Malware analysis /quivings/Solara/raw/main/Files/Solara.Dir.zip Malicious activity

Add for printing

download:	/quivings/Solara/raw/main/Files/Solara.Dir.zip
Full analysis:	https://app.any.run/tasks/4eee18d1-78cc-4a16-9eae-7cdaf0991579
Verdict:	Malicious activity
Analysis date:	July 25, 2024, 08:42:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github themida
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	9BD9AA90323438A6CBADE4596D16C5AA
SHA1:	AF3E64847DB76B914B7037EE6B14CD1F989F9706
SHA256:	DEAC87399F24746CAE8CB22ED13B0BF87B505D7F47FE298C04AC7E780A670BE5
SSDEEP:	98304:7LslEynX9VIYkSSKXYYaJKvyZYBkpdCBLTrEwUlf/scQsGzrNySepwxnPK0qyZ/q:L2LC+6MJh3UPB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 4052)
- Reads security settings of Internet Explorer
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
- Reads the BIOS version
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
- Executes application which crashes
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
INFO
- Manual execution by a user
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 4052)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4052)
- Dropped object may contain TOR URL's
  - WinRAR.exe (PID: 4052)
- Reads the machine GUID from the registry
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Reads the computer name
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Checks supported languages
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Reads Environment values
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Disables trace logs
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Checks proxy server information
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - slui.exe (PID: 4028)
  - WerFault.exe (PID: 5740)
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 3008)
- Reads the software policy settings
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
  - slui.exe (PID: 4028)
  - WerFault.exe (PID: 5740)
- Create files in a temporary directory
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
- Themida protector has been detected
  - cd57e4c171d6e8f5ea8b8f824a6a7316.exe (PID: 6636)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 5740)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:07:22 15:57:44
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Solara.Dir/bin/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3008

"C:\Users\admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

C:\Users\admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

WpfApp1

Exit code:

3762504530

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\solara.dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4028

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4052

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Solara.Dir.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4584

C:\WINDOWS\system32\WerFault.exe -u -p 6636 -s 2596

C:\Windows\System32\WerFault.exe

—

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

2147942405

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

5200

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

5740

C:\WINDOWS\system32\WerFault.exe -u -p 3008 -s 1812

C:\Windows\System32\WerFault.exe

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

6636

"C:\Users\admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

C:\Users\admin\Desktop\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

WpfApp1

Exit code:

3762504530

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\solara.dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

9 788

Read events

9 766

Write events

Delete events

Modification events


(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Solara.Dir.zip
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6636) cd57e4c171d6e8f5ea8b8f824a6a7316.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cd57e4c171d6e8f5ea8b8f824a6a7316_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6636) cd57e4c171d6e8f5ea8b8f824a6a7316.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cd57e4c171d6e8f5ea8b8f824a6a7316_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

170

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe		executable
		MD5:D84E7F79F4F0D7074802D2D6E6F3579E	SHA256:DCFC2B4FA3185DF415855EC54395D9C36612F68100D046D8C69659DA01F7D227
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll		executable
		MD5:A9F04DA45768D32D110BCC28E8EEC17B	SHA256:0FE02773D86518849BBC8EC1964F642B2B5C75249056C8600E43815E39FB18D5
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\libcurl.dll		executable
		MD5:E31F5136D91BAD0FCBCE053AAC798A30	SHA256:EE94E2201870536522047E6D7FE7B903A63CD2E13E20C8FFFC86D0E95361E671
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll		executable
		MD5:4CF94FFA50FD9BDC0BB93CCEAEDE0629	SHA256:50B2E46C99076F6FA9C33E0A98F0FE3A2809A7C647BB509066E58F4C7685D7E6
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\Microsoft.Web.WebView2.Core.dll		executable
		MD5:851FEE9A41856B588847CF8272645F58	SHA256:5E7FAEE6B8230CA3B97CE9542B914DB3ABBBD1CB14FD95A39497AAAD4C1094CA
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\Monaco\fileaccess\index.js		text
		MD5:E462FB7561F6C9BCCB24E62BB93889D2	SHA256:FF3FC42D5F912950D1095C43C8EDB8A3BE63C8EEE9DB5CA5D39D5668F68F7B41
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\bin\version.txt		text
		MD5:73CDF608D1EE898D0B5EF68F1869A851	SHA256:853A9A75B07E44C4A4117630D67A4C1EB7CED7B45C72BB6C13CAF2CA2AB338ED
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll		executable
		MD5:34EC990ED346EC6A4F14841B12280C20	SHA256:1E987B22CD011E4396A0805C73539586B67DF172DF75E3DDED16A77D31850409
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\Monaco\fileaccess\node_modules\bytes\index.js		binary
		MD5:83CF8FE86424252C5A9A3E2FE90DBD57	SHA256:893FCBBBE962DC00E40DC2E4B20E76E92D874DD257345003C6575D940E91A37F
4052	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.28464\Solara.Dir\Monaco\fileaccess\node_modules\accepts\index.js		binary
		MD5:4FE4D2C90A2FD19D6E97443A7D24F815	SHA256:BE2DECBD50610E8F995C1E312EE4DD6D7C1244CFDF03EE4C4A3DA68E572DADA1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5664	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
760	lsass.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	—	—	whitelisted
7164	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6012	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6132	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3108	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4204	svchost.exe	4.209.32.198:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
3108	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6636	cd57e4c171d6e8f5ea8b8f824a6a7316.exe	128.116.44.4:443	clientsettings.roblox.com	ROBLOX-PRODUCTION	US	malicious
6636	cd57e4c171d6e8f5ea8b8f824a6a7316.exe	185.199.109.133:443	raw.githubusercontent.com	FASTLY	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.184.206	whitelisted
clientsettings.roblox.com	128.116.44.4	whitelisted
raw.githubusercontent.com	185.199.109.133 185.199.108.133 185.199.110.133 185.199.111.133	shared
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
www.bing.com	92.123.104.42 92.123.104.50 92.123.104.46 92.123.104.44 92.123.104.47 92.123.104.39 92.123.104.40 92.123.104.43 92.123.104.45	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.0 20.190.159.71 20.190.159.73 20.190.159.23 20.190.159.2 20.190.159.68 40.126.31.73 20.190.159.75	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
arc.msn.com	20.199.58.43	whitelisted

Threats

PID	Process	Class	Message
2284	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Add for printing

No debug info

General Info

/quivings/Solara/raw/main/Files/Solara.Dir.zip

9BD9AA90323438A6CBADE4596D16C5AA

AF3E64847DB76B914B7037EE6B14CD1F989F9706

DEAC87399F24746CAE8CB22ED13B0BF87B505D7F47FE298C04AC7E780A670BE5

98304:7LslEynX9VIYkSSKXYYaJKvyZYBkpdCBLTrEwUlf/scQsGzrNySepwxnPK0qyZ/q:L2LC+6MJh3UPB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the BIOS version

Executes application which crashes

INFO

Manual execution by a user

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Dropped object may contain TOR URL's

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Reads Environment values

Disables trace logs

Checks proxy server information

Reads the software policy settings

Create files in a temporary directory

Themida protector has been detected

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings