discordrat | hxxps://gofile[.]io/d/vg1Pjm

Analysis

max time kernel
127s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-10-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/vg1Pjm

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzY4MTEyNTMyMjkyMDAyMg.GyUVT9.PdXlDnnKGi1vPy546OLbQrug6P8HthySRh7ZPg
server_id
1293975894108540940

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
1916	Solara_Bootstrapper.exe
3600	Solara_Bootstrapper.exe
3324	Solara_Bootstrapper.exe
5024	Solara_Bootstrapper.exe
1712	Solara_Bootstrapper.exe
5056	Solara_Bootstrapper.exe
3980	Solara_Bootstrapper.exe
1700	Solara_Bootstrapper.exe
2736	Solara_Bootstrapper.exe
244	Solara_Bootstrapper.exe
568	Solara_Bootstrapper.exe
2148	Solara_Bootstrapper.exe
2104	Solara_Bootstrapper.exe
808	Solara_Bootstrapper.exe
5428	Solara_Bootstrapper.exe
5436	Solara_Bootstrapper.exe
5444	Solara_Bootstrapper.exe
5504	Solara_Bootstrapper.exe
5580	Solara_Bootstrapper.exe
5456	Solara_Bootstrapper.exe
5464	Solara_Bootstrapper.exe
5472	Solara_Bootstrapper.exe
5480	Solara_Bootstrapper.exe
5488	Solara_Bootstrapper.exe
5512	Solara_Bootstrapper.exe
5496	Solara_Bootstrapper.exe
5796	Solara_Bootstrapper.exe
5964	Solara_Bootstrapper.exe
6680	Solara_Bootstrapper.exe
6708	Solara_Bootstrapper.exe
6804	Solara_Bootstrapper.exe
6864	Solara_Bootstrapper.exe
7036	Solara_Bootstrapper.exe
7148	Solara_Bootstrapper.exe
6096	Solara_Bootstrapper.exe
6264	Solara_Bootstrapper.exe
7236	Solara_Bootstrapper.exe
7400	Solara_Bootstrapper.exe
7480	Solara_Bootstrapper.exe
7520	Solara_Bootstrapper.exe
7568	Solara_Bootstrapper.exe
7736	Solara_Bootstrapper.exe
7888	Solara_Bootstrapper.exe
7960	Solara_Bootstrapper.exe
8052	Solara_Bootstrapper.exe
8120	Solara_Bootstrapper.exe
8168	Solara_Bootstrapper.exe
7384	Solara_Bootstrapper.exe
8556	Solara_Bootstrapper.exe
8644	Solara_Bootstrapper.exe
8740	Solara_Bootstrapper.exe
8856	Solara_Bootstrapper.exe
8996	Solara_Bootstrapper.exe
9036	Solara_Bootstrapper.exe
8032	Solara_Bootstrapper.exe
964	Solara_Bootstrapper.exe
5644	Solara_Bootstrapper.exe
8616	Solara_Bootstrapper.exe
5416	Solara_Bootstrapper.exe
8008	Solara_Bootstrapper.exe
3408	Solara_Bootstrapper.exe
4968	Solara_Bootstrapper.exe
9256	Solara_Bootstrapper.exe
9344	Solara_Bootstrapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
107	discord.com
21	discord.com
33	discord.com
34	discord.com
35	discord.com
39	discord.com
45	discord.com
100	discord.com
113	discord.com
149	discord.com
171	discord.com
25	discord.com
44	discord.com
50	discord.com
87	discord.com
104	discord.com
23	discord.com
27	discord.com
67	discord.com
73	discord.com
92	discord.com
9	discord.com
31	discord.com
36	discord.com
112	discord.com
175	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Solara_Bootstrapper.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 478784.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Solara_Bootstrapper.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3956	msedge.exe
3956	msedge.exe
4116	msedge.exe
4116	msedge.exe
4444	msedge.exe
4444	msedge.exe
4668	identity_helper.exe
4668	identity_helper.exe
1472	msedge.exe
1472	msedge.exe
10912	msedge.exe
10912	msedge.exe
10912	msedge.exe
10912	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	3600	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	3324	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5024	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	1712	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5056	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	3980	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	1700	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	2736	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	244	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	568	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	2148	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	2104	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	808	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5472	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5436	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5504	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5512	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5464	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5456	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5480	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5428	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5488	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5444	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5496	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5580	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5964	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5796	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	6680	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	6708	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	6804	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	6864	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7036	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7148	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	6096	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	6264	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7236	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7400	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7480	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7568	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7520	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7736	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7888	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7960	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8052	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8120	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8168	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	7384	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8556	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8644	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8740	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8856	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8996	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	9036	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8032	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	964	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5644	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8616	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	5416	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	8008	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	3408	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	4968	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	9256	Solara_Bootstrapper.exe
Token: SeDebugPrivilege	9344	Solara_Bootstrapper.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 844	4116	msedge.exe	77
PID 4116 wrote to memory of 844	4116	msedge.exe	77
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 1200	4116	msedge.exe	78
PID 4116 wrote to memory of 3956	4116	msedge.exe	79
PID 4116 wrote to memory of 3956	4116	msedge.exe	79
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80
PID 4116 wrote to memory of 2852	4116	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/vg1Pjm
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff926c73cb8,0x7ff926c73cc8,0x7ff926c73cd8
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:244
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5444
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5456
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5472
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5480
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5488
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5496
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5504
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5512
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5796
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6680
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6708
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6804
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6864
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7036
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7148
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6096
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6264
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7236
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7400
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7480
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7520
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7568
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7736
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7888
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7960
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8052
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8120
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8168
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7384
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8556
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8644
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8740
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8856
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8996
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:9036
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8032
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8616
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8008
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:9256
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:9344
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9436
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9540
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9676
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9768
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9852
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9944
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10052
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:8844
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9164
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:6104
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9560
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10336
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10436
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10540
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10640
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1736,7969845609764689851,11847154021618637454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:10912
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11028
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11224
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:9824
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:8100
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10556
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10768
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:5788
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11152
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11188
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10528
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11436
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11528
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11624
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11748
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11940
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12036
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12148
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12260
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10492
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12020
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10720
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:10292
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:11932
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12360
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12500
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12604
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12740
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12836
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13024
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13140
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13252
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:7976
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:7060
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12396
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:12688
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13352
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13504
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13732
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13824
- C:\Users\Admin\Downloads\Solara_Bootstrapper.exe
  "C:\Users\Admin\Downloads\Solara_Bootstrapper.exe"
  2⤵
  PID:13960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2d3325784bb105e3d404e3a03ee49911

SHA1
5fb51bf8682b6a73c4595ae24207308d794610a3

SHA256
0a2b9c842530b6786d7d4fee4be7148ce5ebf8e167d61dfed86e662ec4577508

SHA512
d0b861d2af699f4523e245f1beb8a108574f5cb90870fd482a0d3cbab534fc6b68a8424f4d2292f5fbdd5eacef1a089f5d3d70ecff9a6ed39d3f46471e095dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
af70db1887381980b2e8b6cabbededc2

SHA1
b5259f04715316d365c733e90c8768a8f7aa68e6

SHA256
fbb070db6f3a8745c65d094352de10556b5fb45173b6aa56e5de9d016187b265

SHA512
67a439819258cc6e2bcdc3e9a75a3f270d411362094afd768301481c3e31c32e5200afd2ef06932eae855112ef08137d52e580ab3958f6ae71c2d1bca2889503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
84a183e201f7b44502b826451e8bfbdd

SHA1
13bd989d6b1ef502fee1d1938227b038e06c5a7c

SHA256
13262be2eea9e73231fa10806ebbea74f3890abddc7be514e7250c486137b7f7

SHA512
1c7be491c0962257605df36e5a6edc8384fc9daae0754ee75a745791dffc38c4bf06bdd9c537e0a1d5afb1ced8d31570469e1b028f1e9e0eec0cae91f0490c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2dc5774363d89206c9716b25db5a8e9

SHA1
44c163060dc7dd313f00130afd8bc3b8fc3b07ae

SHA256
32d39b3a78f04788969fd964b414a48b4fa20ccbf4f0e21098192bc6ba7cc001

SHA512
3bfacaada3ae9b243201c142da9a9585b531c31555144c2aadd17c9075c863900f0d4da3228c1aec49599409811a4df741e4f162a36ce9b41d174621db1d94d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a3fe3d50eba4d0cedf8d56f3e1c08e9

SHA1
29e044860d5cd76a2ff92085d6bcef8c0b99d70e

SHA256
f340f0fc719ca1e3c9ba457cc31a5d3eb92530b2be00103ba487647b3d9b5b04

SHA512
2b09459fa78daf188d7004e03699a92f81a845aeb78f6ec65fc44a0735715eeefc40bc7ebd6f48b68adff1f50a95e4b7f24a89799a29ee9281c1cb009da85fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
034c564b9e5ee3fe351517b1b7ff890f

SHA1
dcb6d4a75bdc246f3484801bc41688bfd904e31a

SHA256
c73ca812ab9ec7eed486e2e1ffd283acfaa16b4fa5fe392ca7c8caa8781f9863

SHA512
3cddf6e6131556d338fcdde7a9b764a22e36ca8f05fe4d9f7fd72ac32d3854a39e1b37d37fa88ab196ff1cebb68f3f17aee219f306869b4f7badc04e6ab90d87

Download Submit
C:\Users\Admin\Downloads\Solara_Bootstrapper.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 478784.crdownload

Filesize
15.3MB

MD5
171c4b88bd1d14049a533648ef3e25b6

SHA1
f6578600a79ceb368c7fea473a5584039189f66a

SHA256
68ceb1bf818a1010818c6cc987f7e2145d1f188afeb2656db5c0eec3a8e52ec1

SHA512
7628ff0e685fda753255a6c333aee5578647e1ea6e190c730603058d39563db9b373c1e9a0f7ed500643b3ef600336227749f0c09ac16f58c28e8a74fc1da7d9

Download Submit
memory/244-223-0x0000029D6F4C0000-0x0000029D6F568000-memory.dmp

Filesize
672KB

Download
memory/568-224-0x0000019F61A20000-0x0000019F61AC8000-memory.dmp

Filesize
672KB

Download
memory/808-227-0x00000246CC2A0000-0x00000246CC348000-memory.dmp

Filesize
672KB

Download
memory/1700-221-0x00000285747A0000-0x0000028574848000-memory.dmp

Filesize
672KB

Download
memory/1712-149-0x0000022BE3A80000-0x0000022BE3B28000-memory.dmp

Filesize
672KB

Download
memory/1916-131-0x000001E17D310000-0x000001E17D838000-memory.dmp

Filesize
5.2MB

Download
memory/1916-120-0x000001E162450000-0x000001E162468000-memory.dmp

Filesize
96KB

Download
memory/1916-121-0x000001E17CB10000-0x000001E17CCD2000-memory.dmp

Filesize
1.8MB

Download
memory/1916-145-0x000001E17CDE0000-0x000001E17CE88000-memory.dmp

Filesize
672KB

Download
memory/2104-226-0x00000257656D0000-0x0000025765778000-memory.dmp

Filesize
672KB

Download
memory/2148-225-0x000001AE70B60000-0x000001AE70C08000-memory.dmp

Filesize
672KB

Download
memory/2736-222-0x000001AFCCE80000-0x000001AFCCF28000-memory.dmp

Filesize
672KB

Download
memory/3324-147-0x00000243DD4D0000-0x00000243DD578000-memory.dmp

Filesize
672KB

Download
memory/3600-146-0x0000020B40250000-0x0000020B402F8000-memory.dmp

Filesize
672KB

Download
memory/3980-220-0x000001CF8A490000-0x000001CF8A538000-memory.dmp

Filesize
672KB

Download
memory/5024-148-0x0000019C4A930000-0x0000019C4A9D8000-memory.dmp

Filesize
672KB

Download
memory/5056-219-0x000002516D7B0000-0x000002516D858000-memory.dmp

Filesize
672KB

Download
memory/5428-254-0x0000017EE98B0000-0x0000017EE9958000-memory.dmp

Filesize
672KB

Download
memory/5436-255-0x000001C66CF20000-0x000001C66CFC8000-memory.dmp

Filesize
672KB

Download
memory/5444-256-0x000001E69C470000-0x000001E69C518000-memory.dmp

Filesize
672KB

Download
memory/5456-257-0x000001E6519D0000-0x000001E651A78000-memory.dmp

Filesize
672KB

Download
memory/5464-258-0x000001700B500000-0x000001700B5A8000-memory.dmp

Filesize
672KB

Download
memory/5472-259-0x000001AB41FA0000-0x000001AB42048000-memory.dmp

Filesize
672KB

Download
memory/5480-260-0x000001D700530000-0x000001D7005D8000-memory.dmp

Filesize
672KB

Download
memory/5488-261-0x00000227C0260000-0x00000227C0308000-memory.dmp

Filesize
672KB

Download