discordrat | 152b7fd3a13aa795e5595624ab38482b67054ac00fa4a44642584d6f87f53b56

Analysis

max time kernel
33s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
10/02/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Solara.exe
Size

2.8MB
MD5

81d5f68b29a52cc6b377efeda2dba50e
SHA1

6ed4ee24fe54795277c91b9b89caae9acc1aa7ac
SHA256

152b7fd3a13aa795e5595624ab38482b67054ac00fa4a44642584d6f87f53b56
SHA512

41cc179a805c5a8781b410e75fa4052c2a845b48a34441832acf9995e486323cb5fbd9d5af9410753a51e1efadf64c77e577b5e579fbfbee90ac64f3405acfb4
SSDEEP

49152:kDjlabwz9SxZCoaKzEtNv0pS5A2yP3t8YXQc7ZEtySwZ3bFwbWvmkBdz4iiDm738:0qwAGoaYELcEByP3S29WyHZ3bFGqRK

Score

10^/10

discordrat defense_evasion discovery execution persistence rat rootkit stealer themida trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxOTM1MTE1MDM2OTE4MTc4Ng.GhTORv.7TYxVVKGyzEoJDzqxZxw3WiemuXUrw_-lNIJk8
server_id
1313127388531523726

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
2496	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Executes dropped EXE 3 IoCs

pid	Process
1716	Bootstrapper_v2.19.exe
3444	Solara.exe
4008	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
3444	Solara.exe
3444	Solara.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x001900000002afae-129.dat	themida
behavioral1/memory/3444-143-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral1/memory/3444-146-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral1/memory/3444-147-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral1/memory/3444-148-0x0000000180000000-0x0000000181111000-memory.dmp	themida
behavioral1/memory/3444-181-0x0000000180000000-0x0000000181111000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
27	discord.com
29	discord.com
3	pastebin.com
5	discord.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3444	Solara.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3636	powershell.exe
3636	powershell.exe
2496	powershell.exe
2496	powershell.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe
3444	Solara.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
4448	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1716	Bootstrapper_v2.19.exe
Token: SeDebugPrivilege	3444	Solara.exe
Token: SeDebugPrivilege	4008	Client-built.exe
Token: SeShutdownPrivilege	4008	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1716	964	Solara.exe	84
PID 964 wrote to memory of 1716	964	Solara.exe	84
PID 1716 wrote to memory of 3636	1716	Bootstrapper_v2.19.exe	88
PID 1716 wrote to memory of 3636	1716	Bootstrapper_v2.19.exe	88
PID 1716 wrote to memory of 2496	1716	Bootstrapper_v2.19.exe	90
PID 1716 wrote to memory of 2496	1716	Bootstrapper_v2.19.exe	90
PID 1716 wrote to memory of 3444	1716	Bootstrapper_v2.19.exe	92
PID 1716 wrote to memory of 3444	1716	Bootstrapper_v2.19.exe	92
PID 964 wrote to memory of 4008	964	Solara.exe	93
PID 964 wrote to memory of 4008	964	Solara.exe	93
PID 3444 wrote to memory of 4448	3444	Solara.exe	94
PID 3444 wrote to memory of 4448	3444	Solara.exe	94
PID 4448 wrote to memory of 3456	4448	msedgewebview2.exe	95
PID 4448 wrote to memory of 3456	4448	msedgewebview2.exe	95
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96
PID 4448 wrote to memory of 4992	4448	msedgewebview2.exe	96

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bootstrapper_v2.19.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bootstrapper_v2.19.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Solara'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe" --bootstrapperPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --mojo-named-platform-channel-pipe=3444.2244.17350156013192078569
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x160,0x164,0x168,0x13c,0x170,0x7ff8144bb078,0x7ff8144bb084,0x7ff8144bb090
        5⤵
        
        PID:3456
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1660,i,13388719792314791021,16150061279075945758,262144 --variations-seed-version --mojo-platform-channel-handle=1636 /prefetch:2
        5⤵
        
        PID:4992
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --always-read-main-dll --field-trial-handle=1996,i,13388719792314791021,16150061279075945758,262144 --variations-seed-version --mojo-platform-channel-handle=2008 /prefetch:11
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --always-read-main-dll --field-trial-handle=1664,i,13388719792314791021,16150061279075945758,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:13
        5⤵
        
        PID:2744
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView" --webview-exe-name=Solara.exe --webview-exe-version=3.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3572,i,13388719792314791021,16150061279075945758,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
        5⤵
        
        PID:3120
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e107c88a6fc54cc3ceb4d85768374074

SHA1
a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

SHA256
8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

SHA512
b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

Download Submit
C:\ProgramData\Solara\Monaco\combined.html

Filesize
14KB

MD5
2a0506c7902018d7374b0ec4090c53c0

SHA1
26c6094af2043e1e8460023ac6b778ba84463f30

SHA256
cad1e2eef6e20e88699fac5ef31d495890df118e58c86fc442ea6337aac7a75a

SHA512
4a9856512e7866b8623565886e5f3aebf15c824cb127e24be9afa2a5501a83fa95d209875a8777566bcac9973b38881e18caf6ad160c8d01366a508cafc2164b

Download Submit
C:\ProgramData\Solara\Monaco\index.html

Filesize
14KB

MD5
610eb8cecd447fcf97c242720d32b6bd

SHA1
4b094388e0e5135e29c49ce42ff2aa099b7f2d43

SHA256
107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7

SHA512
cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331

Download Submit
C:\ProgramData\Solara\Monaco\vs\basic-languages\lua\lua.js

Filesize
5KB

MD5
8706d861294e09a1f2f7e63d19e5fcb7

SHA1
fa5f4bdc6c2f1728f65c41fb5c539211a24b6f23

SHA256
fc2d6fb52a524a56cd8ac53bfe4bad733f246e76dc73cbec4c61be32d282ac42

SHA512
1f9297eb4392db612630f824069afdc9d49259aba6361fb0b87372123ada067bc27d10d0623dc1eb7494da55c82840c5521f6fef74c1ada3b0fd801755234f1f

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.css

Filesize
171KB

MD5
6af9c0d237b31c1c91f7faa84b384bdf

SHA1
c349b06cad41c2997f5018a9b88baedd0ba1ea11

SHA256
fb2cbf2ee64286bc010a6c6fe6a81c6c292c145a2f584d0240c674f56e3015b0

SHA512
3bda519fed1cfa5352f463d3f91194122cf6bf7c3c7ab6927c8ca3eea159d35deb39328576e7cbd982cfdf1f101b2a46c3165221501b36919dbde6f1e94bf5ff

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.js

Filesize
2.0MB

MD5
9399a8eaa741d04b0ae6566a5ebb8106

SHA1
5646a9d35b773d784ad914417ed861c5cba45e31

SHA256
93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18

SHA512
d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8

Download Submit
C:\ProgramData\Solara\Monaco\vs\editor\editor.main.nls.js

Filesize
31KB

MD5
74dd2381ddbb5af80ce28aefed3068fc

SHA1
0996dc91842ab20387e08a46f3807a3f77958902

SHA256
fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48

SHA512
8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e

Download Submit
C:\ProgramData\Solara\Monaco\vs\loader.js

Filesize
27KB

MD5
8a3086f6c6298f986bda09080dd003b1

SHA1
8c7d41c586bfa015fb5cc50a2fdc547711b57c3c

SHA256
0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9

SHA512
9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
619KB

MD5
91f5d6abf1fc57cb3e6222f10c51bff1

SHA1
fd1183ba06cf793f12de674d8aa31bd8bfbe1172

SHA256
c48c486f8655d33b4b0d7fc169adf5cbc964c723161953ef5877e99e45833840

SHA512
4538dc6b1c0c21f09fcce5a496538c25cbbc88bd5bb484806fa9426753691df7d798882085be0bdf4ee542da793c04a0d45675265a6ced2f4ea61b691909597a

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
ac57fefae6a7504ad5eea7bb257a00a6

SHA1
3dd5e3638f989e497c486efb8113784718e6f754

SHA256
1bc5d4d5c2aee00c5606bcc6df9bf71457c03e78c9ab3bd31201db7183eb2ce7

SHA512
567c9c68429fe3d233e7b5be3e8b44c7164e6e78192d6c7b6e592edc2a5adb448e81d2682eb83ef961cbb327363ba1050292b7bde5b907760c43761fa2736426

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
b841b415456da273b5cb14247ad57060

SHA1
da3640fdc0fe1c48a9c755e248592115fa193046

SHA256
db7f67456c0ea31220ef61ebb573c7635f3f45753439110ce860e1aa04880596

SHA512
c1700e75e21563183a17d27ae47ba62bd4b01a5261644cc1f91aec39d59efdbac009e8e4d25240a2879abc4cd5a99382123699e37d3ce895d80f2631bd13566e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
1KB

