Analysis
  max time kernel:  107s
  max time network: 108s
  platform:         windows11-21h2_x64
  resource:         win11-20240730-en
  resource tags:    arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        01-08-2024 09:10 (DD-MM-YYYY, i.e. 1 August 2024; the sandbox image itself is dated 2024-07-30)
  Static task:      static1
  URLScan task:     urlscan1
General
Malware Config
Extracted
  Family:  quasar
  Version: 1.4.1
  Botnet:  Office04
  C2:      192.168.68.119:4782
  C2:      realwz-34142.portmap.host:34142
  Mutex:   6eb5c908-87fa-4e33-a3b3-a6eaa2455bad
  Attributes:
    encryption_key:  458FF650B9D9D277FD5A8DC74175331B7B2FC1B9
    install_name:    Downloader.exe
    log_directory:   Logs
    reconnect_delay: 3000
    startup_key:     SolaraExecutor
    subdirectory:    SubDir

Notes on the config: 192.168.68.119 is an RFC 1918 address, so the first C2 entry is reachable only on the operator's own LAN; the second, realwz-34142.portmap.host:34142, is a portmap.host port-forwarding relay that exposes that listener to the Internet, and is the indicator worth blocking. reconnect_delay is in milliseconds (3 s between reconnect attempts). The install_name and startup_key values tie this config to the dropped Downloader.exe and to the two schtasks.exe executions listed under Signatures.
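The following is an added example written for this page; it is not taken from the report, from the sandbox, or from any Quasar tooling. It turns the extracted config into host-side detection logic and runs it over a few constructed Sysmon-style events. Everything beyond the config values themselves is an assumption made for illustration: the event field names, the %APPDATA% install base for SubDir\Downloader.exe, the HKCU Run-key fallback, and the schtasks command line (the report shows only that schtasks.exe ran twice and that the Task Scheduler COM API was used, not the task name).

```python
# Added example, not part of the sandbox report: detection logic derived from
# the extracted Quasar 1.4.1 config, run over constructed Sysmon-style events.
# Event shapes, the %APPDATA% install base, the Run-key fallback and the
# schtasks command line are assumptions for illustration.
import ipaddress
import re

# Values copied from the extracted Quasar config on this page.
QUASAR_CONFIG = {
    "c2": ["192.168.68.119:4782", "realwz-34142.portmap.host:34142"],
    "install_name": "Downloader.exe",
    "subdirectory": "SubDir",
    "startup_key": "SolaraExecutor",
}


def parse_c2(entries):
    """Split 'host:port' strings into a set of (lower-case host, port) tuples."""
    endpoints = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        endpoints.add((host.lower(), int(port)))
    return endpoints


def private_c2(entries):
    """C2 hosts that are private (RFC 1918/loopback) literals, i.e. only reachable via a relay."""
    private = []
    for host, _port in sorted(parse_c2(entries)):
        try:
            if ipaddress.ip_address(host).is_private:
                private.append(host)
        except ValueError:  # a DNS name rather than an address literal
            pass
    return private


C2_ENDPOINTS = parse_c2(QUASAR_CONFIG["c2"])
# "...\SubDir\Downloader.exe", compared case-insensitively as a path suffix
INSTALL_SUFFIX = ("\\" + QUASAR_CONFIG["subdirectory"] + "\\" + QUASAR_CONFIG["install_name"]).lower()
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
SCHTASKS_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
STARTUP_KEY = QUASAR_CONFIG["startup_key"].lower()


def match_event(ev):
    """Return the rule names a single event triggers (empty list if none)."""
    hits = []
    kind = ev["type"]
    if kind == "network_connect":
        if (ev["dest"].lower(), int(ev["port"])) in C2_ENDPOINTS:
            hits.append("quasar_c2_connect")
    elif kind == "process_create":
        image = ev["image"].lower()
        if image.endswith("\\schtasks.exe"):
            m = SCHTASKS_TN.search(ev.get("cmdline", ""))
            if m and m.group(1).lower() == STARTUP_KEY:
                hits.append("quasar_schtasks_persistence")
        if image.endswith(INSTALL_SUFFIX):
            hits.append("quasar_install_path_exec")
    elif kind == "file_create":
        if ev["path"].lower().endswith(INSTALL_SUFFIX):
            hits.append("quasar_install_path_write")
    elif kind == "registry_set":
        path = ev["path"].lower()
        if RUN_KEY in path and path.rsplit("\\", 1)[-1] == STARTUP_KEY:
            hits.append("quasar_run_key_persistence")
    return hits


def scan(events):
    """Run every event through match_event; returns (event_index, rule) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


# Constructed sample telemetry (not from the report). Index 0 and 6 are the
# benign/noisy cases: the browser itself, and the abused-but-legitimate
# raw.githubusercontent.com host, which must not fire on its own.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe --type=renderer"},
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe"},
    {"type": "process_create", "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe", "cmdline": "Downloader.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f'},
    {"type": "network_connect", "dest": "realwz-34142.portmap.host", "port": 34142},
    {"type": "network_connect", "dest": "192.168.68.119", "port": 4782},
    {"type": "network_connect", "dest": "raw.githubusercontent.com", "port": 443},
    {"type": "registry_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SolaraExecutor"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
    print("private C2 addresses:", private_c2(QUASAR_CONFIG["c2"]))
```

Run as a script it prints one line per match. The raw.githubusercontent.com and pastebin.com hosts from the "Legitimate hosting services abused" signature are deliberately not alerted on by themselves: they are far too common in benign traffic, and the config's own C2 endpoints, install path and startup key are the specific indicators.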
Signatures

Quasar payload (2 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\Desktop\e\Solara Executor V2\Download (RUN FIRST).exe          family_quasar
  behavioral1/memory/1484-87-0x0000000000AC0000-0x0000000000DE4000-memory.dmp   family_quasar

Executes dropped EXE (4 IoCs)
  pid   process
  1484  Download (RUN FIRST).exe
  3132  Downloader.exe
  4060  Solara Executor.exe
  4688  BootstrapperV1.11.exe
  Downloader.exe is the install_name from the extracted config, i.e. the installed copy of the Quasar client; "Download (RUN FIRST).exe" (PID 1484) is the file and memory region the family_quasar rule matched on.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
  flow  ioc
  2     raw.githubusercontent.com
  10    raw.githubusercontent.com
  19    pastebin.com
  21    raw.githubusercontent.com
  22    pastebin.com
  1     pastebin.com

Drops file in Windows directory (1 IoCs)
  description                   ioc                    process
  File opened for modification  C:\Windows\SystemTemp  chrome.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Solara Executor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BootstrapperV1.11.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Only the two browsers query the BIOS keys here; none of the dropped executables appears in this signature.
Modifies registry class (64 IoCs)
  All 64 entries are written by msedge.exe under
  \REGISTRY\USER\S-1-5-21-243088447-3331090618-2776087093-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
  (abbreviated below as <Shell>). These are ShellBag (BagMRU) and ComDlg view-state keys that the Windows common file dialog writes, here from Edge's Save-as dialog for the download. They record browser and user activity, not an action of the RAT, and are useful mainly as a timeline artifact.
  Set value (int)   <Shell>\BagMRU\1\1\0\0\NodeSlot = "7"
  Set value (int)   <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
  Set value (int)   <Shell>\BagMRU\2\NodeSlot = "4"
  Set value (int)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"
  Set value (data)  <Shell>\BagMRU\NodeSlots = 0202020202
  Key created       <Shell>\BagMRU\1
  Set value (int)   <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
  Set value (int)   <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"
  Set value (data)  <Shell>\BagMRU\1\1\0\MRUListEx = 00000000ffffffff
  Set value (int)   <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
  Set value (data)  <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
  Key created       <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
  Set value (data)  <Shell>\BagMRU\NodeSlots = 020202
  Set value (int)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"
  Set value (data)  <Shell>\BagMRU\NodeSlots = 020202020202
  Key created       <Shell>\Bags\6\Shell
  Set value (int)   <Shell>\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"
  Set value (int)   <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
  Key created       <Shell>\BagMRU\2
  Key created       <Shell>\Bags\5\Shell
  Key created       <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
  Set value (data)  <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff
  Key created       <Shell>\Bags
  Key created       <Shell>\BagMRU\1\1\0
  Set value (str)   <Shell>\Bags\5\Shell\SniffedFolderType = "Generic"
  Key created       <Shell>\Bags\5\ComDlg
  Set value (int)   <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
  Set value (int)   <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
  Key created       <Shell>\BagMRU\1
  Key created       <Shell>\BagMRU\1\0
  Set value (data)  <Shell>\BagMRU\1\1\MRUListEx = ffffffff
  Set value (int)   <Shell>\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"
  Set value (int)   <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
  Set value (int)   <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
  Key created       <Shell>\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}
  Set value (int)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"
  Key created       <Shell>\BagMRU
  Key created       <Shell>
  Set value (data)  <Shell>\BagMRU\NodeSlots = 02020202020202
  Set value (data)  <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
  Key created       \REGISTRY\USER\S-1-5-21-243088447-3331090618-2776087093-1000_Classes\Local Settings
  Set value (data)  <Shell>\BagMRU\1\1\0\0\MRUListEx = ffffffff
  Key created       <Shell>\Bags\7\ComDlg
  Set value (int)   <Shell>\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"
  Set value (int)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"
  Set value (data)  <Shell>\BagMRU\MRUListEx = 010000000200000000000000ffffffff
  Set value (int)   <Shell>\BagMRU\1\1\0\NodeSlot = "6"
  Set value (int)   <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"
  Set value (data)  <Shell>\BagMRU\NodeSlots = 02020202020202
  Set value (str)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
  Set value (int)   <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
  Set value (str)   <Shell>\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
  Set value (data)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
  Set value (int)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"
  Set value (int)   <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
  Set value (str)   <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
  Set value (int)   <Shell>\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
  Key created       \REGISTRY\USER\S-1-5-21-243088447-3331090618-2776087093-1000_Classes\Local Settings
  Key created       <Shell>\BagMRU
  Set value (data)  <Shell>\BagMRU\NodeSlots = 02020202
  Set value (int)   <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"
  Key created       <Shell>\Bags\7\Shell
  Set value (data)  <Shell>\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
  Set value (data)  <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
NTFS ADS (1 IoCs)
  description                   ioc                                                              process
  File opened for modification  C:\Users\Admin\Downloads\Solara Executor V2.rar:Zone.Identifier  msedge.exe
  Zone.Identifier is the Mark-of-the-Web stream Edge attaches to the downloaded archive (the write comes from the quarantine utility process, PID 1300, in the process tree below).

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2376  schtasks.exe
  3620  schtasks.exe
  The task names and command lines are not captured in this excerpt; the config's startup_key value, SolaraExecutor, is the name to hunt for in the Task Scheduler library and in the HKCU Run key.

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid   process                events
  1556  msedge.exe             2
  3128  msedge.exe             2
  1300  msedge.exe             2
  1000  identity_helper.exe    2
  4764  msedge.exe             2
  4688  BootstrapperV1.11.exe  3
  4132  chrome.exe             2
  4780  msedge.exe             2
  5684  msedge.exe             2
  4060  msedge.exe             2
  Note that PID 4060 is listed here as msedge.exe but as Solara Executor.exe under "Executes dropped EXE". Windows reuses PIDs once a process exits and the sandbox records the image name current at each event, so correlate on image path and start time rather than on the bare PID.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  5684  msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
  pid   process     events
  3128  msedge.exe  19
  4132  chrome.exe  4
  (Repeated identical entries collapsed into the counts above.)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                       pid   process
  Token: SeRestorePrivilege         784   7zG.exe
  Token: 35                         784   7zG.exe
  Token: SeSecurityPrivilege        784   7zG.exe
  Token: SeSecurityPrivilege        784   7zG.exe
  Token: SeDebugPrivilege           1484  Download (RUN FIRST).exe
  Token: SeDebugPrivilege           3132  Downloader.exe
  Token: SeDebugPrivilege           4060  Solara Executor.exe
  Token: SeDebugPrivilege           4688  BootstrapperV1.11.exe
  Token: SeShutdownPrivilege        4132  chrome.exe
  Token: SeCreatePagefilePrivilege  4132  chrome.exe
  "Token: 35" is privilege LUID 35, SeCreateSymbolicLinkPrivilege. The 7zG.exe entries are 7-Zip extracting the downloaded archive and the chrome.exe entries are routine browser behaviour; the SeDebugPrivilege requests by the four dropped executables are the ones worth alerting on.

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   process
  3128  msedge.exe
  784   7zG.exe
  4132  chrome.exe
  (64 events in total; 7zG.exe accounts for one of them, the two browsers for the remaining 63. Repeated identical entries collapsed.)

Suspicious use of SendNotifyMessage (32 IoCs)
  pid   process     events
  3128  msedge.exe  20
  4132  chrome.exe  12
  (Repeated identical entries collapsed into the counts above.)

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  3132  Downloader.exe
  5684  msedge.exe
  4060  msedge.exe
  The hook installed by Downloader.exe, the installed Quasar client, is the notable entry: a global hook from a user-mode binary in a drop directory is consistent with keyboard-hook keylogging. (PID 4060 is again reported as msedge.exe here; see the PID-reuse note above.)

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 events have the same source, PID 3128 (msedge.exe, the top-level browser process), writing into its own child msedge.exe processes, in order of first appearance:
  source  target  target role (from the process tree below)
  3128    1984    crashpad-handler
  3128    968     gpu-process
  3128    1556    utility: network.mojom.NetworkService
  3128    3548    utility: storage.mojom.StorageService
  (Repeated identical entries collapsed.) A Chromium-based browser writing into the children it spawns is routine process bootstrapping; the signature would matter if the source were one of the dropped executables, which it is not.

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation follows the tree depth given in the report: the level-1 process is the top of the tree and each level-2 entry is its child.

Level 1: msedge.exe (PID 3128)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/frSouth/Solara/raw/main/Solara%20Executor%20V2.rar
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: msedge.exe (PID 1984), crashpad-handler
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc27233cb8,0x7ffc27233cc8,0x7ffc27233cd8

  Level 2: msedge.exe (PID 968), gpu-process
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2

  Level 2: msedge.exe (PID 1556), utility: network.mojom.NetworkService
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  Level 2: msedge.exe (PID 3548), utility: storage.mojom.StorageService
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

  Level 2: msedge.exe (PID 2192), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

  Level 2: msedge.exe (PID 1420), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

  Level 2: msedge.exe (PID 2032), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1

  Level 2: msedge.exe (PID 1300), utility: quarantine.mojom.Quarantine
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  Level 2: identity_helper.exe (PID 1000), utility: winrt_app_id.mojom.WinrtAppIdService
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  Level 2: msedge.exe (PID 4764), utility: chrome.mojom.UtilWin
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  Level 2: msedge.exe (PID 2336), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

  Level 2: msedge.exe (PID 876), renderer (instant process)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1

  Level 2: msedge.exe (PID 2424), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

  Level 2: msedge.exe (PID 2116), renderer (instant process)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1

  Level 2: msedge.exe (PID 5548), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

  Level 2: msedge.exe (PID 5644), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1

  Level 2: msedge.exe (PID 5732), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

  Level 2: msedge.exe (PID 5856), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

  Level 2: msedge.exe (PID 5864), renderer (instant process)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

  Level 2: msedge.exe (PID 6076), renderer (instant process)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

  Level 2: msedge.exe (PID 3176), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

  Level 2: msedge.exe (PID 2524), renderer
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:12⤵PID:3180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2492 /prefetch:82⤵PID:4756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5768 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4780 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵PID:3508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:12⤵PID:3428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:2820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,6802035808822687253,3245694852448136596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4060
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5024
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3640
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4816
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\e\" -an -ai#7zMap2969:98:7zEvent17761⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:784
-
C:\Users\Admin\Desktop\e\Solara Executor V2\Download (RUN FIRST).exe"C:\Users\Admin\Desktop\e\Solara Executor V2\Download (RUN FIRST).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:2376 -
C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe"C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3132 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:3620
-
C:\Users\Admin\Desktop\e\Solara Executor V2\Solara Executor.exe"C:\Users\Admin\Desktop\e\Solara Executor V2\Solara Executor.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4060 -
C:\Users\Admin\Desktop\e\Solara Executor V2\BootstrapperV1.11.exe"C:\Users\Admin\Desktop\e\Solara Executor V2\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\Desktop\e\Solara Executor V2\Solara Executor.exe" --isUpdate true2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4132 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0e38cc40,0x7ffc0e38cc4c,0x7ffc0e38cc582⤵PID:4856
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1936 /prefetch:22⤵PID:2452
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2076 /prefetch:32⤵PID:3060
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2176 /prefetch:82⤵PID:1564
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3124 /prefetch:12⤵PID:4940
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3176 /prefetch:12⤵PID:2892
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4528 /prefetch:12⤵PID:3640
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4524,i,13964522293070778368,3585335063193975270,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3108 /prefetch:12⤵PID:2648
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:4684
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 2b19d924bb4bcdaa7ac588a19f23c1cf
SHA1 029fff51342bba0ca87fdc2c0d5b34e5f403fd62
SHA256 392831994d2195896398b368e9637ef52e02a06a4cd532c8f84358169b20c66c
SHA512 881879b0a495faab50bd87a8a79553c83421e847f723b96699cba9ef73a54b2c6425f89a063ca7af0b7cb83ceaeb6f79b60c00e70ca364ef78958ec7ce01ef6e
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 8KB
MD5 856e7831c680f6a74ef4be16dcec0b01
SHA1 562dabbd43712b18bfb0dfc8014d67a7f7f1a812
SHA256 1ddce44db3e35042fe4a569b8e624baec99813d5f9ab873ce3da0ee9869c239d
SHA512 2ef0b9963dba7d57b70d65a9b2aad9d5f81125e80ccfb84b0587417623d1babdf75bd035d6edc15626ef8d767c743d3c315c4e7fc6e8651dd211242098d3c38f
-
Filesize 100KB
MD5 c00a14ac3199e593f336ffce190d10da
SHA1 15c12f1044f251a2b12cd3d2ee5274eb6613e348
SHA256 a466540a23b4ddd9cfc3a0a8f3c56a5c4235ada48e4250e856fc01329fc02a06
SHA512 d24828a65baef07d0396d102d6fa492a844971fc655ebc1bb0457149cb32787be20053d843c5c3354ae87269816b55e054ed4ccafbd162f4690a443b5bb72617
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize 152B
MD5 e54c067cca21523c0c8c8cfbec7d6c82
SHA1 a7702346349e22f07969345f446145bb05c376c9
SHA256 6643a12004f5c4558a9b9d529f217ebaf6cc662eb199a4f1ae64047f46bdb01d
SHA512 77394c860d9d7da8e8dabda82b287e42d2f159237e2e500cda1e3a748cd30ce72e98deac0cfc36d24e82edd6ff2be886da08e49690920e4a97e21f301c69c421
-
Filesize 152B
MD5 295ffd94f13447e3c07097d4de2a4264
SHA1 e915f342fae28343b7ca7840f0f181e5f158da31
SHA256 7c34d8bdc19592bc72c9af4831e53125f8efb40d8dfaed3eb402334b95964e2f
SHA512 56c82a0040bbdabbc4f067ea07cf8b440f276cb767eb3b0434edff2ae93cbea85cfa658b05f333769b5dcf5c7c8018858f3cac6d8c67f8e66677c0e56a3d9bfb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
MD5 750e8de6c936f70f0495542bca31b8e4
SHA1 d65cdea6438ec4ee5b15db5e4617cf738186d2d3
SHA256 32dd0a6cc5d8e5f0afb5317cfb1d605ce971af1119f64e72e1e2588d7660713a
SHA512 135c8583fd04e2865ab487a6c9d38a97d7d4365edc0f00b5f0bba981e163198ce90cf7e521f3b3964a89aaa000f9e01577c4aa124fd00066b30300f3af16febb
-
Filesize 261B
MD5 2c2e6472d05e3832905f0ad4a04d21c3
SHA1 007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA512 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize 5KB
MD5 277dc972c1f2617cc1837d190e3506c5
SHA1 a93b5b402ccbf9368417ccc8030bdedcfc2df024
SHA256 2264507ba8df1c2f7538ba518c1ff9123d25da658cd448f2139bd0126c9804a2
SHA512 cc518535b00f1f36f977c211b5d1df00b24b5e57d67c8b2a76d4553027185384bbb7ea833e9e38fe5fe9ccf8f5320f81f3eb4c502815915ebb3db153cb44a5bb
-
Filesize 6KB
MD5 eda8b4658a6a8f4d2965968013542e2d
SHA1 e6949b1c8c45fd426be90fd429d90f56f4d7f22b
SHA256 42b8c3a705b116cc9ec794f4cea263ed623dce391a9e718ce58dac0b5c341b33
SHA512 d607911c1de4aa386eded15fcf5bb77f6d90c158e1f30353b58f74e6e92989b57970af135d0213ed309b3275e40fc9df98bde920a8148c5a4450252b4f8d85a8
-
Filesize 6KB
MD5 2da0742f740f7e21fa70ab6d40355821
SHA1 32aa69792e7c750cabc8789a36eea70cd28b77a4
SHA256 6283809faa01683be4c78d089fcf5a132c9463d66f384408582a8de9da3a0f44
SHA512 f5c794b1fd94e91cc71d9f67c8d9d708c949c7bf925335c2785891ac397ba96d12e694407bba2f77385c5c6c2be9503afb616dc07669363651cdde3fde63fa6e
-
Filesize 6KB
MD5 6e0f16e178fcb6e02f67ed047a4e3c54
SHA1 bd4c7d8f62e8f6f7ba76e17e64a614a3f71a1f10
SHA256 a67d25495601b5118e3690ca0d840018d8da2504a052a3b70dbc78895165fcc3
SHA512 38d938c74e3de87fd04181d9e5b12ffc651720439a81b805e5985d86991720d2951f2ab439c46432509cfe54bd7d9b2e5436e6d029c414af1d43ed774e55eb7c
-
Filesize 7KB
MD5 e8fc188b98ae8b06dc3da0fc6d44c4ae
SHA1 242c7684e3ae331a3a1a989b25bf576209ba2a12
SHA256 585ad2cb9dc1aff7c83d1308d241b4cbe79cc0125e7486cf599eb25f4eceddba
SHA512 0dd65851e6bec30b2191da59e211ee711bfdaee2ec4662c3fcc60ca0e37252c0da724de1c17fc8730635524f5300c7c3d0631bc044bde2d971787a27f5b81ac4
-
Filesize 873B
MD5 3d3fa891e12b0962eeaf6a3d1686f375
SHA1 477e06c6054bc5a9c085d1f53c1b207fb3d9a0ef
SHA256 4326581b32d5d7201a16c1088a134aa5d4f95955416c95b6dc047ebee35720bc
SHA512 6afede29d88cc07aab051c2d1955eddd3bb3b85fbebbbce86e8053d3ba53ae72dcca28d451f221d22b9b50225b56b16161e527ae0984729caacf5e109d198bf2
-
Filesize 371B
MD5 d6c7b2807059150428c9fcd4343a17d1
SHA1 483cc19209be1f55c43c95c56194f9c858a21420
SHA256 7294f6b2eda60b4ee7ac8ff5b74eef914414b80ef42b5f4bfaa9138a5b058b22
SHA512 f3d0e9bc2713c75a93eac9d57dcc2f37f4f10f8f5e6db38ceb71b6d6e04b9bd9beeb4255b412864f85ba65fcf02b7c03cf6a521a4c680d7ec793f545aef4451f
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 11KB
MD5 49e55e7a4a99b5aeb2490b7bd1ddf0b3
SHA1 e8d4cbfa04f320cc1470f524ff2b9fcc6c9394c3
SHA256 33f3a9cead5e209a7be9f36ec54fb5d362812fe9b6129a8864d3b9b6326c75ec
SHA512 5bf45bd4f6f8cdac320e79f711116e12ca4a4c0f37eddfb92b7d16cd6552e19bcfe72e6273145b934fe3e888f00c84b7257b0dde71f0c5307e2dc92df6989398
-
Filesize 11KB
MD5 ea92f44575db5f552527236e43ee5ef7
SHA1 a89926237867f519738981a249a2d6c76ae8338d
SHA256 0cee8e9244ad5ad95ae69730d34cbe8696237458fe87710c61e09828dfc6784d
SHA512 a6a876054c17865c36a60d9590faa2ab0dacdcdc5a9c2b759572d2985ce1da3512cec53e00fd690a95cf8ba8ef67b3f6ff7222e57a16d0843b3491d7eb778699
-
Filesize 795KB
MD5 365971e549352a15e150b60294ec2e57
SHA1 2932242b427e81b1b4ac8c11fb17793eae0939f7
SHA256 faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42
SHA512 f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938
-
Filesize 3.1MB
MD5 c23404d4606f1e49bfc9efff359ed317
SHA1 da2904b0f8e16119576e389c0d77c2b4c96baf9e
SHA256 00345f840ce5cc3045c67e63e93f2fb438963eeb13a8d8587e2b196d4bc79591
SHA512 30bb2f181342ab8e9c8bd851d554bedb6f87a91021b2a521ed02313ec146083920b33cc3a28135fb4b45f6103dc0c8fb01ba61096ece3ad23e2e5d3cd5720407
-
Filesize 795KB
MD5 a7f3293b177a63f6c50b5560e729cbff
SHA1 4885073e4881cffc5c5155de720aa65755418fe8
SHA256 da17868f107954124c0953fd1cb37ac8ed4e78460905e83d6402b966a77ee7dc
SHA512 70b3431b238457a24e66914d0059e7e8e2dc4f79ac49c9a9c510214b8bc1279af6947288442060ac02c3cf3c863c144ef95219006097d2e59183586f7f701438
-
Filesize 1.2MB
MD5 51e6735ce2042e2ba0c187a3c47ff2df
SHA1 0902722a7e18a5a90c81dc786ab3b5ec616f2d70
SHA256 a83f40624d7d8f6f769e672c41a72785bb623fa6f87640aac16cd7300599b21e
SHA512 bcd27ec0ef174fd44e8295d84196ea4da9f9f7d15dd9fb814b9a8608c7585e723eb6ad415317648654e3b97a15e35d4b9c9d5702c2e4b55a2f78203fa8d7be72
-
Filesize 116B
MD5 21cae65b4123aa8bc63789da5b7ff324
SHA1 7f0dcd0d80c82acc783b561cdbd78905a680f83a
SHA256 ae29c47f073c03445a5fa1fd2e9c52afaeffdf69611feca4bf3b6fc560771460
SHA512 e2d8cc90934dc4b2a09d27bac5c54e9d44bc4fc12ab4d1aa07476b7ecd8c676f5790ae5d8d7a9f0fe77b0de46b2e25fe3cd842039dffd1dffe94f663bbe6268a
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e