asyncrat | e97fee577801ecbaf43de7c1709734a498d5c1f472d0e00bdd12a06a3621adfc

Analysis

max time kernel
77s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

63KB
MD5

6c9fa73d768bca2a8caa6be510efef95
SHA1

0e86a3ce627b02263d1f9bd0a0e8d87f1014989f
SHA256

e97fee577801ecbaf43de7c1709734a498d5c1f472d0e00bdd12a06a3621adfc
SHA512

8b457bb7afe3ec80315dc041f66f873573d04a2aebc21adbdb4f0bafc5253534d212fdb8cdc7b9ed5630bfd05835f994dec5bdf859d473a127b29c08b6b95335
SSDEEP

768:ijwu/n3jzh78J4C8A+XTSazcBRL5JTk1+T4KSBGHmDbD/ph0oXneGr/SugdpqKYC:CrzV4dSJYUbdh9huugdpqKmY7

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

run-neither.gl.at.ply.gg:33834

Attributes

delay
1
install
true
install_file
xdwdSystem32.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000200000001e77e-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Solara.exe

Executes dropped EXE 3 IoCs

pid	Process
4872	xdwdSystem32.exe
4704	xdwdSystem32.exe
6124	xdwdSystem32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4232	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796304396655052"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
3584	Solara.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe
4872	xdwdSystem32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	Solara.exe
Token: SeDebugPrivilege	3584	Solara.exe
Token: SeDebugPrivilege	4872	xdwdSystem32.exe
Token: SeDebugPrivilege	4872	xdwdSystem32.exe
Token: SeDebugPrivilege	3284	Solara.exe
Token: SeDebugPrivilege	4704	xdwdSystem32.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeDebugPrivilege	6124	xdwdSystem32.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeDebugPrivilege	4296	Solara.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3060	3584	Solara.exe	84
PID 3584 wrote to memory of 3060	3584	Solara.exe	84
PID 3584 wrote to memory of 3408	3584	Solara.exe	86
PID 3584 wrote to memory of 3408	3584	Solara.exe	86
PID 3408 wrote to memory of 4232	3408	cmd.exe	88
PID 3408 wrote to memory of 4232	3408	cmd.exe	88
PID 3060 wrote to memory of 1744	3060	cmd.exe	89
PID 3060 wrote to memory of 1744	3060	cmd.exe	89
PID 3408 wrote to memory of 4872	3408	cmd.exe	90
PID 3408 wrote to memory of 4872	3408	cmd.exe	90
PID 1584 wrote to memory of 1708	1584	chrome.exe	109
PID 1584 wrote to memory of 1708	1584	chrome.exe	109
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 2892	1584	chrome.exe	110
PID 1584 wrote to memory of 5076	1584	chrome.exe	111
PID 1584 wrote to memory of 5076	1584	chrome.exe	111
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112
PID 1584 wrote to memory of 4380	1584	chrome.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "xdwdSystem32" /tr '"C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "xdwdSystem32" /tr '"C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe
    "C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe
"C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffa59bcc40,0x7fffa59bcc4c,0x7fffa59bcc58
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4760,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3324,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3728,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4076,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3480,i,11964549937625840306,7093259112393368828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:2
  2⤵
  PID:5500

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe
"C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a05aae18fbc3e3a31b9572a97f94f313

SHA1
46aaf36878a3840198e77fb63039e7db1fbd84dd

SHA256
7b022c1d4a62d3b25656c2d35d4e6dc604914298813c5eb94e19d906a286fa61

SHA512
c114d811db58ffacfdbaf1e8875dc580af24f0059364a19c816f17830720aca13f4a79260d5d41e3bbf52f0fdde8827b826bd1ebf20abd95c52b8b777f20afaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
b417ad116b29c71f7591e86ba3ade057

SHA1
bde4467232c3dd40c44625b25fcc845428719e6b

SHA256
f62f426cddec493e2f8e323eb83d38dfdd53111ded6ce851d1c01b047f4dc23b

SHA512
702733ba8141eca47d457db09258f9745e626a5cf4c486adfc3937c28f3e39d4e26a3c5aa400947a5f2c0bf5eed69746a29ef196b51c4484c3255b47effbb2da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
7055135033ff84522d187262f53fa03d

SHA1
4179a6310960f4c931b5cde0c4d7156a180e301a

SHA256
13ce674a82f36780f4e8848e8b14f6d126382a9b73557d9b19f276fc0f3c9778

SHA512
5b43c610924bb3ae7181187bbee0745e8f05716dd458e5c462f7b4ab57a667d0db8bd05732f2a682fb2616fa6fda430697f3148aa26e9aa8622626cfd91b6138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5762a999d0a3b20474f099b1c3c92a4

SHA1
4b9a8e83f966ac81952dff3110fc47e0607a69da

SHA256
449cdc14a31eb202bba68aa6bfb40f74fe7aad0f26f5291a0f6019716d073471

SHA512
92c77122b47b6a32bbd74e1df1f16d7b02807db6afcfa108d1c4bdb9719201c8ea56f728748fb707e9f9fe61b7e45c0babeaa3ebee6d41bf612eef55f3ae801e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68e47ab2581379601fe392fa6c6d3225

SHA1
12d224ab5502dea49616a2a8e833977006cf73fa

SHA256
a9fa6ccc6d583a892f2aa0ee525f245ee142303850213391223e74327978742e

SHA512
eac14be36532d25be34047d54f2a7ccba0b5f8d676a0027d691dd83afc3db6edaeb6afe4891f86459eddfec44fd45026aa88e8c144fdd23e8169f9eafac4d7b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1c601af2888b5c9855a599c076696162

SHA1
45dcce8a16a2911633fe9b456dc18b4a84dc92b3

SHA256
0f52b5ffd9404b87b7b9e2e19c41fd657023683ceb2f4f3f2569d4808cc06e4f

SHA512
2ee77715b47f656d1c0131aa5c5a85c61258d2ea4b310ebe3918e4a2c90b8661d86c093a72b1fcd4812cb0787622bd90a4cb2c2e8adf750b69a2087ea2821b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
053c87f3020570b64dc9fd55d3f11643

SHA1
4aa56b4cdb38dd5101792ec6f60f3246a990631d

SHA256
ca2065083634eadf8fe210a8db97875c92780b3cfebe8b9540d2c53685231109

SHA512
5d06471dfb73f55821320a6e4b4f3df248e689a5fa58917129e30caeb8a09b3391686e06b4b54979876de24f555af7854e2475c4d4613f145171433bf5508359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
411100d7872be934bf4dada86471dd16

SHA1
1b6b691de7ac4b812c49caf8e95eff9f17f2f05f

SHA256
2a12972377f067ea79c3f04943aa0765651f69c3886db00617571ad7f94983b4

SHA512
0167e8ec535692d40e7a0b479d56e61831b90afd56c027d4800fbbdc07af619dae7583b2a1cb00ca15ee7acc75693e8e9a80787ef47f173404374bf4f90af9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara.exe.log

Filesize
871B

MD5
d58f949aad7df2e7b55248bfdfc6e1b8

SHA1
6713cad396b5808b66ede2dd9b169e00d5e5018f

SHA256
5e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a

SHA512
bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1584_1238850244\5ccb3f91-ccc3-48d5-ac67-c84b664e3126.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1584_1238850244\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp.bat

Filesize
159B

MD5
210acac15c4f05c1d657d17528c29797

SHA1
d772d07636543813affe4a092cf7e5b9ba90ba95

SHA256
18452dcd3b01fc183a2491c5ee7009b00cbf11f27ee987e026f4d7e7223d125b

SHA512
27d25f8c7fd5ad508dc0e4a44fb1d201b6c580d6ccbd463d021967c5c0274c2462e159268108b2049a17fdce756e5117fb7785a31f0c4c60c75a155cf9ea29c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdwdSystem32.exe

Filesize
63KB

MD5
6c9fa73d768bca2a8caa6be510efef95

SHA1
0e86a3ce627b02263d1f9bd0a0e8d87f1014989f

SHA256
e97fee577801ecbaf43de7c1709734a498d5c1f472d0e00bdd12a06a3621adfc

SHA512
8b457bb7afe3ec80315dc041f66f873573d04a2aebc21adbdb4f0bafc5253534d212fdb8cdc7b9ed5630bfd05835f994dec5bdf859d473a127b29c08b6b95335

Download Submit
memory/3584-0-0x00007FFFAC463000-0x00007FFFAC465000-memory.dmp

Filesize
8KB

Download
memory/3584-8-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3584-7-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3584-2-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3584-1-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download