Malware Analysis Report

2024-09-22 06:58

Sample ID 240621-ncb4js1dqm
Target XSolaraBoostraper.exe
SHA256 983a63b1512fde7fa38311ecffb3c95ee6c65a9cf1146da42d80d22b55ea6507
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

983a63b1512fde7fa38311ecffb3c95ee6c65a9cf1146da42d80d22b55ea6507

Threat Level: Known bad

The file XSolaraBoostraper.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-21 11:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 11:14

Reported

2024-06-21 11:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI2B0C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2B8A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2BAA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762701.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762701.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE N/A

Note: the key written here is under AuthRoot, the store that Windows' automatic root-certificate update populates when CryptoAPI meets a TLS chain whose root it does not yet hold. Together with the CryptnetUrlCache entries and the Tar1A8A.tmp file in Temp listed under Files, this is consistent with that update running inside the SOLARABOOTSTRAPPER.EXE process during its HTTPS traffic, so the signature is weak evidence on its own. A write to the Root or CA store by the same process would be a different matter.

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
PID 1908 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
PID 1908 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
PID 1908 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
PID 1908 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
PID 1908 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
PID 1908 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
PID 1908 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
PID 2168 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1748 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1748 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1748 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 284 wrote to memory of 2040 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 284 wrote to memory of 2040 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 284 wrote to memory of 2040 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 284 wrote to memory of 2040 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 284 wrote to memory of 2040 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2472 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\WerFault.exe
PID 2472 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\WerFault.exe
PID 2472 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\WerFault.exe
PID 2472 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe

"C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe"

C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE

"C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE"

C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE

"C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe

"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 1CA0125E8199866971F351DB27B1CE03

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BB52325938AA245C85DCE9A4666F3115

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1564
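
Added example, not part of the sandbox's output: a Python script that rebuilds the process tree from the WriteProcessMemory rows above (each parent/child PID pair appears once per call, so the rows are deduplicated into edges) and then flags the scheduled-task persistence chain. The report lists command lines under Processes without PIDs, so the schtasks command line is attached to PID 2776 by hand (2580 is the cmd.exe that spawned it); that join, the user-writable-directory list and the scoring of /sc onlogon plus /rl highest are this example's own assumptions, not sandbox logic.

```python
"""Rebuild the detonation's process tree from the 'Suspicious use of
WriteProcessMemory' rows and flag the scheduled-task persistence chain.
Added example for this report; not output of the sandbox."""
import re
from collections import defaultdict

# Constructed: one line per distinct parent->child pair, copied from the
# WriteProcessMemory table (the report repeats each pair once per call).
WPM_ROWS = r"""
PID 1908 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
PID 1908 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\XSolaraBoostraper.exe C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
PID 2168 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2472 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\msiexec.exe
PID 1748 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe
PID 284 wrote to memory of 2040 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 284 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2472 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE C:\Windows\SysWOW64\WerFault.exe
"""

# Assumption: the schtasks command line from the Processes list is attached
# to PID 2776 by hand; the report does not key command lines by PID.
CMDLINES = {
    2776: r"""schtasks /create /f /sc onlogon /rl highest /tn "SolaraUpdateHoster" /tr '"C:\Users\Admin\AppData\Roaming\SolaraUpdateHoster.exe"'""",
}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Tokens: '"..."' (cmd-style nested quoting), "...", '...', or bare words.
TOKEN = re.compile(r"""'"([^"]*)"'|"([^"]*)"|'([^']*)'|(\S+)""")
# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows_text):
    """Return (paths, parent, children, roots) from WriteProcessMemory rows."""
    paths, parent, children = {}, {}, defaultdict(list)
    for line in rows_text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        paths.setdefault(ppid, m[3])
        paths.setdefault(cpid, m[4])
        if cpid not in parent:  # a repeated row is another write, not a new edge
            parent[cpid] = ppid
            children[ppid].append(cpid)
    roots = [pid for pid in paths if pid not in parent]
    return paths, parent, children, roots


def render(paths, children, pid, depth=0):
    """Indented text rendering of the subtree rooted at pid."""
    lines = ["  " * depth + f"{pid} {paths[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(paths, children, child, depth + 1).splitlines())
    return "\n".join(lines)


def ancestry(pid, parent, paths):
    """Image names from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(basename(paths[pid]))
        pid = parent.get(pid)
    return chain[::-1]


def parse_schtasks(cmdline):
    """Map /flag -> value (or True for bare switches) for a schtasks command."""
    toks = [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(cmdline)]
    flags, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                flags[key] = toks[i + 1]
                i += 1
            else:
                flags[key] = True
        i += 1
    return flags


def find_persistence(paths, parent, cmdlines):
    """Flag schtasks /create calls that look like user-level persistence."""
    findings = []
    for pid, path in paths.items():
        if basename(path).lower() != "schtasks.exe":
            continue
        flags = parse_schtasks(cmdlines.get(pid, ""))
        if "create" not in flags:
            continue
        target = str(flags.get("tr", ""))
        checks = [
            (str(flags.get("sc", "")).lower() == "onlogon", "triggers at every logon"),
            (str(flags.get("rl", "")).lower() == "highest", "requests highest run level"),
            (any(m in target.lower() for m in USER_WRITABLE), "target in a user-writable directory"),
        ]
        reasons = [text for ok, text in checks if ok]
        if reasons:
            findings.append({"pid": pid, "task": flags.get("tn"), "target": target,
                             "reasons": reasons, "chain": ancestry(pid, parent, paths)})
    return findings


if __name__ == "__main__":
    paths, parent, children, roots = build_tree(WPM_ROWS)
    for root in roots:
        print(render(paths, children, root))
    for hit in find_persistence(paths, parent, CMDLINES):
        print(f"[persistence] {hit['task']!r} -> {hit['target']} via "
              f"{' > '.join(hit['chain'])}: {'; '.join(hit['reasons'])}")
```

Two roots fall out of the rows: 1908 (the submitted sample) and 284, the 64-bit msiexec.exe service instance that the Windows Installer starts on its own, which is why its children are not under SOLARABOOTSTRAPPER.EXE. The one finding is the XSolaraBoostraper.exe > DLLHOST.EXE > cmd.exe > schtasks.exe chain registering SolaraUpdateHoster from AppData\Roaming at every logon.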

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.nodejs.org udp
US 104.20.23.46:443 www.nodejs.org tcp
US 8.8.8.8:53 nodejs.org udp
US 104.20.22.46:443 nodejs.org tcp
US 8.8.8.8:53 aka.ms udp
GB 2.17.6.114:443 aka.ms tcp
US 8.8.8.8:53 carolina-reverse.gl.at.ply.gg udp
US 147.185.221.20:34609 carolina-reverse.gl.at.ply.gg tcp
US 147.185.221.20:34609 carolina-reverse.gl.at.ply.gg tcp
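
Added example, not part of the report: a Python triage of the Network table above. It separates the DNS lookups (8.8.8.8 is the sandbox's resolver, not an indicator; the queried names are what matter), the nodejs.org and aka.ms traffic on 443, which this example treats as belonging to the dropped node-v18.16.0-x64.msi decoy install (an assumption), and the TCP connection to a *.ply.gg hostname on port 34609, a playit.gg reverse tunnel and the only candidate AsyncRAT C2 channel here. The decoy-domain allowlist, the tunnel-provider suffix list, and the Suricata rule text and sid range are this example's own assumptions; the generalisation to other tunnel services goes beyond what the report shows.

```python
"""Triage the report's Network table: split sandbox DNS, traffic explained
by the decoy Node.js install, and tunnel-service traffic that looks like C2.
Added example for this report; not output of the sandbox."""
import re
from collections import defaultdict

# Constructed: the Network rows copied from the report.
NETWORK_ROWS = """
US 8.8.8.8:53 www.nodejs.org udp
US 104.20.23.46:443 www.nodejs.org tcp
US 8.8.8.8:53 nodejs.org udp
US 104.20.22.46:443 nodejs.org tcp
US 8.8.8.8:53 aka.ms udp
GB 2.17.6.114:443 aka.ms tcp
US 8.8.8.8:53 carolina-reverse.gl.at.ply.gg udp
US 147.185.221.20:34609 carolina-reverse.gl.at.ply.gg tcp
US 147.185.221.20:34609 carolina-reverse.gl.at.ply.gg tcp
"""

# Assumption: domains the decoy installer (node-v18.16.0-x64.msi) accounts for.
DECOY_DOMAINS = {"nodejs.org", "aka.ms"}
# Assumption: public reverse-tunnel services often used to expose a RAT
# listener running on a residential host (ply.gg is playit.gg).
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".ngrok.app",
                   ".trycloudflare.com", ".serveo.net", ".localhost.run")
STANDARD_PORTS = {80, 443}

ROW = re.compile(r"^(\w{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")


def parse_network(text):
    """Parse 'CC ip:port domain proto' rows into dicts."""
    conns = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                          "domain": m[4].lower(), "proto": m[5]})
    return conns


def tunnel_provider(domain):
    """Matching tunnel suffix without the leading dot, or None."""
    for suffix in TUNNEL_SUFFIXES:
        if domain.endswith(suffix):
            return suffix[1:]
    return None


def is_decoy_domain(domain):
    return domain in DECOY_DOMAINS or any(domain.endswith("." + d) for d in DECOY_DOMAINS)


def classify(conn):
    if conn["proto"] == "udp" and conn["port"] == 53:
        return "dns"
    if tunnel_provider(conn["domain"]):
        return "tunnel-c2-candidate"
    if is_decoy_domain(conn["domain"]) and conn["port"] in STANDARD_PORTS:
        return "expected-decoy"
    return "review"


def triage(text):
    """Return (label counts, tunnel domains, tunnel endpoints) for the table."""
    counts, domains, endpoints = defaultdict(int), set(), set()
    for conn in parse_network(text):
        label = classify(conn)
        counts[label] += 1
        if tunnel_provider(conn["domain"]):  # DNS lookups of the name count too
            domains.add(conn["domain"])
            if label == "tunnel-c2-candidate":
                endpoints.add((conn["ip"], conn["port"], conn["proto"]))
    return dict(counts), sorted(domains), sorted(endpoints)


def suricata_rules(domains, endpoints, sid=1000001):
    """Emit Suricata rules for the tunnel IOCs (sid range is an assumption)."""
    rules = []
    for d in domains:
        rules.append(f'alert dns any any -> any any (msg:"AsyncRAT tunnel C2 lookup {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip, port, proto in endpoints:
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} (msg:"AsyncRAT tunnel C2 '
                     f'{ip}:{port}"; flow:to_server; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    counts, domains, endpoints = triage(NETWORK_ROWS)
    print(counts)
    for ip, port, proto in endpoints:
        note = "non-standard port" if port not in STANDARD_PORTS else "standard port"
        print(f"C2 candidate {ip}:{port}/{proto} ({note})")
    print("\n".join(suricata_rules(domains, endpoints)))
```

Suffix matching is deliberate: the tunnel hostname is three labels under ply.gg, and each new session from the playit.gg client can get a different leftmost label, so the registrable suffix and the IP:port pair are the indicators worth keeping, with the full hostname recorded for this sample only.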

Files

\Users\Admin\AppData\Local\Temp\DLLHOST.EXE

MD5 44359c5e869c44100cfe1dd316d4f0a2
SHA1 26f8aed6286f69c9d9884ffa1c81d931b77e94c1
SHA256 503a126804af61976611e4fa3f4991a2e3c6741029a6ac8aa2c5411a192f2115
SHA512 e3edb5700da4b86ee0ff0e5ba2aff9b2fc2b5107c449cef301c8a6117eaef68ef7b2778d20e7c03a80a44023638faf5a3f5a8536f09996bb1e88fef4ea641210

\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE

MD5 36b62ba7d1b5e149a2c297f11e0417ee
SHA1 ce1b828476274375e632542c4842a6b002955603
SHA256 8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512 fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

memory/2168-14-0x00000000743FE000-0x00000000743FF000-memory.dmp

memory/2168-15-0x00000000000D0000-0x00000000000E2000-memory.dmp

memory/2472-16-0x0000000000DA0000-0x0000000000E6E000-memory.dmp

memory/2472-17-0x00000000743F0000-0x0000000074ADE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1A8A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat

MD5 d6c6ccee9561c48c16b3ea7f980d3db1
SHA1 a61e943f64d7622001294768c88c24e093795505
SHA256 678638abe3a0d55f9173fc75405c68624a554f57d2d55d43ed7a1c90434f805b
SHA512 d82858e37df15598ebb45335ec5d1d4850a2e034084a71882dd9315f8fb4cbfe4e140e61dd7a52f8cb5e9605d2d92349e1f26692d6a1e4b271f96cfe54472ec8

C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

MD5 0e4e9aa41d24221b29b19ba96c1a64d0
SHA1 231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA256 5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512 e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

memory/300-69-0x00000000012C0000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 062b6606b5d6fc33cbe3b7505d571c04
SHA1 f6eab92b1700c239e63c4a3cfa9bf32d3957d7b5
SHA256 2ae7502c49ddea8c2163f67c6a22e950a43871374efd33817ac76636334ec7fa
SHA512 ef4c6cdcca8589b4e811f06ab689dada40575e556ae11a420560069919bf62c8abf801b2185d02ceaa353f7090f6135aa5d35f643be28e05b7df8c76c8cd9bc3

C:\Windows\Installer\MSI2B0C.tmp

MD5 9fe9b0ecaea0324ad99036a91db03ebb
SHA1 144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256 e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512 906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

C:\Windows\Installer\MSI2BAA.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf16eef62236eac156cbe2960ecf06e1
SHA1 a50341fcb4c7cb0ad827fe0185e57ee68536f9e4
SHA256 5b18b3d9b673401d775630a5abf9dabcd1aba916c8ae903e3073d13ca1cc6fe0
SHA512 7482e5f3d8fe4fdfce18d29fef2a42cf1c72d35fd2c0439aca30a6599d332b9342f5bb5f238f6ef880f53141b0b204de2ac80357e23ddeae0f1bb6f9c731217d

memory/2472-146-0x00000000743F0000-0x0000000074ADE000-memory.dmp

memory/300-147-0x0000000000B90000-0x0000000000BF4000-memory.dmp