 taskmgr.exe (repeated events)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3288 (msedge.exe) wrote to memory of 4436 (procid_target 102), 1908 (procid_target 103), 432 (procid_target 104) and 4840 (procid_target 105); each target appears in repeated events
Processes
- C:\Windows\system32\sihost.exe (PID 2588)
  command line: sihost.exe
  - C:\Windows\SysWOW64\openwith.exe (PID 5216)
    command line: "C:\Windows\system32\openwith.exe"
    signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Windows\Explorer.exe (PID 2184)
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip
- C:\Windows\System32\rundll32.exe (PID 5068)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3288)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec0b846f8,0x7ffec0b84708,0x7ffec0b84718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1908)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 432)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4840)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2504)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5116)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5080)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3788)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 868)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 220)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2928)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3988)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5200)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5608)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5696)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5544)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3052 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5492)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5892)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,4884025703545449865,1157215409294296482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 3764)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2156)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Users\Admin\Downloads\Solara\Solara\Solara.exe (PID 5352)
  command line: "C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\Solara\Solara\Solara.exe (PID 4536)
    command line: "C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (PID 5960)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 460
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 5996)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 456
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5872)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4536 -ip 4536
- C:\Windows\SysWOW64\WerFault.exe (PID 5988)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4536 -ip 4536
- C:\Windows\system32\taskmgr.exe (PID 6044)
  command line: "C:\Windows\system32\taskmgr.exe" /7
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 53bc70ecb115bdbabe67620c416fe9b3
  SHA1: af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
  SHA256: b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
  SHA512: cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921
- Filesize: 152B
  MD5: e765f3d75e6b0e4a7119c8b14d47d8da
  SHA1: cc9f7c7826c2e1a129e7d98884926076c3714fc0
  SHA256: 986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
  SHA512: a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 28c93b0a8e84baf05ad40a66e37c61a8
  SHA1: 6b9a4816dfd06280f26a0b0f346602a482b4887d
  SHA256: 02d8c274073b99286fa78981ac0afc54f96ef741ca9af81780e5c7aa93167aae
  SHA512: b5e07009768bcf0610dfa3d8ccd2939826f72c45a87625ec85f0f3e0d0b194d1236dd54e3975c153e3a3c7486d4e4cc85634719ba178719e8553aad9ac9628f7
- Filesize: 566B
  MD5: 32e00885c44d5c3bba4c993c54862ac1
  SHA1: 367b00f40f49cee09a13cb2f0b6c5df922367668
  SHA256: 84cc6dd3285dd490f185d3098912288933077699d9839ad4c607fdc9526048e7
  SHA512: cf1f5fa1c8f8bbac9da7b54f984bccb3d98f32543c6fdfe8c4066f8eab7042e9e9ec308f9acc70f86e632d4aa88fabbc3e4cff1358959f147c0012a66d964a99
- Filesize: 6KB
  MD5: 0af04579b8dfe8d6b63fb3cf144bcc5c
  SHA1: 4a26a82244d0eddec0158d709c1398076629d1aa
  SHA256: 9813a39603c83f1f007a0f5486956009023be694630ca230739a32492a41b787
  SHA512: c27f81ccf27875353b15da2e86ac89c2c49cd13afc98011026bd30bbdc6a57ebc0c4d5037e10e046e29c0442cbfc94a2ad898e027597e69f49762d95cf500c7c
- Filesize: 6KB
  MD5: 73d6d559be5e06f4836f523a1cea07ae
  SHA1: 82707d754b24954c1e88ce59024b7a81376acd70
  SHA256: 2b836f76e958b4314179b43f311e30ea721331417f35783365aa3b0d1df41018
  SHA512: 46a086c09fb3cede2cb651e38f56b7f5760be98d732d60df0ff2261287c4fae1b3dbe6087195f57366500444d89fdf16af79392b1e356824d2a4e8fef972122d
- Filesize: 5KB
  MD5: 865769af3c8dc2e7b9cd6f2e7beeb598
  SHA1: 8671f9def1b7fba750bedb8acc91b3a8e387e596
  SHA256: 970b2b30a92fe1a2c59e2afdbc0ab4be6617de6757edcf315d0c34ef37c59613
  SHA512: 4f51ae63797450583d73903a3b9e4792ba92c31022d4567e3d751e1006bebe23aaeaa1babeb3674fffb5feadd352669574b84aff00f37eeb98c74d9bfe5e555f
- Filesize: 6KB
  MD5: f5b90cc4564545f75a6361b905e024c2
  SHA1: 15d5abc6d0098694906b41b3d47017e9b1fc031f
  SHA256: 8fe0b40691e45f11dd70009cb14416764f1775ef538274092fd3bd05fc7db2e8
  SHA512: 1d8f6c3ec221af5d1d1c2631f7e64b06eab335c95490e12e3f32c8a40fa808cb7942d12f817688250f000d554e7d98be09a56ec61035cfc00f4ea19e523229fa
- Filesize: 6KB
  MD5: bcf869edc460bd69e05d97aee3c11e85
  SHA1: 7ffc5831c3f6a2de913581b7d2ddc036ee07d90c
  SHA256: 32606c02ae9d43ddc79f8f90329dbd5fcdf2a1b6c779cafc1c06db4f798be2f3
  SHA512: 2cae89c5daa910148442a61356b344d3210bcce921905f634a468b2906a540771b20ba75f3c78a37bf8a88cdbff27057f8539cc479dfdc646da7970a4003c362
- Filesize: 1KB
  MD5: d3d28dc7d8f50359d1db53d5a4e0785c
  SHA1: 4d67e391b5bed7de6ac95285c0730355f6a602a5
  SHA256: fa24ddada1a6b549fe645be5a2ca9f892696ba24ecbea13b90eca0d3383a0e2b
  SHA512: 1680f6a84860995b00cea4764b71d1213a1d60b3cd4bfb8cb331477c9d5bf028b85f4f663f5e27de8430112113d9caea7a9251c79ab9f6ea2741b4fa2885c089
- Filesize: 1KB
  MD5: 27a53e75beefaae3c7c05720a35b8d13
  SHA1: 76aa477c63a88bc2b19279c17151561d5c6de58e
  SHA256: 17d181831f57aeecf7ec00837b856a1670f0a91ec921d51d04478ca501ee612a
  SHA512: c60796c8bbbd6d359f8de69e9a2375da9186d62745a76ec60bbcac8a8c26369e41c3371634aa3b6cae13a3f397d3453643ce2885d315d6065d2124beb77e3ceb
- Filesize: 1KB
  MD5: 476b33fff2fe48d3fb2e915c02aaf642
  SHA1: db6f93283afd534137b9f8d230d0e85c933930a8
  SHA256: 777ab157c7f821ad83a0f12cd345ac6ee161eb16fc676e3d10cfc69c5bd1ae7f
  SHA512: 3ede1f4e58878389ec737c890d1469685133ebbfcb08dcaa4138cb93ab1c69d0b49b5a6fc8cb9c9e287d5dedf2059d8a556f29d0e46aa46b6e4f1fca1528077d
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 12KB
  MD5: bdb157f7b2a58a29d43c8a9b9b47255a
  SHA1: 87d00beff6457b91143d08dcd64a0688540a9abe
  SHA256: 8c3f09ea663281abc2e56f82694c11ce0792944354e18602e49a0f85ccb8a3b9
  SHA512: bef729ae02b8711345b37083bbd05450bbe6852cec4a80a06d85050ebcc5f0d57be2cd62c20038f3bf7f03be7b70d38d04cc3e3d565b06740db54f04be462aad
- Filesize: 12KB
  MD5: 591034dbb759f84d77b0977a104cdfe3
  SHA1: 68097a588927a3a5c3becf267eee814e4af7877c
  SHA256: 92a490c0436961cd5bfc509cf910daf1ece3cd464127734a750451b28d2f229f
  SHA512: 4e4469521e8177c8f2e8eb5513982cbaf8f23f4d004bd9655f0130cf2c9d75b18bd7496487a1b304d24c43dc4ee4d8b7cb5ae77785b3304582ca50941dc81f24
- Filesize: 11KB
  MD5: 37f70e3f2ef454fc905ffd44278eca50
  SHA1: 8d02d5b9b1c8ac5760dc293098e98c64ac048d39
  SHA256: 3d1804b15bc6c58776f4250e0bd843be00e419a001d811195755429e9bf1fd2a
  SHA512: c75e3311420cb935f263dc688dfc064053e5865b9b4f5aa74a8f9d56bbc932e0789960fec0982800ec2aa2c895f0b3831831f97d04939fa4f79e12b8e7885293
- Filesize: 14.9MB
  MD5: 456adec7a01fff85c1204428b5123a66
  SHA1: 26165fe003a01a3a59dc64070fbf2e96187214d7
  SHA256: b6127458de06667662655e158e7d1adc6cf505d08d9dffe243a0b308b3166090
  SHA512: 3b2cbfaf171297da578c0db840e54a156a1aec481a0f441acaddfe127d20f1013d62a74c99fdbb8a44bc9ced109aa25509dad05131cc5cfe99ade170027fcc41