MD5
6a8f9e3c8270eb87c19a1fbf8b132ecb

SHA1
2cd70c9d426c97fec3355d0741b331483fe1f371

SHA256
1bc3264ba40f6d2f14ee6df56f462eed048561e54ae1bf94b6752b732596b39d

SHA512
fc5545846bdb8f1cee0c73207a97e801d190298dbbd4a492c2fd9414bc8417e3ff88f195984a3c3b2302de1e6ebdddd1617e4fdbb452ebdc242a8cdfa1a2d8d8

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
2KB

MD5
61fd9a10633be6e906321d36540fe61c

SHA1
fef274566cec6efc21855fac2eecaf4410633372

SHA256
62b3975c4c995e4dfe23d90937aa21edf304c3d2a8bc018f3f2bf742eb71b864

SHA512
b79f52442faaf8ae9e6ad213e5af5d0688b56cc702109585b9e7bfb498aa1894fb7fc7c5d94e28ce893e3f3177919c51358fe2f28cd1bab053e04d580137c16d

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State

Filesize
3KB

MD5
add2d3112b5613b2d6003ec30ea76d61

SHA1
4cd3347d1cffcb720cd2e4e815a127542dd43132

SHA256
9a74b58425ddcc7b99bb33cc1189ad90bd05f8b7755558ca08b8b43140c92089

SHA512
bcbc3f4b9767ff82b92c54db08b505d8ba9ca2dc8d83ea487a168197b0988fd0193f05f579d6ba0621c1c48e6209127216a9cf54d506e8c728deff1d7aec8560

Download Submit
C:\ProgramData\Solara\Solara.exe.WebView2\EBWebView\Local State~RFe580f8b.TMP

Filesize
1KB

MD5
3bb8dca1adec324e9c9d0fedcd7bb185

SHA1
38f57a1b382ba1661cac182b7b70b0226fa66fde

SHA256
ea3e12bf5f2d854e0e15d18045f2036fd6d255564e0591c7e15bae0666d5375d

SHA512
62941aaa26b6b46f26b9f8e1a7bf276137f974207056c11551c958a52151fe5247fb441b6e2b9a5680dfb91b03995f4dfe020226328f23333626faabf67c0c3b

Download Submit
C:\ProgramData\Solara\SolaraV3.dll

Filesize
6.6MB

MD5
10d99a6d714e98f1e7989dda7052b837

SHA1
b2293ba8e3bb04b266c9d9cf50075d9c883067c0

SHA256
b70b77c0c0ff6d0ee35c06e4ea0166f1e5b0ca87c99d328ee4fd61544cf739fe

SHA512
bfe0866eac5f983163d3aa329a33856ad390c5a4c1533687e3e4f7bf9267e1a9e1af1e18caeca7c831e7e266a1c561262e15094ad82ddd78afe8c1a9e5e2fe40

Download Submit
C:\ProgramData\Solara\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bootstrapper_v2.19.exe

Filesize
2.9MB

MD5
e398a0557b44366c849b85fbe26a63e1

SHA1
d20b6b46fc572a435e4e5eb7f5dbd3e601725bac

SHA256
63466a7b4c4ca557cbb2e8b57c125db52fffb234fdbfa38f31eb61b040411e7d

SHA512
a4c0a608ea1f4a33bd39a5536dc4b2105598e3fa4a9ff9033b2279f885a7251684761e1f4ac7b1ba5226de2b0ca777fdc971f0a7f22e65f66f0a3b9c601291d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
26ef72c4414f2f546f91abe2bf3e5cd8

SHA1
7b992dd6744693c0f2257fc379c9ac3e3ef9b50e

SHA256
237f9d9f1a4fbe0c658e386194faeab399b8591e5b1ddb52f2e4ed51bbb9ae59

SHA512
178eb6f48b895b634aaf06fe1186b770dc25bd7bbba073aa3b5f74ed0e085d1ae4372a8aa00b37f5bfdf35aaaddaa53c8e850b7e2051bb2a7ff52467376343e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zexdt1jq.3q1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1716-20-0x000001ED564D0000-0x000001ED564DE000-memory.dmp

Filesize
56KB

Download
memory/1716-21-0x000001ED57110000-0x000001ED57210000-memory.dmp

Filesize
1024KB

Download
memory/1716-18-0x000001ED564B0000-0x000001ED564B8000-memory.dmp

Filesize
32KB

Download
memory/1716-57-0x000001ED7FF90000-0x000001ED7FF9A000-memory.dmp

Filesize
40KB

Download
memory/1716-17-0x000001ED38870000-0x000001ED38880000-memory.dmp

Filesize
64KB

Download
memory/1716-19-0x000001ED570D0000-0x000001ED57108000-memory.dmp

Filesize
224KB

Download
memory/1716-54-0x00007FF81F3C0000-0x00007FF81FE82000-memory.dmp

Filesize
10.8MB

Download
memory/1716-16-0x00007FF81F3C0000-0x00007FF81FE82000-memory.dmp

Filesize
10.8MB

Download
memory/1716-15-0x000001ED380A0000-0x000001ED38382000-memory.dmp

Filesize
2.9MB

Download
memory/1716-132-0x00007FF81F3C0000-0x00007FF81FE82000-memory.dmp

Filesize
10.8MB

Download
memory/1716-14-0x00007FF81F3C3000-0x00007FF81F3C5000-memory.dmp

Filesize
8KB

Download
memory/1716-53-0x000001ED145F0000-0x000001ED146A2000-memory.dmp

Filesize
712KB

Download
memory/1716-22-0x000001ED56A60000-0x000001ED56A6A000-memory.dmp

Filesize
40KB

Download
memory/1716-24-0x000001ED570C0000-0x000001ED570C8000-memory.dmp

Filesize
32KB

Download
memory/1716-26-0x000001ED56A80000-0x000001ED56A8A000-memory.dmp

Filesize
40KB

Download
memory/1716-25-0x000001ED57210000-0x000001ED57226000-memory.dmp

Filesize
88KB

Download
memory/1716-23-0x000001ED57090000-0x000001ED570B6000-memory.dmp

Filesize
152KB

Download
memory/1716-27-0x000001ED56A70000-0x000001ED56A7A000-memory.dmp

Filesize
40KB

Download
memory/1716-56-0x000001ED146B0000-0x000001ED146CE000-memory.dmp

Filesize
120KB

Download
memory/1716-28-0x000001ED57240000-0x000001ED57248000-memory.dmp

Filesize
32KB

Download
memory/1716-59-0x000001ED7FFF0000-0x000001ED80002000-memory.dmp

Filesize
72KB

Download
memory/1716-30-0x00007FF81F3C3000-0x00007FF81F3C5000-memory.dmp

Filesize
8KB

Download
memory/2496-52-0x000001FE7E660000-0x000001FE7E7AF000-memory.dmp

Filesize
1.3MB

Download
memory/3120-269-0x00007FF83F330000-0x00007FF83F331000-memory.dmp

Filesize
4KB

Download
memory/3444-126-0x00000170EA720000-0x00000170EA7B0000-memory.dmp

Filesize
576KB

Download
memory/3444-121-0x00000170E99B0000-0x00000170E99C0000-memory.dmp

Filesize
64KB

Download
memory/3444-181-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/3444-114-0x00000170E7AD0000-0x00000170E7B70000-memory.dmp

Filesize
640KB

Download
memory/3444-148-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/3444-147-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/3444-146-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/3444-180-0x00000170EA160000-0x00000170EA2AF000-memory.dmp

Filesize
1.3MB

Download
memory/3444-116-0x00000170EA7F0000-0x00000170EAD2C000-memory.dmp

Filesize
5.2MB

Download
memory/3444-117-0x00000170EA4A0000-0x00000170EA55A000-memory.dmp

Filesize
744KB

Download
memory/3444-119-0x00000170EA560000-0x00000170EA612000-memory.dmp

Filesize
712KB

Download
memory/3444-143-0x0000000180000000-0x0000000181111000-memory.dmp

Filesize
17.1MB

Download
memory/3636-41-0x00000211FF2F0000-0x00000211FF43F000-memory.dmp

Filesize
1.3MB

Download
memory/3636-39-0x00000211FF200000-0x00000211FF222000-memory.dmp

Filesize
136KB

Download
memory/4008-144-0x000001FE50CF0000-0x000001FE50D08000-memory.dmp

Filesize
96KB

Download
memory/4008-145-0x000001FE6B530000-0x000001FE6B6F2000-memory.dmp

Filesize
1.8MB

Download
memory/4008-149-0x000001FE6C6B0000-0x000001FE6CBD8000-memory.dmp

Filesize
5.2MB

Download
memory/4992-176-0x00007FF83F330000-0x00007FF83F331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads