Resubmissions (date, ID, score)
- 24-10-2024 19:59, 241024-yqt7dsscpl, score 6
- 24-10-2024 19:55, 241024-yndfvssclj, score 10
- 24-10-2024 19:54, 241024-ymwk2ssckm, score 8
- 24-10-2024 12:40, 241024-pwm6la1hmn, score 10
- 24-10-2024 12:34, 241024-psafbs1gkr, score 10
- 24-10-2024 12:24, 241024-pk4zza1drl, score 10
- 22-10-2024 13:05, 241022-qbwsnsybrr, score 10
Analysis
- max time kernel: 115s
- max time network: 117s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24-10-2024 19:55
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
- Resource: win10ltsc2021-20241023-en
General
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- PID 4240, powershell.exe
- PID 956, powershell.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (reg.exe)
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe (javaw.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe (javaw.exe)
Executes dropped EXE (1 IoCs)
Processes:
- PID 4696, WinSFX.exe
Loads dropped DLL (1 IoCs)
Processes:
- PID 2884, javaw.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only): \??\F: (javaw.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 7 IoCs)
Network flows (flow ID, host):
- 18, discord.com
- 19, discord.com
- 20, discord.com
- 22, raw.githubusercontent.com
- 2, raw.githubusercontent.com
- 3, discord.com
- 4, raw.githubusercontent.com
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow ID, host):
- 2, api.ipify.org
- 2, ip-api.com
- 16, api.ipify.org
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Solara NEW.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings (msedge.exe)
Modifies registry key (1 TTPs, 1 IoCs)
NTFS ADS (1 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\Downloads\Solara NEW.zip:Zone.Identifier (msedge.exe)
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes (PID, process, number of hits):
- 3760, msedge.exe (x2)
- 3280, msedge.exe (x2)
- 5088, msedge.exe (x2)
- 124, identity_helper.exe (x2)
- 4508, msedge.exe (x2)
- 2884, javaw.exe (x22)
- 956, powershell.exe (x3)
- 4240, powershell.exe (x3)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes (PID, process, number of hits):
- 3280, msedge.exe (x9)
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes (token privilege, PID, process):
- javaw.exe (PID 2884): SeBackupPrivilege (x2), SeSecurityPrivilege, SeDebugPrivilege, SeRestorePrivilege
- wmic.exe (PID 2792), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- powershell.exe (PID 4240): SeDebugPrivilege
- powershell.exe (PID 956): SeDebugPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (PID, process, number of hits):
- 3280, msedge.exe (x64)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (PID, process, number of hits):
- 3280, msedge.exe (x24)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (PID, process, number of hits):
- 240, Solara NEW.exe
- 2884, javaw.exe (x2)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID and process, target PID and process, number of hits):
- 3280 msedge.exe wrote to memory of 1776 msedge.exe (x2)
- 3280 msedge.exe wrote to memory of 4128 msedge.exe (x40)
- 3280 msedge.exe wrote to memory of 3760 msedge.exe (x2)
- 3280 msedge.exe wrote to memory of 1140 msedge.exe (x20)
Processes (process tree; indentation shows parent/child depth)
- PID 3280: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 1776: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa9dd43cb8,0x7ffa9dd43cc8,0x7ffa9dd43cd8
  - PID 4128: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  - PID 3760: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1140: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  - PID 4256: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - PID 4956: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - PID 3704: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  - PID 2784: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  - PID 2304: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  - PID 1928: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  - PID 5088: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 124: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3912: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8
  - PID 3328: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  - PID 4040: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6080 /prefetch:8
  - PID 5056: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  - PID 5020: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  - PID 4508: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,13348274961938684565,130258922997257091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
    Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
- PID 4240: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 568: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3664: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 240: C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe
  Command line: "C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - PID 2884: C:\Program Files\Java\jre-1.8\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"
    Signatures: Drops startup file; Loads dropped DLL; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - PID 560: C:\Windows\SYSTEM32\reg.exe
      Command line: reg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
      Signatures: Checks BIOS information in registry; Modifies registry key
    - PID 2792: C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic diskdrive get model
      Signatures: Suspicious use of AdjustPrivilegeToken
    - PID 4240: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 956: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 4696: C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- Filesize: 152B
  MD5: e1544690d41d950f9c1358068301cfb5
  SHA1: ae3ff81363fcbe33c419e49cabef61fb6837bffa
  SHA256: 53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
  SHA512: 1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da
- Filesize: 152B
  MD5: 9314124f4f0ad9f845a0d7906fd8dfd8
  SHA1: 0d4f67fb1a11453551514f230941bdd7ef95693c
  SHA256: cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
  SHA512: 87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85
- Filesize: 193B
  MD5: 62fc8758c85fb0d08cd24eeddafeda2c
  SHA1: 320fc202790b0ca6f65ff67e9397440c7d97eb20
  SHA256: ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248
  SHA512: ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d
- Filesize: 5KB
  MD5: b4a2c7fcd49b700710817f5799b96c88
  SHA1: 0877ee9c218e44637910e06d6f5e3d40d5f3e9a1
  SHA256: 8904142d61d15415f253410d96e4a388e12bb9e2f091833de9aa946ce598e4c7
  SHA512: e75b5f98c675c518f12429dd1bb6570a974c3f9e801f8e75aa3f3c3c7341fee1f476058f2909ac12023b6ade14753f8475ddf503d7afe00a89d014d398e32a70
- Filesize: 6KB
  MD5: 19661f2a2900abd88a15924d1f461142
  SHA1: 776d4df2701b5d3ac20d3335e454097ad66093c6
  SHA256: c46fa13319ebfe42f6d33c5e88cac621180b7ae4efce542c2fc797c64a928c3f
  SHA512: 7e5d409cb65e40e84e57385bbf0a0560fe790a0ad9d2fcbbe5f648078d6e71463426b1ffc8a52234ada066963894e645616dfe1bf23f67765a8ecc19a2722030
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 3fa0649b0cbff05a79e7cd271be05e8e
  SHA1: 495a2a32f3d3811c6ff4c687f4c3e948861b8c6b
  SHA256: 09fe544b30deb90369a64e22b613e43cb5cc7fe8d1ff075a93d361ae35b12af2
  SHA512: 01952740a66a162b913839d19ccd66f49838ed34b067783a96fcc38025eaadb740b9134a925da7089efb31abb53e378604b76e69db841c0aff55c13e433b0397
- Filesize: 11KB
  MD5: 30508921c05740374b43218eb6871d0d
  SHA1: 921d88a53fb9e7c499492f5f7c39227fe3ed6e41
  SHA256: 0ede745d4ac3666adce3fc9891a44ece51ba4d7c2824ad150b50be361e3df0a4
  SHA512: 5de3f5e8011038129c87595732547ce86cd901af923c9ce7d7eb36e21a6dc7032112c37ba2e9840bfc6b19ab5288c7d2f70368c6e0fc7a90b988733f8106dbbe
- Filesize: 944B
  MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
  SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
  SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
  SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 248KB
  MD5: 719d6ba1946c25aa61ce82f90d77ffd5
  SHA1: 94d2191378cac5719daecc826fc116816284c406
  SHA256: 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
  SHA512: 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
- Filesize: 11.7MB
  MD5: 428ffde3328ba281229a03357c965547
  SHA1: 72c6432ca8b64ac848ed2e85deeeb5ad0caaea7a
  SHA256: 9c64fd58c0b9cace7bc05861965db2cb55017d24096eebb4d1569a3b556969d4
  SHA512: 1e0f5fb54d46a4bed2776fa7e7fbb44adb3267901fe99428947a32de8b914401084b080a913a6a1e20bfaf8d769df64c7d3d9ab039fdbd0aca9b5ec1ccb2822a
- Filesize: 8.7MB
  MD5: 506777f1d2016f6cbd053caa8d5a9bc7
  SHA1: c44d5eaf701a900982f51d0dfcb336c6eb507395
  SHA256: 582e5bb83b7cea2fb71a1b3bbefcf18d8dda8a719e31b4da14f886d2016c97bc
  SHA512: 6891eddd1218194378e762318fca8171465b2d663afae6c96a3092433c9bec911f87965dfa9ea932a0b32e31e8b7531328b89a4226ccbc98871e09367cfdb99d
- Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
- Filesize: 6.3MB
  MD5: 1ec1ed8bb2dcea1c3f9d9f7542dbe245
  SHA1: d65d7a2fa1895d748194f560c757113ce903f088
  SHA256: b48e4eab11480e04415e8f202a0efccbde9f3e841b19e9399e579b63f39b60c9
  SHA512: ebe51a8074b884d44963b7bf82ed6206d15fda297fcaf530f1811c211771732c451e2b02d623031129cd8a27d569d667b04cdcca9acdef519c9862c5e374f3b2
- Filesize: (not listed)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e