2a4255d739e42838d49159d7228952b512a2c8ccb6f4b0c8d35543912130dac6

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

797KB
MD5

86bf094b70901e55a281e0a0683dd8b3
SHA1

24afc916d186facaf7885363bf335e3e5b7d69b9
SHA256

2a4255d739e42838d49159d7228952b512a2c8ccb6f4b0c8d35543912130dac6
SHA512

2f33349c13f7778869f4e200380acd9c12e41a981a30005ad01aa8c29442d9bfdfb2a76a1b589be1efb2e4a314cbdf92f691a12b0fa487af4160e7d87ff25e56
SSDEEP

12288:e/+ubxKHJg5bbEjlsqRoAQpjFVfG0c4XqCon9hUpVo34u:Q+ubYHYqRoAQpjFVG0HXqlF4u

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 3 IoCs

pid	Process
1564	vc_redist.x64.exe
1304	vc_redist.x64.exe
4904	Solara.exe

Loads dropped DLL 17 IoCs

pid	Process
3144	MsiExec.exe
3144	MsiExec.exe
2068	MsiExec.exe
2068	MsiExec.exe
2068	MsiExec.exe
2068	MsiExec.exe
2068	MsiExec.exe
5108	MsiExec.exe
5108	MsiExec.exe
5108	MsiExec.exe
3144	MsiExec.exe
1304	vc_redist.x64.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000241d3-2905.dat	themida
behavioral1/memory/4904-2913-0x0000000180000000-0x0000000180B5F000-memory.dmp	themida
behavioral1/memory/4904-2920-0x0000000180000000-0x0000000180B5F000-memory.dmp	themida

Blocklisted process makes network request 2 IoCs

flow	pid	Process
36	2348	msiexec.exe
38	2348	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
69	raw.githubusercontent.com
70	raw.githubusercontent.com
73	pastebin.com
75	pastebin.com
6	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4904	Solara.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks-proxy-agent\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-bugs.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\clone.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npx.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\orgs.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\infer-owner\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\default-opts.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\registry.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\promise-spawn\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\client\socksclient.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\verify.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-docs.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\scope.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\cssesc.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-support\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\bin\cssesc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\npmlog\lib\log.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\entry-index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promzard\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-help-search.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\doctor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-link.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\brace-expansion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\check-listener-leaks.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-flush\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\prepend.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\parse-conflict-json\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-owner.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explore.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\internal\streams\from-browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\list.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\has-color.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-package-arg\lib\npa.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-dedupe.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\protobuf\timestamp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\events-once.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-publish.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-audit.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-login.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-package-json-fast\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\updater.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\compare-build.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\util\glob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\sync.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\issuer.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-org.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\emacs\testdata\media.gyp	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\.github\workflows\Python_tests.yml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\prune.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\cli\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\client\rekor.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\high-level-opt.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-pick-manifest\LICENSE.md	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICD54.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID11E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID381.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD63.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID352.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c826.msi	msiexec.exe
File created	C:\Windows\Installer\e57c822.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC1F.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c822.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3804	Bootstrapper.exe
2348	msiexec.exe
2348	msiexec.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe
4904	Solara.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	Bootstrapper.exe
Token: SeShutdownPrivilege	2360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2360	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeCreateTokenPrivilege	2360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2360	msiexec.exe
Token: SeLockMemoryPrivilege	2360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2360	msiexec.exe
Token: SeMachineAccountPrivilege	2360	msiexec.exe
Token: SeTcbPrivilege	2360	msiexec.exe
Token: SeSecurityPrivilege	2360	msiexec.exe
Token: SeTakeOwnershipPrivilege	2360	msiexec.exe
Token: SeLoadDriverPrivilege	2360	msiexec.exe
Token: SeSystemProfilePrivilege	2360	msiexec.exe
Token: SeSystemtimePrivilege	2360	msiexec.exe
Token: SeProfSingleProcessPrivilege	2360	msiexec.exe
Token: SeIncBasePriorityPrivilege	2360	msiexec.exe
Token: SeCreatePagefilePrivilege	2360	msiexec.exe
Token: SeCreatePermanentPrivilege	2360	msiexec.exe
Token: SeBackupPrivilege	2360	msiexec.exe
Token: SeRestorePrivilege	2360	msiexec.exe
Token: SeShutdownPrivilege	2360	msiexec.exe
Token: SeDebugPrivilege	2360	msiexec.exe
Token: SeAuditPrivilege	2360	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2360	msiexec.exe
Token: SeChangeNotifyPrivilege	2360	msiexec.exe
Token: SeRemoteShutdownPrivilege	2360	msiexec.exe
Token: SeUndockPrivilege	2360	msiexec.exe
Token: SeSyncAgentPrivilege	2360	msiexec.exe
Token: SeEnableDelegationPrivilege	2360	msiexec.exe
Token: SeManageVolumePrivilege	2360	msiexec.exe
Token: SeImpersonatePrivilege	2360	msiexec.exe
Token: SeCreateGlobalPrivilege	2360	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	1428	wevtutil.exe
Token: SeBackupPrivilege	1428	wevtutil.exe
Token: SeSecurityPrivilege	884	wevtutil.exe
Token: SeBackupPrivilege	884	wevtutil.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 2360	3804	Bootstrapper.exe	93
PID 3804 wrote to memory of 2360	3804	Bootstrapper.exe	93
PID 3804 wrote to memory of 2360	3804	Bootstrapper.exe	93
PID 2348 wrote to memory of 3144	2348	msiexec.exe	97
PID 2348 wrote to memory of 3144	2348	msiexec.exe	97
PID 2348 wrote to memory of 2068	2348	msiexec.exe	98
PID 2348 wrote to memory of 2068	2348	msiexec.exe	98
PID 2348 wrote to memory of 2068	2348	msiexec.exe	98
PID 2348 wrote to memory of 5108	2348	msiexec.exe	101
PID 2348 wrote to memory of 5108	2348	msiexec.exe	101
PID 2348 wrote to memory of 5108	2348	msiexec.exe	101
PID 5108 wrote to memory of 1428	5108	MsiExec.exe	102
PID 5108 wrote to memory of 1428	5108	MsiExec.exe	102
PID 5108 wrote to memory of 1428	5108	MsiExec.exe	102
PID 1428 wrote to memory of 884	1428	wevtutil.exe	104
PID 1428 wrote to memory of 884	1428	wevtutil.exe	104
PID 3804 wrote to memory of 1564	3804	Bootstrapper.exe	109
PID 3804 wrote to memory of 1564	3804	Bootstrapper.exe	109
PID 3804 wrote to memory of 1564	3804	Bootstrapper.exe	109
PID 1564 wrote to memory of 1304	1564	vc_redist.x64.exe	110
PID 1564 wrote to memory of 1304	1564	vc_redist.x64.exe	110
PID 1564 wrote to memory of 1304	1564	vc_redist.x64.exe	110
PID 3804 wrote to memory of 4904	3804	Bootstrapper.exe	111
PID 3804 wrote to memory of 4904	3804	Bootstrapper.exe	111

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\msiexec.exe
  "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Temp\{D44D031C-09E1-402B-958B-105855CFE2CA}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{D44D031C-09E1-402B-958B-105855CFE2CA}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1304
- C:\ProgramData\Solara\Solara.exe
  "C:\ProgramData\Solara\Solara.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 57313F94AC53FEF9D5AE5D017D1F219B
  2⤵
  - Loads dropped DLL
  PID:3144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 81A849AA04F16DAD61CBE94D88808F4F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BC4F639C2EF237BCA79DB09F55E7CBD1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c825.rbs

Filesize
1.0MB

MD5
11a356edcdec1b6f67b4d86c195be674

SHA1
b2835bdb5175396e7fb921616f32bf8970b2db12

SHA256
662cbce46b5366182190fbef3a682b74c1a40844f56bea6d751b19d6aa25bf2a

SHA512
5647a9e487df808d80322bc33156996d8550586696c8b93dc2fb03b395f626f08e5d44ec1048024d8333beb5f212f027b9a81c9ca0cd7074de1adcdcd71e9715

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll

Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.dll

Filesize
4.4MB

MD5
d2095e81b64ae68f6315e2a84bcf7e77

SHA1
c822a738341d9c7a551bb38f5dd9d288975ab45a

SHA256
9664bb7b9e94eec10aed5c7b8b198efee20056da51537066d1f4894fd72c7f38

SHA512
df43ea1eed8a18224591d34e7ca519c181f1d7999dad53a1b5cc9b2467c1a7e5466ef41f9df51ada51a94aa4cea196ce670c124e5112c2261056207fc7545e15

