rhadamanthys | hxxps://github[.]com/user-attachments/files/16829393/Solara[.]zip

Analysis

max time kernel
71s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/user-attachments/files/16829393/Solara.zip

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5736 created 2648	5736	Solara.exe	44

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5636 set thread context of 5736	5636	Solara.exe	119
PID 1368 set thread context of 1480	1368	Solara.exe	130

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5904	5736	WerFault.exe	119
5932	5736	WerFault.exe	119
5380	1480	WerFault.exe	130
5400	1480	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
4480	msedge.exe
4480	msedge.exe
628	identity_helper.exe
628	identity_helper.exe
2176	msedge.exe
2176	msedge.exe
5736	Solara.exe
5736	Solara.exe
5808	openwith.exe
5808	openwith.exe
5808	openwith.exe
5808	openwith.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6088	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6088	taskmgr.exe
Token: SeSystemProfilePrivilege	6088	taskmgr.exe
Token: SeCreateGlobalPrivilege	6088	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe
6088	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1340	4480	msedge.exe	83
PID 4480 wrote to memory of 1340	4480	msedge.exe	83
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3064	4480	msedge.exe	84
PID 4480 wrote to memory of 3452	4480	msedge.exe	85
PID 4480 wrote to memory of 3452	4480	msedge.exe	85
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86
PID 4480 wrote to memory of 2656	4480	msedge.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2648
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/user-attachments/files/16829393/Solara.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84c9246f8,0x7ff84c924708,0x7ff84c924718
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16091688799093092095,4740648362037697789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:5192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4268

C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5636
- C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 460
    3⤵
    - Program crash
    PID:5904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 456
    3⤵
    - Program crash
    PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5736 -ip 5736
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5736 -ip 5736
1⤵
PID:5920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6088

C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1368
- C:\Users\Admin\Downloads\Solara\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 180
    3⤵
    - Program crash
    PID:5380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 436
    3⤵
    - Program crash
    PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1480 -ip 1480
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1480 -ip 1480
1⤵
PID:5376

C:\Windows\System32\0zy1bv.exe
"C:\Windows\System32\0zy1bv.exe"
1⤵
PID:5616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solara.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb3816ef8dcf7012b550cb3f5190b592

SHA1
48ad3427018b16372318fdc27e2c3c27ad83388c

SHA256
fe0792c0ee5983da5f366f698c70d8c3ecc2980779809661f035f5cb06761939

SHA512
3e9126a3cb34a21ae442b36b1f1af75ba26611e09f422b1cabbb35e3783d4adbf03c6f1cee0561733f37e3778cee1c1db901f0e1de04a4cddb7c18b5b29e8fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a7ed17a46a1a9b3aacf59ea9a850fda

SHA1
693bd0d4ef2a2862135362a155d8b699b6e6276e

SHA256
48f5eaf0239814ba9a288f624ebafedd6ec6920d4df8f49009bf59a30960c12f

SHA512
45ea8eaf963fc1a1287fed7e01abcb3140f4e988cb5df7acc8b2463dde9d0b64c84b3a0d66d5cb536da38a46903fd75bff6709c1cf5277a27cc7d614a82a9b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c23d98edb72ae9136dfc31aef45a065

SHA1
292081d549cdd98c15a82c6a201355d8d6cfa342

SHA256
ee76fabc95aa162e68c969c728bc7c3942d3e98bc6bf6ce85f037e8abc363c97

SHA512
ef23ac9393937d871aa8d7eef2259baf4870f9072787de7be9e4aec956e7e6abe61e9483e4f446555855affdf3abda93e2d2b22330433f11e4a91584c128294a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 262695.crdownload

Filesize
13.4MB

MD5
6fe0bb4598fba38e1c2dc25b084ae38e

SHA1
7514257cc85b0a2d4b218f43f9a8f4dd61c545cf

SHA256
ceaed51bfaf0862e89a1790376ff6969bcc7c266e2c7b73cf67f57ad3ca7a397

SHA512
232b90973680eadbf11851fa20dc1e0ffbcae86f14bd8b605964a593775705cdc69dcb3cd9a5ab66ce18785c2a098df75f58392b1c3d6a04f28c57541fdc632b

Download Submit
memory/1368-116-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/1480-118-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1480-120-0x0000000003DB0000-0x00000000041B0000-memory.dmp

Filesize
4.0MB

Download
memory/5636-72-0x00000000002F0000-0x00000000006C8000-memory.dmp

Filesize
3.8MB

Download
memory/5636-76-0x0000000005030000-0x0000000005052000-memory.dmp

Filesize
136KB

Download
memory/5636-75-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/5636-74-0x00000000051B0000-0x00000000052D0000-memory.dmp

Filesize
1.1MB

Download
memory/5636-73-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/5736-84-0x0000000077320000-0x0000000077535000-memory.dmp

Filesize
2.1MB

Download
memory/5736-82-0x00007FF85B650000-0x00007FF85B845000-memory.dmp

Filesize
2.0MB

Download
memory/5736-77-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5736-79-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5736-80-0x0000000004220000-0x0000000004620000-memory.dmp

Filesize
4.0MB

Download
memory/5736-81-0x0000000004220000-0x0000000004620000-memory.dmp

Filesize
4.0MB

Download
memory/5808-87-0x0000000002CE0000-0x00000000030E0000-memory.dmp

Filesize
4.0MB

Download
memory/5808-90-0x0000000077320000-0x0000000077535000-memory.dmp

Filesize
2.1MB

Download
memory/5808-88-0x00007FF85B650000-0x00007FF85B845000-memory.dmp

Filesize
2.0MB

Download
memory/5808-85-0x0000000001090000-0x0000000001099000-memory.dmp

Filesize
36KB

Download
memory/6088-104-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-102-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-101-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-100-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-99-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-103-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-105-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-93-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-92-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download
memory/6088-91-0x000002BC4A940000-0x000002BC4A941000-memory.dmp

Filesize
4KB

Download