8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
51s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-01-2025 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

9^/10

discovery evasion phishing themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	BootstrapperV2.12.exe
548	Solara.exe

Loads dropped DLL 2 IoCs

pid	Process
548	Solara.exe
548	Solara.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x001900000002ad0f-256.dat	themida
behavioral1/memory/548-259-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/548-261-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/548-260-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/548-262-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/548-475-0x0000000180000000-0x0000000181107000-memory.dmp	themida
behavioral1/memory/548-517-0x0000000180000000-0x0000000181107000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	discord.com
7	pastebin.com
13	discord.com
25	pastebin.com
37	pastebin.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
548	Solara.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3732	msedgewebview2.exe
772	msedgewebview2.exe
2752	msedgewebview2.exe
2248	msedgewebview2.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2332	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{DF9BAEF9-74A3-47A4-9954-2AE63DB25DFC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2808	BootstrapperV2.12.exe
1460	msedge.exe
1460	msedge.exe
3104	msedge.exe
3104	msedge.exe
4228	msedge.exe
4228	msedge.exe
2056	msedge.exe
2056	msedge.exe
3948	identity_helper.exe
3948	identity_helper.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
3176	msedgewebview2.exe
3176	msedgewebview2.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
2248	msedgewebview2.exe
2248	msedgewebview2.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe
548	Solara.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
4336	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeDebugPrivilege	4796	Bootstrapper.exe
Token: SeDebugPrivilege	2808	BootstrapperV2.12.exe
Token: SeDebugPrivilege	548	Solara.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
4336	msedgewebview2.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4524	4796	Bootstrapper.exe	78
PID 4796 wrote to memory of 4524	4796	Bootstrapper.exe	78
PID 4524 wrote to memory of 2332	4524	cmd.exe	80
PID 4524 wrote to memory of 2332	4524	cmd.exe	80
PID 4796 wrote to memory of 3316	4796	Bootstrapper.exe	81
PID 4796 wrote to memory of 3316	4796	Bootstrapper.exe	81
PID 3316 wrote to memory of 2756	3316	cmd.exe	83
PID 3316 wrote to memory of 2756	3316	cmd.exe	83
PID 4796 wrote to memory of 2808	4796	Bootstrapper.exe	85
PID 4796 wrote to memory of 2808	4796	Bootstrapper.exe	85
PID 2808 wrote to memory of 3104	2808	BootstrapperV2.12.exe	86
PID 2808 wrote to memory of 3104	2808	BootstrapperV2.12.exe	86
PID 3104 wrote to memory of 4540	3104	msedge.exe	87
PID 3104 wrote to memory of 4540	3104	msedge.exe	87
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 3684	3104	msedge.exe	88
PID 3104 wrote to memory of 1460	3104	msedge.exe	89
PID 3104 wrote to memory of 1460	3104	msedge.exe	89
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90
PID 3104 wrote to memory of 5116	3104	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2332
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/w9yACJan55
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb95353cb8,0x7ffb95353cc8,0x7ffb95353cd8
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
      4⤵
      PID:3684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:1864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      4⤵
      PID:4976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3876 /prefetch:8
      4⤵
      PID:3524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4552 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:1756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
      4⤵
      PID:3604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,2298798821039944114,14155749370511905849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3948
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=548.2416.14062142322554746326
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4336
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1a8,0x7ffb95353cb8,0x7ffb95353cc8,0x7ffb95353cd8
        5⤵
        
        PID:4592
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1916,15653941156641789737,5480963170822084925,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3732
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15653941156641789737,5480963170822084925,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2036 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3176
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,15653941156641789737,5480963170822084925,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2460 /prefetch:8
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1916,15653941156641789737,5480963170822084925,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2752
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,15653941156641789737,5480963170822084925,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=3884 /prefetch:8
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e107c88a6fc54cc3ceb4d85768374074

SHA1
a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

SHA256
8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

SHA512
b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

Download Submit
C:\ProgramData\Solara\Monaco\combined.html

Filesize
14KB

MD5
788024049100b3cef877ccaf46ea07dd

SHA1
665d44f7e84c6164d37d6dfffaf1c3183ab4caa4

SHA256
fd72c608b381b88370fcd4882235149a3f9093ae7aa9ae37cea4a14aff201599

SHA512
79b0512cb62c80868648ba9ed5a205127f941cc113dab0e6f2cc1c3101d6fe9e7ac6854b0c706ab49d3c448ed8eb4ebfdcb2caebb07eb1f9369331a6986a146d

Download Submit
C:\ProgramData\Solara\Monaco\index.html

Filesize
14KB

MD5
610eb8cecd447fcf97c242720d32b6bd

SHA1
4b094388e0e5135e29c49ce42ff2aa099b7f2d43

SHA256
107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7

SHA512
cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331

Download Submit
C:\ProgramData\Solara\Monaco\vs\basic-languages\lua\lua.js

Filesize
5KB

MD5
8706d861294e09a1f2f7e63d19e5fcb7

SHA1
fa5f4bdc6c2f1728f65c41fb5c539211a24b6f23

SHA256
fc2d6fb52a524a56cd8ac53bfe4bad733f246e76dc73cbec4c61be32d282ac42

SHA512
1f9297eb4392db612630f824069afdc9d49259aba6361fb0b87372123ada067bc27d10d0623dc1eb7494da55c82840c5521f6fef74c1ada3b0fd801755234f1f

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.css

Filesize
171KB

MD5
6af9c0d237b31c1c91f7faa84b384bdf

SHA1
c349b06cad41c2997f5018a9b88baedd0ba1ea11

SHA256
fb2cbf2ee64286bc010a6c6fe6a81c6c292c145a2f584d0240c674f56e3015b0

SHA512
3bda519fed1cfa5352f463d3f91194122cf6bf7c3c7ab6927c8ca3eea159d35deb39328576e7cbd982cfdf1f101b2a46c3165221501b36919dbde6f1e94bf5ff

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.js

Filesize
2.0MB

MD5
9399a8eaa741d04b0ae6566a5ebb8106

SHA1
5646a9d35b773d784ad914417ed861c5cba45e31

SHA256
93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18

SHA512
d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.nls.js

Filesize
31KB

MD5
74dd2381ddbb5af80ce28aefed3068fc

SHA1
0996dc91842ab20387e08a46f3807a3f77958902

SHA256
fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48

SHA512
8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e

Download Submit
C:\ProgramData\Solara\Monaco\vs\loader.js

Filesize
27KB

MD5
8a3086f6c6298f986bda09080dd003b1

SHA1
8c7d41c586bfa015fb5cc50a2fdc547711b57c3c

SHA256
0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9

SHA512
9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
613KB

MD5
efa26a96b7af259f6682bc888a8b6a14

SHA1
9800a30228504c30e7d8aea873ded6a7d7d133bb

SHA256
18f4dca864799d7cd00a26ae9fb7eccf5c7cf3883c51a5d0744fd92a60ca1953

SHA512
7ca4539ab544aee162c7d74ac94b290b409944dd746286e35c8a2712db045d255b9907d1ebea6377d1406ddd87f118666121d0ec1abe0e9415de1bba6799f76e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
0eea61232174f03f83fb244a792ed511

SHA1
c60fea263e3c45c292c4e151b80ab401ac42e819

SHA256
6a79867ee00e1086af7ff516bd4ceb71519713f3f694299241a3cb04689a36b4

SHA512
53c1c1ee7891ba7518753afe4ac1f2e897d7497f410ea3d2f704227f4bfa1f5cd3cc3c04372900110950e293d7a79fb4890dea94a6335e434b54e0ad772933ef

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
66dafa462c21826dc7292ded4e25bab5

SHA1
12bd0b5ade529d4c155c309ffc7875d507e9bd0d

SHA256
9e5e2b034d8abec322f7e05467864f23234ab0b5608d090211ea9b1404e43bb8

SHA512
9522e8f26741821c732079f18ed6c03247d04c1ee768ed52ef375c7e2d9b683dd3c126d698aa8a52aa3f6b317e332b0f43ae77003f34e39a1a7b94b966963b86

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\ProgramData\Solara\SolaraV3.dll

Filesize
6.6MB

MD5
5ddea7243d5fc4cad4fea7345b5786a6

SHA1
e1305c340bb224403c79829b1dfcfca8131ce3b8

SHA256
68c9d0c6040d0f8b7ecfcd53b4732603336dc5e90d62c3b2c8318a3323bda332

SHA512
9920609f8b8976244285cdce236e26f26af62587e8ebd77e9b95edd508e0fa6e7abeafdf98ab08bf46c24b2acab9dfdef6cd61c85457c9c33b1451bad0f6dff5

Download Submit
C:\ProgramData\Solara\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
68304138c250a82eb44329bdb5aa18b3

SHA1
680a7797921f02a693f052db04e74297d4653382

SHA256
a62001209234a829b38ff0e44b1490db4e9e752f92f58a32507954e0625e0a3b

SHA512
b9d918b7f8ed82800379d3384c68d5c4dfb57f5bc4945c2fd2f6e830c1a5fff9977f937e578289fbbcabe44b56c1b0d1388a70654d8325840700a2564c71fa56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
dbce74c530d55eed6b30bdfed097214c

SHA1
822f4e1663381c7e482fe0634ac8132a0be73fba

SHA256
7b96a372adcbc4c963385af40265517f6a7d2c2189f935ff965ecd9042a66fe7

SHA512
e21f0c06240831a7d27d6018ce1bfb62e08fc157c5c760a1158bb95ba1c447f2c6eb21dfe69acb726d24d505538e7b7daa2b1267995404c01a325f34d9ea098a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03ab3f7c94747db9fdd2f51ef199817f

SHA1
11a4dc76544177a7dceec44e0111e953c7c5549b

SHA256
fa29f6c2d734a2906f818893a0e5fbde065f6490498cc9d01d77ea46570743b8

SHA512
ff3a8c50dc2613f335fe993b2ce6a305ffc27e9a2fcb80fff8c9efc98642c3b1d0db7636dc20cfcbe603f43c7707cc4a9757e1688eefb8ad4336c45993da3a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d72b2255da067a822ec1704c636f5522

SHA1
132005cb603893ed1d6dc076dff89e71fd88e865

SHA256
661f9b28f546480c67e64d4d53c2cec8cc81e02d3b3f6a4aafc3d33dd624591a

SHA512
c9297864e7bd9edb2ed4049d3ac73ef021e02856d849b97c1bfac38bfac225b60ee17ac54d03696a2b3d007709f96e99c3de959d0ea2d6094aa8006052ca7aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f1b81f1512e7ae657441944a0d7c0369

SHA1
7bc583330f28a4bd61574989741a148c98ffe010

SHA256
f8e03fa8acab52b88641a7dc552ea865f0385f8e253a435dbe9e034d409c1022

SHA512
6a3af4b45cc2821a486555539dcaf6baa81916900e1ffc4ae1a7af4ffbb9d7810904a43d3249b7e38a12163b6656e06bb445cb8297358147663f9caab96e546b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18da2d14bb1167bde29a851787cdcf28

SHA1
0077be0630c360624cd9b6d05c01a1b085b584c3

SHA256
fb57ccca5c9ef3f90f6f85c96716552523828712fe728ca3c834818186a766a7

SHA512
101c1ffa8de0b9df7f283be2af5fa6bfb1137fcba28a391fdad308161c6327ced24da1f9a5d218b1435127ab71742f478f20d6c29d68127a555a10495561dc38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24298bdd118c8004558320dfb1c75147

SHA1
d32b1501d23db7003af00c413cd44506909f228e

SHA256
7a63761258068bf00c86e5e868b7f795b9c9dc9ac11f39511f56323e52ff93e9

SHA512
e7d58a6871d24610bda35d02aae6ca765f2b372ea6a4b3bcde4c34e10db79fbe91055197d119bbbcff2199e35f38b90ee1ab8992452ad8890c5ff79d46dbae8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe

Filesize
2.9MB

MD5
a36750fe814c6cd0a94312ebaf85e07e

SHA1
9382378c4831247b2efc387581dc909c6352571f

SHA256
933acdb61d5d05bb55cd56957312b677719ac237a2daae0f1daf9d70dc68f2de

SHA512
d028e93cfe594c557e74376854916c33ad0614db1fa1efdf4a4477ff246ccb791510192c35296d5a32b81b376e9ee94ec5f5c0109f04f0320ed788ceda092f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD

Filesize
29B

MD5
b86aef3d31fdcc68c0138b25a632f939

SHA1
5f2a826056fadf32b85a9f2f0d960c2bf4ee99eb

SHA256
9bed077bb37dd2f770ed6f960f9e1a22054174fb14ba1aa49cb13cf3008a8486

SHA512
dd6262a375d7195289bbe3f78163d8a1ec2b8db8d4eaee8e3434c3c686a2a38e9bec4fc0fc406aa1915e04475e0ca041b0bfcdd033f08829f1893d6fd0d06e19

Download Submit
memory/548-243-0x0000024344D70000-0x00000243452AC000-memory.dmp

Filesize
5.2MB

Download
memory/548-259-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/548-517-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/548-246-0x0000024344AA0000-0x0000024344B52000-memory.dmp

Filesize
712KB

Download
memory/548-241-0x00000243292F0000-0x000002432938C000-memory.dmp

Filesize
624KB

Download
memory/548-248-0x00000243438A0000-0x00000243438B0000-memory.dmp

Filesize
64KB

Download
memory/548-475-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/548-244-0x00000243449E0000-0x0000024344A9A000-memory.dmp

Filesize
744KB

Download
memory/548-262-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/548-253-0x0000024344C60000-0x0000024344CF0000-memory.dmp

Filesize
576KB

Download
memory/548-260-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/548-261-0x0000000180000000-0x0000000181107000-memory.dmp

Filesize
17.0MB

Download
memory/2808-30-0x000001DB35B70000-0x000001DB35B7A000-memory.dmp

Filesize
40KB

Download
memory/2808-24-0x000001DB35320000-0x000001DB3532A000-memory.dmp

Filesize
40KB

Download
memory/2808-172-0x000001DB7CD80000-0x000001DB7CE32000-memory.dmp

Filesize
712KB

Download
memory/2808-175-0x000001DB72AA0000-0x000001DB72ABE000-memory.dmp

Filesize
120KB

Download
memory/2808-32-0x000001DB35B30000-0x000001DB35B3A000-memory.dmp

Filesize
40KB

Download
memory/2808-177-0x000001DB72AD0000-0x000001DB72ADA000-memory.dmp

Filesize
40KB

Download
memory/2808-29-0x000001DB35B90000-0x000001DB35BA6000-memory.dmp

Filesize
88KB

Download
memory/2808-28-0x000001DB35B80000-0x000001DB35B88000-memory.dmp

Filesize
32KB

Download
memory/2808-27-0x000001DB35B40000-0x000001DB35B66000-memory.dmp

Filesize
152KB

Download
memory/2808-17-0x000001DB15B00000-0x000001DB15DE0000-memory.dmp

Filesize
2.9MB

Download
memory/2808-23-0x000001DB359C0000-0x000001DB35AC0000-memory.dmp

Filesize
1024KB

Download
memory/2808-33-0x000001DB35BC0000-0x000001DB35BC8000-memory.dmp

Filesize
32KB

Download
memory/2808-22-0x000001DB35300000-0x000001DB3530E000-memory.dmp

Filesize
56KB

Download
memory/2808-21-0x000001DB35330000-0x000001DB35368000-memory.dmp

Filesize
224KB

Download
memory/2808-20-0x000001DB352B0000-0x000001DB352B8000-memory.dmp

Filesize
32KB

Download
memory/2808-19-0x000001DB162D0000-0x000001DB162E0000-memory.dmp

Filesize
64KB

Download
memory/2808-187-0x000001DB72B40000-0x000001DB72B52000-memory.dmp

Filesize
72KB

Download
memory/3732-388-0x00007FFBA8240000-0x00007FFBA8241000-memory.dmp

Filesize
4KB

Download
memory/4796-4-0x000001E9ED850000-0x000001E9ED872000-memory.dmp

Filesize
136KB

Download
memory/4796-2-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-18-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-1-0x000001E9D1B60000-0x000001E9D1C2E000-memory.dmp

Filesize
824KB

Download
memory/4796-0-0x00007FFB882F3000-0x00007FFB882F5000-memory.dmp

Filesize
8KB

Download