hxxps://github[.]com/quivings/Solara/blob/main/Files/Solara[.]Dir[.]zip

Analysis

max time kernel
149s
max time network
155s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/quivings/Solara/blob/main/Files/Solara.Dir.zip

Score

9^/10

evasion themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2836-317-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-319-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-318-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-320-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-325-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-329-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-333-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-334-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-336-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/2836-338-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

33 raw.githubusercontent.com
34 raw.githubusercontent.com
48 raw.githubusercontent.com
49 raw.githubusercontent.com
52 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid process

2836 cd57e4c171d6e8f5ea8b8f824a6a7316.exe

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com
52	raw.githubusercontent.com

pid	process
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642686738619996"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

chrome.execd57e4c171d6e8f5ea8b8f824a6a7316.exechrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4140	chrome.exe
4140	chrome.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2836	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4152 chrome.exe
4152 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4152 wrote to memory of 2236	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 2236	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 656	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 5016	4152	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quivings/Solara/blob/main/Files/Solara.Dir.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffac85d9758,0x7ffac85d9768,0x7ffac85d9778
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:2
2⤵
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:1
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=880 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5220 --field-trial-handle=1904,i,4769805597213512008,12136127471457700966,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3864

C:\Users\Admin\Downloads\Solara.Dir\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\Downloads\Solara.Dir\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
761c70f778c19dbb03e6b4904dc12201

SHA1
7577a9e6a7f4a485883adff6c452bfe38cbe70d3

SHA256
7e856679acb8ad604f956fa11f8271c4f2db6f558be9a93312e1bb78aa975ff6

SHA512
0949046564564d25d3e46718ee6c367006af16b309953977aefbab544e0cae4723ed196f7ee2f643f183fb490b3eb40b56ebd93a18b136a98e7fe8ff9dae40c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e68f480b25cf83aa9468b101d35d2828

SHA1
cf338dc55850d026cf9058c6274780ff44944613

SHA256
36250303b08697089838bf0d9fc43a4c5748342a2e5b23477ed09f724efa876e

SHA512
f800a861bbb02538fab5d02d66caf10216549a0d1aa183b01aefc7f6b6f8c5e92a31ade1dd72f77bd99ed68fa932e090a1d5ef794ce77f6db724ec611d7b6659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8405cf6f3dabfee0592b1cb17dee1a0e

SHA1
38bfccfef72cf87a8ebc11d6310af00e6ddf1a65

SHA256
4faa91298c82bbdfde18b50e3911094200f072076f9901674d766eeb213e9453

SHA512
b7cd8d73dea4803f271263fe496add997f71b61c3fcd5b1f853db2c719cb9715f666e4491785ae59f68caa676e54a4c178662c75214c007ef0629b6b1c44d29e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
63d90cff66e3edc199321aee1d87a802

SHA1
a6a2e1e0ed7bd4e98b9ff7335a218d88650a0de5

SHA256
2feae76eb4dd7c8981e5c8579cb2391ff3a3be9948ab602f50b0eefa92b2b3d6

SHA512
e7966083e827028a3a60b36dab5f61369694511aa983a71d47b16bc663a434e6a77b488ab4c84d4cfefe5cf3c7fdd608cde8ca533cb416e54c01427992b46dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9c1d5ba314931b77d1b295e97d7ae3d2

SHA1
2126a627e65439fbc0aaebb5e617773c804c7c0c

SHA256
df001aa8f5987008702a6a13f2bff0eaf302cb629251080d22b79edad911c70b

SHA512
a2ae070260302e125b9aa0208b8897ea6c04edf06ac1752345b505b227587a0b6f369b21762193059efbb14cc4369805b716e2be99d9079345071f0911984049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
819fd8046dbefcffd97b57c916bb05d6

SHA1
0f49e3a8066398ca36461467397e55c388fa7d30

SHA256
cb0ca83c88d1329873559ee1246e37a19776e6d6ac6700c6fa45962f7a430d47

SHA512
aa0a1eab276e89870fcd98e60daba9881ebc3c429121fcf506db7333fbcea6c3067db1d6324c5485ad057a1ac5a25ebc4851bd28ce31999650ac8845d94f5286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
815224e618b778be49a096dfb484969d

SHA1
d68a972232f06db8972853e1e9d2946d1ff793a5

SHA256
724a2f7f0a76a696a8d7d8dcd41e0e5909c8237b0b8827f124150c2321af0bd7

SHA512
8d1ca8a4e49726b1985a0086bbe4e6ccf51ec7eb3f6a5187c4a4a0f389768e4d05c0b621eabf5e9c5ec413d8c03e79140f1db4dd1148c01a3247d0cd23cdfb96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
398f74b365d407bf6234188d0fa6a9ac

SHA1
ffbdc8cccdab2a602307780b3ed813fd316a4f9e

SHA256
1dde727680c69fd6a4105b281a7d5e9f1b1da5040a7c3d0d93aed84e79288197

SHA512
57b42c9250f56a786dc64878cbe8847954983ba77bb0b6f5692090bd5a99ecc4f652a3d34a0c7e28ebfbaf3717994f8dd9e63820ba9856e91b6e4b7cce54c212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
966acd1212e5678312f6c780b63d90ad

SHA1
5492d7d2d316456c908f47afa91463e49f13b6f0

SHA256
bd43ad40947e4c4eb4c2f5d13180585062f0208c2e501a383e5d2e83baa9082e

SHA512
15eaa2cbc05f612cf3f0921532c08b9d556e40054d924ce8cccecffed53a2bcf79aeedddac2d6d0eb83dbf2d94a9569918c89a26d6eefd5e8390ef560ccf61ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c1314317-7f33-4ea7-968f-f135bb8c6796\1
Filesize
8.1MB

MD5
1c0b51ad185778fa96bf9f821d78d5b5

SHA1
25683b47ae1f5a64e334bdd7449ffbe07d911cad

SHA256
e4c9a8ba20305f1caeba7ee9211d791bcf4b4667bd6a7ba04605546516aebdaf

SHA512
a2f9f3daa317cb6129a3dcca054094a6b481aaedeb9143aa5c9568dcfb695fbd36b497d36a0c875d6033f72171810bf01966f1fd9b139f74b3e7da512dd616c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
150KB

MD5
c686d952e5c4816853c1eb3c9b0f3089

SHA1
a4e8e5d4428fa950231b514fbbeaee402dd9ccf6

SHA256
ab00237ddaed2e8ebec8cec7d620d83364fe02da6f7e15d6e6b65e39faafbcd3

SHA512
74373ec2be3daee02138828db3cb398cd466dbc2aa6ff48c3aa0e4716f89ec72b8fe51ae7951d6349108e13e79b7aa34654a93258ee492a48c623941e01a3cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
150KB

MD5
f4945749ae53bcba82022c89e43fda74

SHA1
266f77f29ca51e0ca0dc3d289ad765b1b1868b54

SHA256
80b1e4c637ca638475124c9d7ac31fb54ad5dafc466826a548daf74f31d2ce3e

SHA512
e7a73f11e90ba3b1ba5b6fe487e7d7c653eaf3bd10ee338c54e9be7064c90baeca73d77def437b507264ad605156f088fd98a5c5cad837e93feb2328a7999c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
189KB

MD5
ce7d618c147ee62cbd1d30ea13ea97f3

SHA1
ad6647023049847c195e9f17a1ebe2b44eac26a7

SHA256
503269846ad00446a97e0ed9f52c35ce055314f75d8637ee7780f34558f0f1ba

SHA512
fa4f27586debc76d06ca995671689c31c62013c320143336c3bd5d8aebc0ad57d0870958b86eb8f19414c3741494b8827a32794af801bef441bd2405615fc652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
150KB

MD5
75c8ac314d7e29cd989409a000af5563

SHA1
bf66eba68d66c65a4cf37aababda8875eb42495a

SHA256
d04a5eb9abefba8bbd1ca5d404cd1835c8e15b62c0cc9b22325d9bb22cccb697

SHA512
d82f96482dfa49d6acc3f04fd9aa5cc69f9a5cb3dcaeaa5559612868a721d97ea6ee80f691a3d4b8ec6c345f245240270d78f03f412df57dc1246f4d2922f955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
109KB

MD5
7bdb9f44aedd1cdf7aa7607900c181d0

SHA1
12469575b9a99a78691f3d90d020c0c6425e17ec

SHA256
8908cfdd8f715f83a8b55b9f4099850710caa22473a34106e4d655516ffc04cc

SHA512
2194ee6c39415ceb2f9e741afd7424f67d11e11df933d8d9e82126f7a3c4d9d053c382fb3d103c8119b55d40bcee580f64dd7b93fd104d6353225c460ad7e5e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5882b8.TMP
Filesize
105KB

MD5
1e6f53fbb121ae1ed9184aa596b211b8

SHA1
93fd5341c898b12ed543e78675613ce01a6e82d3

SHA256
9492bbd8b159fa7196092cfd2b61c7134c1393a9899fcf9ccb8d9cff1dc86ed5

SHA512
23e9ff7de671e4c5e8e0b3028a8572d277d09dac58e8b66f72eeb7abb19c8b28cee37e035662a0e5ed0056e9ff0b018ba4fed9380dacd2b4b434d8a9a4c5ae09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Solara.Dir.zip.crdownload
Filesize
13.1MB

MD5
1c53ad627bad990dc76ae17efaf7be93

SHA1
3fd84183f5953106aaef6b0f5edd2f058b074e2c

SHA256
8691f4cbe985ff4ad3559e3d9183ffa5e706695533ffe775dbc70080aff420c3

SHA512
9b894d1d81a1e6773798f022c7021b86cd650c45fa019284038ff32b936eb4857f9dcb46fdb7c74890f895c642b6e49894e705f152b893c1caef396ece7818cc

Download Submit
\??\pipe\crashpad_4152_YHMPMTJGIPULBNTV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2836-311-0x00007FFAB6290000-0x00007FFAB6C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-322-0x0000018FCEE00000-0x0000018FCEE08000-memory.dmp

Filesize
32KB

Download
memory/2836-310-0x0000018FCA6E0000-0x0000018FCAC1C000-memory.dmp

Filesize
5.2MB

Download
memory/2836-308-0x00007FFAB6293000-0x00007FFAB6294000-memory.dmp

Filesize
4KB

Download
memory/2836-312-0x0000018FCA420000-0x0000018FCA4D8000-memory.dmp

Filesize
736KB

Download
memory/2836-313-0x0000018FCA4E0000-0x0000018FCA592000-memory.dmp

Filesize
712KB

Download
memory/2836-314-0x0000018FCA3D0000-0x0000018FCA3F2000-memory.dmp

Filesize
136KB

Download
memory/2836-315-0x0000018FCA3C0000-0x0000018FCA3CE000-memory.dmp

Filesize
56KB

Download
memory/2836-316-0x0000018FCAFA0000-0x0000018FCB01E000-memory.dmp

Filesize
504KB

Download
memory/2836-317-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-319-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-318-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-320-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-309-0x0000018FAF440000-0x0000018FAF45A000-memory.dmp

Filesize
104KB

Download
memory/2836-323-0x0000018FCF410000-0x0000018FCF448000-memory.dmp

Filesize
224KB

Download
memory/2836-324-0x0000018FCF630000-0x0000018FCF63E000-memory.dmp

Filesize
56KB

Download
memory/2836-326-0x00007FFACBD10000-0x00007FFACBD34000-memory.dmp

Filesize
144KB

Download
memory/2836-325-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-327-0x00007FFAB6293000-0x00007FFAB6294000-memory.dmp

Filesize
4KB

Download
memory/2836-328-0x00007FFAB6290000-0x00007FFAB6C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-329-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-333-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-334-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-336-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-338-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/2836-340-0x00007FFAB6290000-0x00007FFAB6C7C000-memory.dmp

Filesize
9.9MB

Download