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
92KB

MD5
a03d8871ac626b0e49e2879ae7190d85

SHA1
f377ac96377711a66e6518020a71106c036cb8cf

SHA256
901d866f9c3bd5bbb6e3482a9488bcc60e7748727515569d4305bea87ab8940a

SHA512
04f060fbffc2d097706033e2915f5097aa77b58eaad23d0b3df547f6a78d2ca8717651caed29e2cc2d2e2bd52a09ea43905b7f405d1d4c723ef44e88c3e21ce8

Download Submit
C:\ProgramData\Solara\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\ProgramData\Solara\bin\path.txt

Filesize
34B

MD5
0e2184f1c7464b6617329fb18f107b4f

SHA1
6f22f98471e33c9db10d6f6f1728e98852e25b8f

SHA256
dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb

SHA512
8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37

Download Submit
C:\ProgramData\Solara\libcurl.dll

Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\ProgramData\Solara\vcruntime140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\ProgramData\Solara\zlib1.dll

Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

Filesize
24.1MB

MD5
e091e9e5ede4161b45b880ccd6e140b0

SHA1
1a18b960482c2a242df0e891de9e3a125e439122

SHA256
cee28f29f904524b7f645bcec3dfdfe38f8269b001144cd909f5d9232890d33b

SHA512
fa8627055bbeb641f634b56059e7b5173e7c64faaa663e050c20d01d708a64877e71cd0b974282c70cb448e877313b1cf0519cf6128c733129b045f2b961a09b

Download Submit
C:\Windows\Installer\MSICCB6.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSICD54.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSID352.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Temp\{132BB304-4C3B-4A43-BCD9-855CE4CA8A14}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{132BB304-4C3B-4A43-BCD9-855CE4CA8A14}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{D44D031C-09E1-402B-958B-105855CFE2CA}\.cr\vc_redist.x64.exe

Filesize
634KB

MD5
cb264f7d256b42a54b2129b7a02c1ce3

SHA1
d71459e24185f70b0c8647758663b1116a898412

SHA256
d6aaee30c9b7edeac6939f78f4a55683c6358d9cc03dac487880d01f18700e83

SHA512
4f623f5d21bc216f3dd040e6d0c663a8ea37efe5d0ce5f4aeb1ef5c1f7c873e19d1abc979d3e40d4dc70e2e4f0fc9a1b114b17d9eb852ea9a41d0f84356cd7cb

Download Submit
memory/3804-2892-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3804-2-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/3804-1971-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/3804-2476-0x0000000006AD0000-0x0000000006ADA000-memory.dmp

Filesize
40KB

Download
memory/3804-2478-0x0000000006B00000-0x0000000006B12000-memory.dmp

Filesize
72KB

Download
memory/3804-5-0x0000000006460000-0x00000000067B4000-memory.dmp

Filesize
3.3MB

Download
memory/3804-2370-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3804-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x00000000009E0000-0x0000000000AAE000-memory.dmp

Filesize
824KB

Download
memory/3804-4-0x0000000006430000-0x0000000006452000-memory.dmp

Filesize
136KB

Download
memory/3804-3-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4904-2897-0x0000018755B60000-0x0000018755C12000-memory.dmp

Filesize
712KB

Download
memory/4904-2902-0x00000187566E0000-0x000001875675E000-memory.dmp

Filesize
504KB

Download
memory/4904-2900-0x0000018755A60000-0x0000018755A6E000-memory.dmp

Filesize
56KB

Download
memory/4904-2898-0x0000018755A70000-0x0000018755A92000-memory.dmp

Filesize
136KB

Download
memory/4904-2891-0x000001873B370000-0x000001873B38C000-memory.dmp

Filesize
112KB

Download
memory/4904-2895-0x0000018755AA0000-0x0000018755B5A000-memory.dmp

Filesize
744KB

Download
memory/4904-2913-0x0000000180000000-0x0000000180B5F000-memory.dmp

Filesize
11.4MB

Download
memory/4904-2894-0x0000018755E20000-0x000001875635C000-memory.dmp

Filesize
5.2MB

Download
memory/4904-2916-0x00000187566B0000-0x00000187566B8000-memory.dmp

Filesize
32KB

Download
memory/4904-2918-0x00000187566D0000-0x00000187566DE000-memory.dmp

Filesize
56KB

Download
memory/4904-2917-0x000001875AC40000-0x000001875AC78000-memory.dmp

Filesize
224KB

Download
memory/4904-2920-0x0000000180000000-0x0000000180B5F000-memory.dmp

Filesize
11.4MB

Download