Malware analysis Solara 3.07 (1).zip Malicious activity

Add for printing

File name:	Solara 3.07 (1).zip
Full analysis:	https://app.any.run/tasks/4c20e970-28a3-4a6c-afa8-91e62a8f6572
Verdict:	Malicious activity
Analysis date:	September 13, 2024, 11:18:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pastebin
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	9354A65DBFB6953AD01BE6CFFE5740F4
SHA1:	EF73FD4D4BD511449FB2DB15F255FB92C1D25E3F
SHA256:	E28AC1C19529E863C0F1647B9C684EAAD0E9F809DFBD4E4199B7E275EA5B52EF
SSDEEP:	98304:lKo9hvbuXScA3JpmGQ8HnFHWtJXIapOUlqcERLodC63smXYl06MV0cAOOi1xm3kW:UlHlNjB+THQx5+1laW5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - MicrosoftEdgeUpdate.exe (PID: 5492)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6844)
  - MicrosoftEdgeUpdate.exe (PID: 5492)
- Executes application which crashes
  - Solara.exe (PID: 3236)
- Executable content was dropped or overwritten
  - RobloxPlayerInstaller.exe (PID: 5344)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4252)
  - MicrosoftEdgeUpdate.exe (PID: 5492)
- Changes default file association
  - RobloxPlayerInstaller.exe (PID: 5344)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 5492)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7188)
  - MicrosoftEdgeUpdate.exe (PID: 7184)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 876)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7624)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeUpdate.exe (PID: 5492)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 2056)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6844)
  - msedge.exe (PID: 7676)
  - msedge.exe (PID: 2992)
- The process uses the downloaded file
  - WinRAR.exe (PID: 6844)
  - msedge.exe (PID: 2992)
  - msedge.exe (PID: 3880)
- Reads the computer name
  - Solara.exe (PID: 3236)
  - identity_helper.exe (PID: 7472)
  - RobloxPlayerInstaller.exe (PID: 5344)
  - MicrosoftEdgeUpdate.exe (PID: 5492)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 876)
  - MicrosoftEdgeUpdate.exe (PID: 7184)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7188)
  - MicrosoftEdgeUpdate.exe (PID: 4668)
  - MicrosoftEdgeUpdate.exe (PID: 7636)
  - MicrosoftEdgeUpdate.exe (PID: 3876)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7624)
- Checks supported languages
  - Solara.exe (PID: 3236)
  - identity_helper.exe (PID: 7472)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4252)
  - RobloxPlayerInstaller.exe (PID: 5344)
  - MicrosoftEdgeUpdate.exe (PID: 7184)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7188)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 876)
  - MicrosoftEdgeUpdate.exe (PID: 5492)
  - MicrosoftEdgeUpdate.exe (PID: 3876)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7624)
  - MicrosoftEdgeUpdate.exe (PID: 4668)
  - MicrosoftEdgeUpdate.exe (PID: 7636)
- Reads the machine GUID from the registry
  - Solara.exe (PID: 3236)
  - RobloxPlayerInstaller.exe (PID: 5344)
- Reads Environment values
  - Solara.exe (PID: 3236)
  - identity_helper.exe (PID: 7472)
  - MicrosoftEdgeUpdate.exe (PID: 4668)
- Disables trace logs
  - Solara.exe (PID: 3236)
- Reads the software policy settings
  - Solara.exe (PID: 3236)
  - WerFault.exe (PID: 360)
  - MicrosoftEdgeUpdate.exe (PID: 4668)
  - MicrosoftEdgeUpdate.exe (PID: 3876)
- Checks proxy server information
  - Solara.exe (PID: 3236)
  - WerFault.exe (PID: 360)
  - MicrosoftEdgeUpdate.exe (PID: 4668)
  - MicrosoftEdgeUpdate.exe (PID: 3876)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 360)
  - RobloxPlayerInstaller.exe (PID: 5344)
  - MicrosoftEdgeUpdate.exe (PID: 5492)
- Sends debugging messages
  - msedge.exe (PID: 320)
  - RobloxPlayerInstaller.exe (PID: 5344)
- Manual execution by a user
  - msedge.exe (PID: 2992)
- Create files in a temporary directory
  - RobloxPlayerInstaller.exe (PID: 5344)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4252)
  - svchost.exe (PID: 2056)
  - MicrosoftEdgeUpdate.exe (PID: 5492)
- Application launched itself
  - msedge.exe (PID: 2992)
- Process checks whether UAC notifications are on
  - RobloxPlayerInstaller.exe (PID: 5344)
- Process checks computer location settings
  - MicrosoftEdgeUpdate.exe (PID: 5492)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:09:12 21:32:40
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Solara 3.110/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

218

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

236

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5640 --field-trial-handle=2460,i,16832268484742517519,15523285669590367051,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

236

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6440 --field-trial-handle=2460,i,16832268484742517519,15523285669590367051,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

320

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7fffd36b5fd8,0x7fffd36b5fe4,0x7fffd36b5ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

360

C:\WINDOWS\system32\WerFault.exe -u -p 3236 -s 1800

C:\Windows\System32\WerFault.exe

Solara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

876

"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update COM Registration Helper

Exit code:

Version:

1.3.171.39

Modules

Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1164

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2788 --field-trial-handle=2460,i,16832268484742517519,15523285669590367051,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1172

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6312 --field-trial-handle=2460,i,16832268484742517519,15523285669590367051,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1992

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=7764 --field-trial-handle=2460,i,16832268484742517519,15523285669590367051,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2056

C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2180

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2452 --field-trial-handle=2460,i,16832268484742517519,15523285669590367051,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

22 270

Read events

21 267

Write events

951

Delete events

Modification events


(PID) Process:	(6844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Solara 3.07 (1).zip
(PID) Process:	(6844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3236) Solara.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Solara_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3236) Solara.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Solara_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(3236) Solara.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Solara_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3236) Solara.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Solara_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:

Add for printing

Executable files

220

Suspicious files

1 439

Text files

568

Unknown types

Dropped files

PID	Process	Filename		Type
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Microsoft.Web.WebView2.Wpf.dll		executable
		MD5:E107C88A6FC54CC3CEB4D85768374074	SHA256:8F821F0C818F8D817B82F76C25F90FDE9FB73FF1AE99C3DF3EAF2B955653C9C8
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\fileaccess\index.js		text
		MD5:0E709BFB5675FF0531C925B909B58008	SHA256:ED94FD8980C043BAD99599102291E3285323B99CE0EB5D424C00E3DEA1A34E67
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\fileaccess\node_modules\body-parser\index.js		text
		MD5:B9E991C0E57C4D5ADDE68A2F4F063BC7	SHA256:9C6C900E7E85FB599C62D9B9E4DFD2EA2F61D119DCE5ED69AC3A8DA828819241
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\fileaccess\node_modules\array-flatten\array-flatten.js		binary
		MD5:4B17FA06C54846B686B8B799E9DD253A	SHA256:766CA145B6D25E3D60F352A716E8FA1876BCDF362C0767C360CF24F335BC281E
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\fileaccess\node_modules\accepts\index.js		binary
		MD5:4FE4D2C90A2FD19D6E97443A7D24F815	SHA256:BE2DECBD50610E8F995C1E312EE4DD6D7C1244CFDF03EE4C4A3DA68E572DADA1
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\combined.html		html
		MD5:036181954C4E23805C0A3F68E1679091	SHA256:ABF460FFE03CCC4BF085C9FC72DC32528F5AF27AEE7E0CF250E972912DEDEB25
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Microsoft.Web.WebView2.WinForms.dll		executable
		MD5:C7000FAA6C6040188C8CD8EF28B6DEDA	SHA256:E4F695B72F99024E3EE5D5F26A367E664F4E120BD5D90AA87A8BC0509C365EC8
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Microsoft.Web.WebView2.Core.dll		executable
		MD5:B037CA44FD19B8EEDB6D5B9DE3E48469	SHA256:11E88B2CA921E5C88F64567F11BD83CBC396C10365D40972F3359FCC7965D197
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\fileaccess\node_modules\bytes\package.json		binary
		MD5:5E3137FEEC27C5D88693E0CB2FF95D3C	SHA256:99B21C09CE812DC76A06CD87C4753247CB9615C6A8501C5A5A9D9CAA22EA2D12
6844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6844.11532\Solara 3.110\Solara\Monaco\fileaccess\node_modules\body-parser\lib\types\raw.js		text
		MD5:ACB38E4FE575AFAF8D1A257E47C6E362	SHA256:4E9CC80A7EE8BD667C68C264B4C374B28E731246DDB6EC22C3968DAF837E30A2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

241

DNS requests

344

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6056	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1764	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
360	WerFault.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2612	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2612	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2056	svchost.exe	HEAD	200	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ea79963f-51af-4930-ab74-50e807a8950b?P1=1726551324&P2=404&P3=2&P4=EeAltj09IVbfh56mshsxn7BcIT4%2b7d1t83rgtbTsFPblJo2qFzhn2CYiJfuu4plHw7N2wLcU1ojpI19T0OjGDw%3d%3d	unknown	—	—	whitelisted
2056	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ea79963f-51af-4930-ab74-50e807a8950b?P1=1726551324&P2=404&P3=2&P4=EeAltj09IVbfh56mshsxn7BcIT4%2b7d1t83rgtbTsFPblJo2qFzhn2CYiJfuu4plHw7N2wLcU1ojpI19T0OjGDw%3d%3d	unknown	—	—	whitelisted
2056	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ea79963f-51af-4930-ab74-50e807a8950b?P1=1726551324&P2=404&P3=2&P4=EeAltj09IVbfh56mshsxn7BcIT4%2b7d1t83rgtbTsFPblJo2qFzhn2CYiJfuu4plHw7N2wLcU1ojpI19T0OjGDw%3d%3d	unknown	—	—	whitelisted
2056	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ea79963f-51af-4930-ab74-50e807a8950b?P1=1726551324&P2=404&P3=2&P4=EeAltj09IVbfh56mshsxn7BcIT4%2b7d1t83rgtbTsFPblJo2qFzhn2CYiJfuu4plHw7N2wLcU1ojpI19T0OjGDw%3d%3d	unknown	—	—	whitelisted
2056	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ea79963f-51af-4930-ab74-50e807a8950b?P1=1726551324&P2=404&P3=2&P4=EeAltj09IVbfh56mshsxn7BcIT4%2b7d1t83rgtbTsFPblJo2qFzhn2CYiJfuu4plHw7N2wLcU1ojpI19T0OjGDw%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6056	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
736	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6056	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6056	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3236	Solara.exe	172.67.19.24:443	pastebin.com	CLOUDFLARENET	US	shared
3236	Solara.exe	128.116.123.3:443	clientsettings.roblox.com	ROBLOX-PRODUCTION	US	whitelisted
1764	svchost.exe	20.190.160.20:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208 40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.186.46	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
pastebin.com	172.67.19.24 104.20.4.235 104.20.3.235	shared
clientsettings.roblox.com	128.116.123.3	whitelisted
login.live.com	20.190.160.20 40.126.32.136 20.190.160.14 40.126.32.138 40.126.32.74 40.126.32.140 20.190.160.17 40.126.32.72	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
watson.events.data.microsoft.com	104.208.16.94	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6168	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

Add for printing

Process	Message
msedge.exe	[0913/111919.431:WARNING:device_ticket.cc(151)] Timed out waiting for device ticket. Canceling async operation.
msedge.exe	[0913/111919.431:ERROR:device_ticket.cc(187)] The identity is null.
msedge.exe	[0913/111920.525:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ff6278d0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0913/111920.526:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe	[0913/111920.526:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff85f0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0913/111920.526:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\SYSTEM32\ntdll.dll
msedge.exe	[0913/111920.526:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff6f10000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0913/111920.526:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\System32\KERNEL32.DLL
msedge.exe	[0913/111920.526:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff5da0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0913/111920.526:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\System32\KERNELBASE.dll

General Info

Solara 3.07 (1).zip

9354A65DBFB6953AD01BE6CFFE5740F4

EF73FD4D4BD511449FB2DB15F255FB92C1D25E3F

E28AC1C19529E863C0F1647B9C684EAAD0E9F809DFBD4E4199B7E275EA5B52EF

98304:lKo9hvbuXScA3JpmGQ8HnFHWtJXIapOUlqcERLodC63smXYl06MV0cAOOi1xm3kW:UlHlNjB+THQx5+1laW5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Executes application which crashes

Executable content was dropped or overwritten

Changes default file association

Starts itself from another location

Creates/Modifies COM task schedule object

Starts a Microsoft application from unusual location

Potential Corporate Privacy Violation

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Reads the software policy settings

Checks proxy server information

Creates files or folders in the user directory

Sends debugging messages

Manual execution by a user

Create files in a temporary directory

Application launched itself

Process checks whether UAC notifications are on

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings