xenorat | b7302ba3d49a98ca752e1987299824841feff97f57c0d9db7dcf0ad4b5480beb

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-05-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

httpsgithub.comdiscord1ggWUFGKADFLastExternalreleasestagsolar.txt
Size

69B
MD5

3953e278bc14b68f8dd59633c05ce74d
SHA1

d67cf05a8dac0eb133fa0cc37b761eeb80d63bda
SHA256

b7302ba3d49a98ca752e1987299824841feff97f57c0d9db7dcf0ad4b5480beb
SHA512

7e36f0033729b1622a2cd89bc1cbd2aae8cae29b71c784ba24a1318652cc3b066bc2161a5ba84b1f1387e42b9ca0d8095aabeb7665574446f8bb9f3e30a38b36

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
1
install_path
appdata
port
8080
startup_name
Cra

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Solar2.exeSolar2.exe

pid process

4752 Solar2.exe
436 Solar2.exe

pid	process
4752	Solar2.exe
436	Solar2.exe

Drops file in Windows directory 2 IoCs

Processes:

SecHealthUI.exeSecHealthUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

596 schtasks.exe

pid	process
596	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607280276745624"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1296 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2152 chrome.exe
2152 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2152 chrome.exe
2152 chrome.exe
2152 chrome.exe
2152 chrome.exe

pid	process
1296	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeCreatePagefilePrivilege	2152	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecHealthUI.exeSecHealthUI.exe

pid process

3816 SecHealthUI.exe
4056 SecHealthUI.exe

pid	process
3816	SecHealthUI.exe
4056	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2152 wrote to memory of 4440	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4440	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4296	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4168	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 4168	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe
PID 2152 wrote to memory of 1316	2152	chrome.exe	chrome.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\httpsgithub.comdiscord1ggWUFGKADFLastExternalreleasestagsolar.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1296

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa57539758,0x7ffa57539768,0x7ffa57539778
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:2
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4000 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:1
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x240,0x258,0x7ff6dd197688,0x7ff6dd197698,0x7ff6dd1976a8
3⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4776 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5932 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6120 --field-trial-handle=1740,i,12807278458428717735,1695040929773380110,131072 /prefetch:8
2⤵
PID:524

C:\Users\Admin\Downloads\Solar2.exe
"C:\Users\Admin\Downloads\Solar2.exe"
2⤵
- Executes dropped EXE
PID:4752

C:\Users\Admin\AppData\Roaming\XenoManager\Solar2.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Solar2.exe"
3⤵
- Executes dropped EXE
PID:436

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Cra" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D6B.tmp" /F
4⤵
- Creates scheduled task(s)
PID:596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
45KB

MD5
de087e8e68098c324b7253ac076fa549

SHA1
1dc477a49db64ec4945fac5459a61c40337e2432

SHA256
fe56f6d2792173796f3ebe02c4ce6333b8c77ba026b7e2e86da958ceb22bd0cd

SHA512
46d42b1754550b066a0e52c46fbc4881cbe377da3474cde4c1495c44cb5d4cefad7e2564fdbbc2ae3523309965f6e9765c95ee3d4d47f7b69f903b6ab8818bfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
6d8a0324f74cc77b2587f2748eea7227

SHA1
2d8f855e032b5344dcf70d2df4538d1b29757113

SHA256
6aaed8b5b08aa7711b1621269173effad2d1587f755668bd7be7059d5a068b12

SHA512
9cdebd47f1c2acf6e07fdd559653e669b448d31e6ff9cd042570fc7ed90c1d9be5d85113ceefb11f54dd0a1c3d0bcb0b12bc7a1b703150c3726458b3fa6dd7cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
71395dbd4e077bf33ed107348ef48a68

SHA1
2fa406c9b21d5d3c5ab536402f5dcbf7931fe51c

SHA256
1d27433a1b8d0ff7a633f5fe7fce485ff1c24c80b8f094a764dde34255516f63

SHA512
e50ecd7700a2520334f0bfb26327dbf91a5c5747cbb0ce96c9375576cf52dbdfc91edd3d3803c4f2643ec270218380bb186fc3adf8ebdb5dc4e7c50bf531083f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
afa78ee89793e07a6ae3bf9fdaa8d8bf

SHA1
cb8764864c4c0bc7eb7ae153810fc1acd74e3546

SHA256
f1dba3def5f4d5d0003f3a7536b7df5888b21b397a2e7c2083688dbe29828413

SHA512
47373a78cc147393d620e878c22c94a423fc00c3daab7000b958bfe249efc8cc1511c72194791f3cd2716b89b177ad22ee6a195acf8cad3d25fcdc31bd6189f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
872B

MD5
2559a4e57b4e3699b9fb49899b6bbee9

SHA1
68579a64d9eb6698d358e8041830fa195b3953cf

SHA256
a6390b6333f30f5b6bb29a176da231674fbbe7ddddcd802761a87ab30c6cc96d

SHA512
d4fcc7cf53d81528c31a31bee283047c33c5da7fce1ed751286b337a46ae49bbf80ef6dde5b4e53d39b367e87147fa4a786e6ce9a8dd663bdc804e12e679e163

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
27a92a391785300261950034bca347d1

SHA1
08678f808c2084e97fba9b306edbf84d30002432

SHA256
2029201dc4e0d071ed9807f231c9b2ab47606f1f8eec6202d2f8ebc731bb2799

SHA512
163af2770a0f322eee25e58562a77ecbe5fd57ff6913ef4ee43163f03b32a71d39da8b8f2447be533c5701cdba43ef66b6ce4535838d5db676f85f78b51d67cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6afec60b12e9d3966b46f407e55b37f3

SHA1
6a7ac045676a360d6e4885cde6212f22af6b1d00

SHA256
723306d2f40ceaf6d061f33bf86cd4e6730532a5b8b413d93ae7a6406487a506

SHA512
36169aaaa93be4cbdd316454bf38ef91a0b36f06e38dcd111cfdc669e060d07e97377429aec7efed32c3e885ce4ceccbc42c9ea5ff2f8393d88385bd8672c7f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1fc401740f60acb50b9f934a41eb74fe

SHA1
33355b149e0ecbc4e07c498fc539c7edcd75b109

SHA256
4cfd26ffc871fb9f9913dbf133e336ae5736e9687d4043bbd287ccbcaa7f75f2

SHA512
a3cd0ef7cdb627ba56cf1cf6b9f215661272a0714055c072a2ce2cb61bc7de3c7b3d340bbbfac4d1e2a09bed9a0c857e8ba8b24019f4822a97d5bd03729b9d37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0b70748bbf3df2d1e6b5f8de988df2e5

SHA1
f39c9718b8ff8c43cd718c602b1755f2f0cb55cf

SHA256
1eedcca8b91841118d4c514d16bf93be3028b19f7ee3620d7ad1172174edca3b

SHA512
c6d5c4c2e737e9e7b0e6e242d7a08a07e691b646e680418df73925e852e2c4004818e05dad27e8eb4c748f6225649fb6ce1a76f4e51a3049ca386fa599271320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5e05adf90d49138b8f954b2f143cc3fd

SHA1
29b038aa7ed41ca6fca358a9c867f559a3f53af6

SHA256
abb5095bd9b845ff854fa8a5589a3231c7ec9560a03c84b64e893f5c74e76697

SHA512
37f1b59cf74f1070dce1c21b82c457aa705ececea5bb9380ba662328331967ecf310100bf83a6565f24ee9c56ec9d4db886728a89a4a5640d754f26f1abc5383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
8e5c394ccf8cc4c8a8df686933613cae

SHA1
15c998e40a5efb5663172fd9084da34f89e83a6e

SHA256
833ca7b50b9e78d9e8ecb165804a8d23e7a5658f5955099bcc7efda4efef5481

SHA512
75b6936369521f804cbc5f20e7a13b82b0a3ef50dfa49080404e61c1ab15a3a1f613c4333d73dda5407bc1301ca5894115f5e23f0dc22d9e138c2db466590220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
277KB

MD5
85dbc2646dcf93bb0b48dc221381c435

SHA1
67f2e17ef5ae5d2c449e6a1804e211143c5fa2da

SHA256
fab9be2c8782b1fe026dc7245a6d35491bc2743894e492f173599c31491bfb19

SHA512
f1879f3141814eb8f970ce3c665310aaab0808cd5d3299c0ade7f31ea6dbf6ad9abac73bda4e8cf3c91ae8367336418c3cd5d0568c4fe154bb152d30b8fa8a16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solar2.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.sechealthui_cw5n1h2txyewy\AC\Microsoft\Windows\4272278488\2581520266.pri
Filesize
70KB

MD5
dc37deff2947a4ec8bf9b40a3dc25c49

SHA1
422bdce2dc21c634760c8b06a60c4ebf131cc592

SHA256
00dee1b03565baf7c105f1484f27a2e04d900538c153372482fbedd8cde61d85

SHA512
bbe9730344e0f648c53d2d5c518791ce8d92c1f04e1b9646bb4feca24d5f41fae255eff57ad7c36ff1d26869ad25eede25bbd4e98a59267d41ee71f3885d9dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D6B.tmp
Filesize
1KB

MD5
e4d1b848a416ad80d471e7d5c489aeb8

SHA1
510a8e67f43522b11b5b95f8ac799484ea6b87bd

SHA256
f2a532a4ec5a461d33317482e274d77362cc9c6b3a8596db96057678e26100e9

SHA512
d0f1009b7d0792e3dac1dbfdd57c772da5cc09f78d2ca56a13c58ad665af952229ad7041b514fe0d376f041b9e0f3e31fbe055a202100bc018e6d6504f0efd04

Download Submit
\??\pipe\crashpad_2152_JTIHHEOWFNLFWTBF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4752-190-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download