discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1246629392017264730/1246630633296498749/SolaraB[.]zip?ex=665d16c0&is=665bc540&hm=e92ff639e30663ccb29b047bd40cc92f9c4abcaf01ca27c3a1803b4b7204e774&

Resubmissions

02-06-2024 18:16

240602-wwfvvabd56 10

02-06-2024 17:44

240602-wa9k2aag22 10

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1246629392017264730/1246630633296498749/SolaraB.zip?ex=665d16c0&is=665bc540&hm=e92ff639e30663ccb29b047bd40cc92f9c4abcaf01ca27c3a1803b4b7204e774&

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NTMyMTUyODE4NzQyNDc3OA.GR78y4.vMfEj5skpraljw4MJ9J0BO20fQH19kOJIYpkg4
server_id
1245464272843051061

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 39 IoCs

Web Service

T1102

flow	ioc
136	discord.com
175	discord.com
208	discord.com
239	discord.com
81	discord.com
92	discord.com
109	discord.com
84	discord.com
112	discord.com
124	discord.com
224	discord.com
253	discord.com
90	discord.com
178	discord.com
200	discord.com
189	discord.com
192	discord.com
45	discord.com
63	discord.com
98	discord.com
250	discord.com
44	discord.com
221	discord.com
241	discord.com
234	discord.com
95	discord.com
147	discord.com
213	discord.com
238	discord.com
48	discord.com
161	discord.com
202	discord.com
120	discord.com
140	discord.com
151	discord.com
165	discord.com
67	discord.com
71	discord.com
73	discord.com

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618238760274568"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
14984	chrome.exe
14984	chrome.exe
2812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeDebugPrivilege	3076	SolarbB.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeDebugPrivilege	3792	SolarbB.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
12764	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2812	2976	chrome.exe	84
PID 2976 wrote to memory of 2812	2976	chrome.exe	84
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 3696	2976	chrome.exe	85
PID 2976 wrote to memory of 1804	2976	chrome.exe	86
PID 2976 wrote to memory of 1804	2976	chrome.exe	86
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87
PID 2976 wrote to memory of 1900	2976	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1246629392017264730/1246630633296498749/SolaraB.zip?ex=665d16c0&is=665bc540&hm=e92ff639e30663ccb29b047bd40cc92f9c4abcaf01ca27c3a1803b4b7204e774&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef810ab58,0x7ffef810ab68,0x7ffef810ab78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:2
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:14984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=212 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:12304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1924,i,3303134445892602796,12279199104336012278,131072 /prefetch:8
  2⤵
  PID:2136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2960

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:716

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:1660

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2884

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:4620

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5176

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5272

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5368

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5460

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5556

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5648

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5752

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5864

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5952

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6056

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:3856

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2828

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6036

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6148

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6260

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6568

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6668

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6772

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6880

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6984

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7108

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:4840

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:5440

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:936

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6524

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6940

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2132

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7268

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7388

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7576

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7704

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7824

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7976

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8084

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:6376

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7200

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7492

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7920

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8180

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8272

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8408

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8532

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8672

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8940

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9072

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9192

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7648

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8232

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8664

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8868

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9096

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:3884

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9300

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9428

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9568

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9700

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9916

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10200

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:8928

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9812

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10192

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10164

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10144

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9296

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10360

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10512

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10672

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10824

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10980

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11184

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:4876

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10048

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10504

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2228

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:4852

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:1236

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9776

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10188

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2208

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11456

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11620

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11828

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11972

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:12156

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:3644

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:10132

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11372

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11764

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11988

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9224

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:12636

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:12980

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13196

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11724

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9724

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2932

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:12552

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:12864

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13300

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:636

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:12808

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13292

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13496

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:11908

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13400

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13892

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:9888

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7584

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:4372

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13952

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:13936

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:7540

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:2016

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:14464

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:14680

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:14852

C:\Users\Admin\Desktop\SolarbB.exe
"C:\Users\Admin\Desktop\SolarbB.exe"
1⤵
PID:15112

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:13812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:14968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:12764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
63666f63fdf4c618365394391b8c9754

SHA1
d0bd08851bfaaf41561cd2d7dfa2d09bd4dba96b

SHA256
fb7777612aeed7907efa08394d5d3bad54e633cacc7748d60eb5125330a0ec81

SHA512
81cfcceb3740a869af2d34cc655643e96e65f11d8e7b0178275f40e35bc300337c199299fa46779595a81730b3d42a04edd9bb8dfc954c45a9f8d92e42c4023e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
359135a045571e5096ee87ed7b89d592

SHA1
bd1cf5db81de83d74623569490ec56163d8dd7c1

SHA256
3fa2846a2700aa34677dd737221f88f172d0e90d54f25f5feac485b30baf41e7

SHA512
11d1ccaaf0bf802e319feeb279329fea38c1b6d62bf451faf3bfb04fbb38eab60c006050cff7b81fa7c053b8350e1a3f2e0f515d616f3f88b472bc53f977ad08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c9b835afe52445e443910872d4f7b553

SHA1
4d837d5382f1b989ec34759324b979ff47ee815a

SHA256
4d3c96ce66303e0db2c7d087ccbbedb530cc786fcb4e1f8dbbd928b0319313ba

SHA512
b245a7caf08d55548fcd0a0452fc5494126057c1f38f9495e23923da8597f1123d54f66495d1da23f7fe171fb5e23e138c85acbd85686b3948ec013590584b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
85520356384f58d2808f18165830d318

SHA1
1e603c7d5d0220872dde2860605930ac4d509108

SHA256
088e7bf997148621c934a652be5644fa642b54d40eea0728c82cf2b31d6f9c1c

SHA512
ec5472fcead93aa0e630582827e49e7775a6610cbd8898b92a4d721088ae261a7f2fb4ffc3e0514b3ab94a39bd80fb8f69dbf1dd215dadc9a5e88a230999422b

Download Submit
C:\Users\Admin\Downloads\SolaraB.zip

Filesize
27KB

MD5
c0426e2992fd4fa90336665e6d56abe8

SHA1
8b00e93e5d84520c07d2e5942af997afe0dc1e63

SHA256
f20ff052ab37ce445122c007f90d20148f4e0de842417b4e26230f128ce485f0

SHA512
e78d71040b24143e51f311e4f3bb284f4b76ff5ddbde5a97b65b0ae1547d5e0979f77508abe40ce3cd11862d597d66d355cc3c3a3d4c01f0c520cd58d9593ebf

Download Submit
memory/3076-53-0x00007FFEE4670000-0x00007FFEE5131000-memory.dmp

Filesize
10.8MB

Download
memory/3076-52-0x0000012DEC4F0000-0x0000012DEC6B2000-memory.dmp

Filesize
1.8MB

Download
memory/3076-54-0x0000012DECCF0000-0x0000012DED218000-memory.dmp

Filesize
5.2MB

Download
memory/3076-56-0x00007FFEE4673000-0x00007FFEE4675000-memory.dmp

Filesize
8KB

Download
memory/3076-66-0x00007FFEE4670000-0x00007FFEE5131000-memory.dmp

Filesize
10.8MB

Download
memory/3076-50-0x0000012DE9EA0000-0x0000012DE9EB8000-memory.dmp

Filesize
96KB

Download
memory/3076-51-0x00007FFEE4673000-0x00007FFEE4675000-memory.dmp

Filesize
8KB

Download
memory/3792-55-0x00007FFEE4670000-0x00007FFEE5131000-memory.dmp

Filesize
10.8MB

Download
memory/3792-67-0x00007FFEE4670000-0x00007FFEE5131000-memory.dmp

Filesize
10.8MB

Download