lumma | 001a8f9939e4f664c56ca5fa424e3a94875eb537077a6004f62bcaef7a3d33b9

Analysis

max time kernel
89s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solara-github-v3
Size

249KB
MD5

daadf00c9fd279edae7aee4e9a794674
SHA1

e2cbda2edd5e73f9329758309bc727712c972554
SHA256

001a8f9939e4f664c56ca5fa424e3a94875eb537077a6004f62bcaef7a3d33b9
SHA512

ffe021091373d37312ffc5371540598651f1445914116b10f87f7d691320ff7a95c89ae0502d4f54aa446c80729900c6645557786f67d1ece68ada44b69c837a
SSDEEP

6144:n1s4+pOL/saqkPV9FemLtcsDSsmwL9gvZJT3CqbMrhryf65NRPaCieMjAkvCJv1a:1s4+pOL/saqkPV9FemLtcsDSsmwL9gvt

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

Extracted

Family

lumma

https://cook-rain.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
110	raw.githubusercontent.com
111	raw.githubusercontent.com
112	raw.githubusercontent.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

Solara.exeSolara.exeSolara.exeSolara.exeSolara.exeSolara.exe

description	pid	Process	procid_target
PID 3608 set thread context of 3168	3608	Solara.exe	113
PID 1512 set thread context of 1540	1512	Solara.exe	117
PID 3744 set thread context of 1916	3744	Solara.exe	120
PID 3452 set thread context of 2252	3452	Solara.exe	129
PID 4336 set thread context of 1368	4336	Solara.exe	130
PID 3212 set thread context of 4292	3212	Solara.exe	132

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Solara.exeSolara.exeSolara.exeSolara.exeSolara.exeSolara.exeSolara.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771087294708523"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
768	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid	Process
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
3412	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid	Process
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	Process
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

OpenWith.exe

pid	Process
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe
3412	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2848 wrote to memory of 2668	2848	chrome.exe	93
PID 2848 wrote to memory of 2668	2848	chrome.exe	93
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 2812	2848	chrome.exe	94
PID 2848 wrote to memory of 5068	2848	chrome.exe	95
PID 2848 wrote to memory of 5068	2848	chrome.exe	95
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96
PID 2848 wrote to memory of 3632	2848	chrome.exe	96

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\solara-github-v3
1⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee870cc40,0x7ffee870cc4c,0x7ffee870cc58
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5000,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3448,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3412,i,11708090286468437753,15125573261028527271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:1400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1044

C:\Users\Admin\Downloads\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3608
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  PID:4104
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3168

C:\Users\Admin\Downloads\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1512
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  PID:2332
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540

C:\Users\Admin\Downloads\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3744
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Solara\config.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:768

C:\Users\Admin\Downloads\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3452
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252

C:\Users\Admin\Downloads\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4336
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368

C:\Users\Admin\Downloads\Solara\Solara.exe
"C:\Users\Admin\Downloads\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3212
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  PID:4412
- C:\Users\Admin\Downloads\Solara\Solara.exe
  "C:\Users\Admin\Downloads\Solara\Solara.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e01c9809d2d2a7675ee47831f5ff30ed

SHA1
8e7d5943c2ef7b8e32dec6365f13f66a46e4dbf3

SHA256
1014b1a7ffcf79153fe910988e8d8ded95c8f9db866360f24c7ab770595b41cc

SHA512
dc473729f8c3413d376f67a4d7a635013a02e07030950ceeeebe1be302133ced89923158f5302ae8ddf073a83287bb8310651834e9a53a08b960381987c7e021

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
52989665eb514fc0cc437b0a5cf8ba06

SHA1
e4c97fbf54ad7d906e7d89e36911558b9cc6337b

SHA256
4d2a90750d1f948206322a5d566a1ad50fa4048d0f35430a7eef604dd0316d4f

SHA512
ada944b30ab780fed3cbefc7106d8e9f30e4998f4f390bc02be05f04ac3ba79a94d46176c72ce828c8a8ad9a37aaf4199558d9e7ba8d68496495ebfc48a9f2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
3c60213cfca9f5e23632691699193039

SHA1
e2c1274c7d4eb86d867524f743904b9455cf34eb

SHA256
b9e4ae6876cf4fa025043f368cb545aaa5025f63f5cbbd3675138031d9c9bd19

SHA512
ffbd6b1dcaa031bdd9b831eaee38f3094f8a91feb2cbabeaad271f68f233aedf1ad0d96b22929c7ba2832b1917f64a728c396e430301b2ce40eafaa3e4036fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5ca64ee4a5a2cafa02d485cda7c31bb3

SHA1
6f5272d54966076eb076e5fb1a8237fc83e67270

SHA256
190a7f7d586c5013ae1d45d316a9f80518fa0df1fdba33cc3eb7804b766b6370

SHA512
272ab15bec206540223e25632e4b200568fe9085ac478aec1eff2f787333439dc63853331738885de1b1d23605a62d20bf7dd5ea78a0ff68408949cfa8d27e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0eb7f0fa5af1e5802c697c17f84d3fdd

SHA1
b752ee2004d512833e794ca4ff0a888fd50614d9

SHA256
36c1dd89271ec3a7337aeb9c84664b1e50abc39d12c3602b431104ecf4e76c90

SHA512
8cab6c3aa0e94acf5905437e46a5e0898697222013aa0df1635af2d235a83fb935ebece8e6e9554f036896b471607f0c5f8b51f342bf4336a233570b60fab899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
58b8bd82db0c722b5e96a117365da995

SHA1
89a469c0deec5b2ddc2e98deeff89a61efd263d5

SHA256
be6b5076429021bdbf5bf582388822d0941d2408685c30742ce02a4d1a59feed

SHA512
6bf8f311cdbc14a7d71d4a4a6c2bf700224e3b387830a125708e14f0c4f5cd9414d5205e2beafe7257f2090f1eeb9b7b91851aa8985ecf81ba616c609936c479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
996a46e7701351c935c56de84af135f0

SHA1
7a6be5eb7776e686f9dc89d472f60765285e1fd8

SHA256
f1bd628945557d10844589cbf9301df29f905ad5a0226bc4992c36a4f23b5b79

SHA512
92163cadb34f7ed534b9c0b252891ca31e5a39e9d07cf89a636ad6dc581cdf5271d20f730124f9c97fc8595c96e5963abac837744c8cc6c2e4f8fed467de1365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e08a951daf26f6aa7d5201b90a0b48fc

SHA1
c836bbf1e35d2da3288be750d72e2e2955358c46

SHA256
d80ef2fa2e97cabce62b05395776b0ec08b2d6d1545376d96387ce928a3bafaf

SHA512
1d8a08c1b10df5e44624946f33dae28dca0298a20201ec210096e6a1ddceefaf4d1d34586b39fd9c23a032d37c54a40931167d6eadc730731d8bcba2cbc16f44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2346d9889fc7d157c32da21e8a9a1479

SHA1
5387ad1425fdaae6e6d2e38bb90476105ae5093e

SHA256
af188c91b971b6e9c9cd92467ef4a0cf58d8c5826f7ea1b7964bfea7130e1e71

SHA512
62d1ce4711a5beaf11117433775e62c8fd2498abaa6fb454bbfb3764a141ba464c9ea951da7b43a0cdb8496d5ecc189274041d0b4291cee793650ba8e9bf73c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d752148b216a332c362db5db854813c3

SHA1
ca68a5a32e2257c221f2229c11d7908e3fe4a351

SHA256
90bf1f23a6e6350a0313b812168533399ff29415253212acec30cef27422a72d

SHA512
fd1f6d897eba28203bd321d2428d6763fbca27a016efa899ed6d73b6ff21cd4381f1a6b4d1e747895572ee45424c9696836cc11eb5d102a768b7d781d83618f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4982cf4b196da23cf43f0b7ec7db9ab

SHA1
fcc4df96fc7cdab8ccfd58a2cde7d826847d5952

SHA256
3772e9bdce7da703f410c014457eb82b998bdd32e81e7798c33373f7fc22ac9e

SHA512
06fffd879e85dbe02f8cbbc1c7416011e65a6ec94f97c756d6795eb7789fa46ed5c341e7a19b5e4fade67e29e5c29d709fe0b5e8b3e681366cb4228cabf07c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bc6b97ae4d3a27412bb03b67e889fe32

SHA1
a1ec34c15d6e3000d83132e7832f16e302a9ac43

SHA256
d46522f8d9f4d027a8738b04fe521fd632d6229181a1081412bbe07f7eb9b2af

SHA512
65d1ec52ef16b080d84c109e98e3be2a3250113b3f49e2c3826cc5cecbca560537b4e818e49656623c4c212fa2c744c8dfacf68700f1d148ccfce0d92fa4ad1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
772cf98a1379bd88b0c9cd921cfd128f

SHA1
4064367e0e7edba129609721fbbffed37d2fc0f0

SHA256
475d2d4c430ea545b53152e3f1bd40e300c367793c1d674796667173f56d4266

SHA512
2a68dfa7da6fa534acb442b0ebb9a145fa7cb7f35946c8d2a78393725f81342df94880a9bcda93a81e793003e3ea69edda289e1f1746e5335c52196a93badf5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9698db1f98a6e459d21e4f65b9c61bb8

SHA1
b11b9242bb7c6bdc86042119b8513022f657ed42

SHA256
e45d51cfe984475a48f6472b04f76ecb409c7f1ddb362f60838b1c2da9685b27

SHA512
3f86189ee27f8d87d0c78d6527278e512d01f6addd79d080da313033adba1c497d3104d8583d22275ccc87371ffa73c3fc7e63127ff3ecd04ef98e3fadf72dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
908d6eb9524ce9a0c05ba8d31ce6bf95

SHA1
99ec252bc15038aa69f3f0af7620024d18e6a868

SHA256
7af9c9197bb4fa814cb0db079f7cd683b9549d064bfe276bb89efd975a4afeee

SHA512
14181e5dede05c5e8f44a4faf82af33eb78846be30e21b30623a61936f7a8f91c08ad34f8462377fc3787a3f583adefcd26112ec600e32e8aec632b4bfc373e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
1d36eb66d8b71e6948184460a3907d81

SHA1
6798ec040d045f892de964fba271a4bd1cf0afad

SHA256
a564765d1ac8a0822fc3e46c3351121525980c32358b9c151953db3c9a56d9e1

SHA512
26db0fe2d9c78f1b6e59ad1c3aa7e76194b380aade0b9b1289d154a36351ed66004c99605318fd447a0f2a747c073bf9934646248452a0ad82e826a6087bcc3e

Download Submit
C:\Users\Admin\Downloads\Solara.zip

Filesize
454KB

MD5
cb6771f36dd1a5776569dbea5572b93c

SHA1
0258a254242f5577d73b69ded766b04266529380

SHA256
e7ba04202e9400812b5d834834ce9f6101740bd667951110c5e308371972aacc

SHA512
5a9012a7a647cb6bb26f443f2ed3b6075b87b642cde663feb8dad8c7355ad4bca76ce568fedc04eafb845b4917d4b83f5402b188212df11736ba749c95e3c67f

Download Submit
\??\pipe\crashpad_2848_NJMIZQUTINWCEFGD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1512-416-0x0000000000EB0000-0x0000000000F42000-memory.dmp

Filesize
584KB

Download
memory/1512-419-0x0000000000EB0000-0x0000000000F42000-memory.dmp

Filesize
584KB

Download
memory/3168-403-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3168-405-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3168-406-0x0000000000EB0000-0x0000000000F42000-memory.dmp

Filesize
584KB

Download
memory/3608-402-0x0000000000EED000-0x0000000000EEE000-memory.dmp

Filesize
4KB

Download