Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2024 04:09

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
  Resource: win10v2004-20241007-en

General

Target: https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings  (2 TTPs, 7 IoCs)
Looks up country code configured in the registry, likely geofence.
All seven rows query the same value, which holds the numeric GeoID of the user's configured country/region, so the sample can branch on locale without any network request:
  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation

  description        Process
  Key value queried  Bootstrapper (1).exe
  Key value queried  Bootstrapper.exe
  Key value queried  BootstrapperV2.04.exe
  Key value queried  Bootstrapper.exe
  Key value queried  BootstrapperV2.04.exe
  Key value queried  BootstrapperV2.04.exe
  Key value queried  BootstrapperV2.04.exe
Executes dropped EXE  (12 IoCs)

  pid   Process
  3384  Bootstrapper.exe
  4232  BootstrapperV2.04.exe
  1556  Solara.exe
  4848  Bootstrapper.exe
  1204  BootstrapperV2.04.exe
  3252  Solara.exe
  5064  BootstrapperV2.04.exe
  2680  Solara.exe
  1736  BootstrapperV2.04.exe
  1920  Solara.exe
  4872  Bootstrapper (1).exe
  508   BootstrapperV2.04.exe

Legitimate hosting services abused for malware hosting/C2  (1 TTPs, 5 IoCs)

  flow  ioc
  73    pastebin.com
  74    pastebin.com
  85    pastebin.com
  93    pastebin.com
  96    pastebin.com
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry  (2 TTPs, 3 IoCs)

  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

All three rows belong to the browser process, not to the downloaded sample.

Gathers network information  (2 TTPs, 3 IoCs)
Uses commandline utility to view network configuration.

  pid   Process
  4304  ipconfig.exe
  1272  ipconfig.exe
  4876  ipconfig.exe

NTFS ADS  (5 IoCs)

  description                   ioc                                                                Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 319408.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 586595.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 466704.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 523497.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 470574.crdownload:SmartScreen  msedge.exe

The :SmartScreen stream is written by Edge itself on in-progress (.crdownload) downloads as its download-reputation marker; these rows record the five browser downloads, not an ADS created by the sample.
Suspicious behavior: EnumeratesProcesses  (22 IoCs)

  pid   Process              rows
  3764  msedge.exe           2
  2000  msedge.exe           2
  948   identity_helper.exe  2
  3272  msedge.exe           2
  1556  Solara.exe           2
  3252  Solara.exe           2
  2680  Solara.exe           2
  1920  Solara.exe           2
  636   msedge.exe           4
  2240  msedge.exe           2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (9 IoCs)

  pid   Process     rows
  2000  msedge.exe  9
Suspicious use of AdjustPrivilegeToken  (53 IoCs)

WMIC.exe (pid 1420) enabled the following tokens, in this order, twice (42 rows):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
  33, 34, 35, 36
(33 to 36 are privilege LUIDs the sandbox did not resolve to a name.) wmic.exe enables every privilege present in its token at start-up, so this block appears for any wmic invocation; the item of interest is the command it was invoked for, shown in the process tree.

SeDebugPrivilege enabled by the sample's own binaries (11 rows):

  pid   Process
  3384  Bootstrapper.exe
  4232  BootstrapperV2.04.exe
  1556  Solara.exe
  4848  Bootstrapper.exe
  1204  BootstrapperV2.04.exe
  3252  Solara.exe
  5064  BootstrapperV2.04.exe
  2680  Solara.exe
  1736  BootstrapperV2.04.exe
  1920  Solara.exe
  4872  Bootstrapper (1).exe
Suspicious use of FindShellTrayWindow  (64 IoCs)

  pid   Process     rows
  2000  msedge.exe  64

Suspicious use of SendNotifyMessage  (24 IoCs)

  pid   Process     rows
  2000  msedge.exe  24

Suspicious use of WriteProcessMemory  (64 IoCs)

Every row is the Edge browser process (pid 2000) writing into one of its own child processes:

  source pid  Process     target pid  procid_target  rows
  2000        msedge.exe  2608        84             2
  2000        msedge.exe  5028        85             see below
  2000        msedge.exe  3764        86             2
  2000        msedge.exe  2460        87             see below

The remaining 60 rows are split between targets 5028 and 2460. In the process tree, 2608 is the crashpad handler, 5028 the GPU process, 3764 the network service and 2460 the storage service, so this is the browser bootstrapping its sandboxed children rather than injection by the sample. The FindShellTrayWindow and SendNotifyMessage rows are likewise browser UI activity.
Processes

PID 2000  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    PID 2608  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff267146f8,0x7fff26714708,0x7fff26714718

    PID 5028  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

    PID 3764  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    PID 2460  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

    PID 2176  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

    PID 424  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

    PID 2284  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8

    PID 948  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 3016  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8

    PID 2240  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

    PID 2672  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

    PID 3700  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 /prefetch:8

    PID 4992  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 /prefetch:8

    PID 696  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8

    PID 3272  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 2176  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8

    PID 3384  C:\Users\Admin\Downloads\Bootstrapper.exe
      "C:\Users\Admin\Downloads\Bootstrapper.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        PID 4556  C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c ipconfig /all

            PID 4304  C:\Windows\system32\ipconfig.exe
              ipconfig /all
              - Gathers network information

        PID 4696  C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")

            PID 1420  C:\Windows\System32\Wbem\WMIC.exe
              wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
              - Suspicious use of AdjustPrivilegeToken

        PID 4232  C:\Users\Admin\Downloads\BootstrapperV2.04.exe
          "C:\Users\Admin\Downloads\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\Downloads\Bootstrapper.exe" --isUpdate true
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

            PID 1556  C:\ProgramData\Solara\Solara.exe
              "C:\ProgramData\Solara\Solara.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

    PID 3508  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

    PID 1552  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

    PID 3852  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

    PID 4788  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

    PID 4848  C:\Users\Admin\Downloads\Bootstrapper.exe
      "C:\Users\Admin\Downloads\Bootstrapper.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        PID 700  C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c ipconfig /all

            PID 1272  C:\Windows\system32\ipconfig.exe
              ipconfig /all
              - Gathers network information

        PID 1204  C:\Users\Admin\Downloads\BootstrapperV2.04.exe
          "C:\Users\Admin\Downloads\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\Downloads\Bootstrapper.exe" --isUpdate true
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

            PID 3252  C:\ProgramData\Solara\Solara.exe
              "C:\ProgramData\Solara\Solara.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

    PID 636  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5336 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    PID 2680  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

    PID 2240  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15881808951892667348,5316924086483075445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 4872  C:\Users\Admin\Downloads\Bootstrapper (1).exe
      "C:\Users\Admin\Downloads\Bootstrapper (1).exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        PID 4064  C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c ipconfig /all

            PID 4876  C:\Windows\system32\ipconfig.exe
              ipconfig /all
              - Gathers network information

        PID 508  C:\Users\Admin\Downloads\BootstrapperV2.04.exe
          "C:\Users\Admin\Downloads\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\Downloads\Bootstrapper (1).exe" --isUpdate true
          - Executes dropped EXE

PID 1772  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 696  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1340  C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 5064  C:\Users\Admin\Downloads\BootstrapperV2.04.exe
  "C:\Users\Admin\Downloads\BootstrapperV2.04.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

    PID 2680  C:\ProgramData\Solara\Solara.exe
      "C:\ProgramData\Solara\Solara.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

PID 1736  C:\Users\Admin\Downloads\BootstrapperV2.04.exe
  "C:\Users\Admin\Downloads\BootstrapperV2.04.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

    PID 1920  C:\ProgramData\Solara\Solara.exe
      "C:\ProgramData\Solara\Solara.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the downloaded bootstrapper was launched from Downloads three times (PIDs 3384, 4848, 4872) and BootstrapperV2.04.exe twice more on its own (PIDs 5064, 1736). Each launch from Downloads runs cmd /c ipconfig /all, then starts BootstrapperV2.04.exe with --oldBootstrapper <path of the launcher> --isUpdate true, a self-update hand-off; in the runs under 3384 and 4848 and in both stand-alone runs that second stage starts C:\ProgramData\Solara\Solara.exe. Only the first run (PID 3384) also executed wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1"), which replaces the resolver list on every IP-enabled adapter; the call needs administrative rights (the sandbox user is Admin) and the change outlives the process, so on a real host it has to be reverted explicitly. PIDs 696, 2176, 2240 and 2680 appear twice because Windows reused them during the run; pivot on image path plus PID, not PID alone.
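The signatures above and the process tree are the raw record; the following is an added example, not part of the Triage report and not the sample's own code, that replays the behaviours the report records as structured events and runs a handful of detection rules over them: a user-dropped binary querying Geo\Nation, cmd.exe spawned from a Downloads-resident parent, wmic.exe calling SetDNSServerSearchOrder, a binary under C:\ProgramData launched from Downloads, and the --oldBootstrapper/--isUpdate hand-off. The Event shape, its field names, SAMPLE_EVENTS and the assumed explorer.exe parent of the browser are constructions for this example; they echo Sysmon Event ID 1 (process create) and ID 13 (registry value query) but nothing here parses real Sysmon output.

```python
"""Added example (not from the report): event-level detection rules for the
behaviours recorded above. Event fields and SAMPLE_EVENTS are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Locations a standard user can write to; a fresh binary acting from here is
# what makes the otherwise ordinary steps below worth an alert.
USER_WRITABLE = re.compile(r"^c:\\(?:users\\[^\\]+\\downloads|programdata)\\", re.I)
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
DNS_CALL = re.compile(r"setdnsserversearchorder", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Event:
    kind: str              # "proc" (process create) or "reg" (registry value query)
    pid: int
    image: str             # full path of the acting process
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""       # registry path for "reg" events


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dns_servers_from_cmdline(cmdline: str) -> list[str]:
    """Servers passed to SetDNSServerSearchOrder, or [] if this is not such a call."""
    if not DNS_CALL.search(cmdline):
        return []
    return IPV4.findall(DNS_CALL.split(cmdline, maxsplit=1)[1])


def run_rules(events: Iterable[Event]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        from_user_dir = bool(USER_WRITABLE.match(ev.image))
        parent_user_dir = bool(USER_WRITABLE.match(ev.parent_image))
        if ev.kind == "reg":
            # Geofence: a user-dropped binary reading the configured country (GeoID).
            if from_user_dir and GEO_NATION.search(ev.target):
                findings.append(Finding("geofence_lookup", ev.pid, ev.target))
            continue
        name = basename(ev.image)
        lowered = ev.cmdline.lower()
        # DNS hijack: wmic.exe rewriting the resolver list on every IP-enabled NIC.
        if name == "wmic.exe":
            servers = dns_servers_from_cmdline(ev.cmdline)
            if servers:
                findings.append(Finding("dns_hijack", ev.pid, ",".join(servers)))
        # Shell spawned by something running out of a user-writable directory
        # (in the report: cmd /c ipconfig /all and cmd /c wmic ...).
        if name in {"cmd.exe", "powershell.exe"} and parent_user_dir:
            findings.append(Finding("shell_from_user_dir", ev.pid, ev.cmdline))
        # Staging: a binary under C:\ProgramData launched by a Downloads-resident parent.
        if PROGRAMDATA.match(ev.image) and parent_user_dir:
            findings.append(Finding("exec_from_programdata", ev.pid, ev.image))
        # Self-update hand-off specific to this sample: the dropped EXE is given the
        # path of the dropper that launched it. Tune before reusing elsewhere.
        if "--oldbootstrapper" in lowered and "--isupdate true" in lowered:
            findings.append(Finding("self_update_chain", ev.pid, ev.cmdline))
    return findings


# Constructed from the report's process tree and Signatures. The browser's own
# parent (explorer.exe) is assumed; the report does not show it.
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
BOOT = r"C:\Users\Admin\Downloads\Bootstrapper.exe"
BOOT2 = r"C:\Users\Admin\Downloads\BootstrapperV2.04.exe"
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
WMIC_CMD = 'wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'
SAMPLE_EVENTS = [
    Event("proc", 2000, MSEDGE, r"C:\Windows\explorer.exe",
          f'"{MSEDGE}" --start-maximized --single-argument '
          "https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe"),
    Event("reg", 2000, MSEDGE, target=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    Event("proc", 3384, BOOT, MSEDGE, f'"{BOOT}"'),
    Event("reg", 3384, BOOT, target=r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation"),
    Event("proc", 4556, CMD, BOOT, '"cmd" /c ipconfig /all'),
    Event("proc", 4304, r"C:\Windows\system32\ipconfig.exe", CMD, "ipconfig /all"),
    Event("proc", 4696, CMD, BOOT, f'"cmd" /c {WMIC_CMD}'),
    Event("proc", 1420, r"C:\Windows\System32\Wbem\WMIC.exe", CMD, WMIC_CMD),
    Event("proc", 4232, BOOT2, BOOT, f'"{BOOT2}" --oldBootstrapper "{BOOT}" --isUpdate true'),
    Event("proc", 1556, r"C:\ProgramData\Solara\Solara.exe", BOOT2, r'"C:\ProgramData\Solara\Solara.exe"'),
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.rule:<22} pid={f.pid:<5} {f.detail}")
```

Run stand-alone it prints six findings, one per flagged PID. The browser's BIOS lookup and the ipconfig.exe child of cmd.exe stay quiet on purpose: the rules key on where the acting process or its parent lives rather than on the utility name, which is what separates the sample's use of ipconfig and wmic from an administrator's. The self_update_chain rule is tied to this sample's command-line flags and is the first thing to generalise when reusing the rest.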
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 695KB
MD5:    195ffb7167db3219b217c4fd439eedd6
SHA1:   1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Filesize: 133KB
MD5:    c6f770cbb24248537558c1f06f7ff855
SHA1:   fdc2aaae292c32a58ea4d9974a31ece26628fdd7
SHA256: d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b
SHA512: cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Filesize: 5.2MB
MD5:    aead90ab96e2853f59be27c4ec1e4853
SHA1:   43cdedde26488d3209e17efff9a51e1f944eb35f
SHA256: 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512: f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Filesize: 25B
MD5:    a07b495c4f2cf418c610f373e05cf3c5
SHA1:   62440eae8c3749722a4a2d7a118b578fcd2bee62
SHA256: f0d93e3a408559e40649c7e367e1c51012b7caa80424ce8e9b46a17898de5586
SHA512: 816f7466c11372ff6ce1da7331abca7e44af6a6bb67112c6600cfb0c29f4fd84102aa1ee18c5d79608ccea56ac672c8c86b01c4cfefeba5364d31212f8f3952b

Filesize: 5B
MD5:    37aa1f84af14327f56844e2a6e046b8e
SHA1:   4ab41557ec631ee3866c62a76f31339f95da5c40
SHA256: 800febbfd5e51c2df3529c3dbd5ac3216cb3485be40ec10c9f9168382c4bfcd9
SHA512: ef7237d3f954790262bd73f129fda3db2fa7c3b4f9eb827d46d38a033c3198ed1e4921374a9d66a523de7d13bc5754e462b69dab93d7e62827453b0d813ba7de

Filesize: 1KB
MD5:    cde7fd64be09b0eba117a32e8f9fa5f8
SHA1:   fd6ad41a1a33d453a1ac0bbe916b19be7bfd00b7
SHA256: 0db4af16047106c35f28911fb8ffc495c7e656ba2fd2a4606be1a6779abe39e0
SHA512: 65a6fb91efeba69d83209cbc23b22ac103b53bfc71b281f04debc662307e703e107f4273c472843eb420541ad88608bcb03be64e47be6b0649b3affacc86f823

Filesize: 3KB
MD5:    ede267ce211bba2f46e802f160033800
SHA1:   2c70ce7e80e43082e6d183874e5d3c84bbc62cda
SHA256: a34776cfc8b1030eb71a108d636d67c51aa73c1759caa65d5fe5e69d49dd6b60
SHA512: e2600730ac724065b72ea42b5fcf6a2e6857ad54905624225a86cac8dfe0233008ef218ca86e88b5db42729aa16c9d330228ab294431a549551ecc040e80acaf

Filesize: 152B
MD5:    8749e21d9d0a17dac32d5aa2027f7a75
SHA1:   a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256: 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512: c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Filesize: 152B
MD5:    34d2c4f40f47672ecdf6f66fea242f4a
SHA1:   4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256: b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512: 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Filesize: 489B
MD5:    c540cd8f244377716366d53c0f3d6221
SHA1:   d45b9c6069296c07440964b922c43e1e5847e896
SHA256: 909ea7f066e6b91d0b4d761de7dc42d6549d6c91e3d855f4dc4aafd7709281ce
SHA512: a5a6982dfdf5c626d70903c13d236fe892d9a6355b483efc7fd73ec06c102534719ca5f88d4f016f83ff1627c9412c1cfcab8ef4a298cacba120302af0866b0f

Filesize: 5KB
MD5:    8089f66021c9d6812ee0aaa63d50b6c2
SHA1:   a5a3c05666684025e627117c709ca1b3fa4e6a69
SHA256: adecbe42aee86f5a765350a37b567ca7adc34e1c9d652e1e2fa192b6246f3a28
SHA512: ee35a73a4c43834b60667938735435b67fd54f099974b3922f3dade678c2abbb1b9cbbfbe9c8a52b63c581c5ca17a769eca3950761273ccc14d194e8b3760f0e

Filesize: 6KB
MD5:    7dc93991153041c305760de75802bcb2
SHA1:   ceb89840f1be9f52e77236004c113efac790d7f7
SHA256: cade5c8814cbabf47d188a38106f66d2f0af1b395822f0248045655eee9e5ce5
SHA512: 673348d51a8aee00e5f5d8de80c61a28efe148206432e9e490d7b0b80cf56fcada5d7af9f3683eef4fa545c3590de6c17c4805dee0a9244188def9097c1efe04

Filesize: 16B
MD5:    6752a1d65b201c13b62ea44016eb221f
SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5:    83eb095fdbb0b1a98da32bc6b1d5804d
SHA1:   ff8a92edfb9e109f2cfde6d076c69fbaf2070893
SHA256: 44352bd450055eab1d3f4d5a1948c8e16c35fad39e4485c05b0c5bebb933d820
SHA512: fee4f6e961ed58d40a171b93db36683b21d542ddb6325ae4573e84e6ee0cdfe5e60f52b10fad8a0f421c60ae8b9b29d8adfd2a8396eb4439ef8fc1065669e03a

Filesize: 11KB
MD5:    8246c65395ed97976730eef10c94baa9
SHA1:   0e2914b59b7bd60a53e7034bec2caefe947b27d9
SHA256: 9bf19e1269fd355c1e589d32ba4affdfdeb389e8f956179c921aaf57e9b49d91
SHA512: f199c2accb2373debfe8db4402962d280f26a8fa2ee4ad48e68b3af65ae885b277c2d5f6493716e0021b5830ebb36ebe265842c569b9d9bf882e4f754b6ff9b0

Filesize: 10KB
MD5:    833aa9461f9f5a181de16bc7adc214b1
SHA1:   1fabc84130542f0c822bfba2124752ceba802b12
SHA256: 2fc2610385ab83f861a225142a85774c91f99598bdbc65d8ddcccc733d0a406e
SHA512: 2c7d3e63699f4ef5137eb8e716eafaca99868afc3827895fad18db865cfdcc6a4890fa7446f1d5f5bf48a1df9b5da03b60f62b98ae2f9f9faf15104bc3e001a7

Filesize: 10KB
MD5:    8fccaea94cb12bf73fdf2d4c73ae49ba
SHA1:   10e2542df26e9d3c9002e938dea93447b38139ab
SHA256: a0554aed4ad618859eeefbecfa2ff150b29ef318c5ee7a83f378b0418d1b13df
SHA512: 992a3c47014d7e080dc84659cf0f351ff0f3d57acbfdee10f87c7a56407f9c45d31971947d5140ba3ce9c6f904849bb024fa19f53e8bbf893914c194aa38d012

Filesize: 2.8MB
MD5:    be4da425d9b7593e358ffbfca29f9c70
SHA1:   dc98530aad9728d779866ae957a738c52b13a565
SHA256: c5277ddb6e51181d2b8bad59acf5f2badf5613b1e73384a84b793f720aa76c0d
SHA512: 35790944f5855038f8357c0f6d11ea81b260632e590c26f9342e8beb1a8dfd2e3eb9efa11f8378f8542cad45e7675af3d29cf27424accf35aaa6aeb34487155b

Filesize: 79B
MD5:    0284fa0391784125ad3b12be8c92c6ae
SHA1:   e4fe938288c6804d9c79947ad2e39939a595e9f3
SHA256: 789075b8c810f2b63f86dd1f8b7be836178ac679a32f2cb2376e013bc78c68c0
SHA512: 9dd8db4e0017ae906e7c4178a54ea16f03aaba4c17658ed96fc384d2cd51f44c6e514872ba5c7e5f43131eb4d25c063531291d70dfab4422260585742a37e235

Filesize: 103B
MD5:    b016dafca051f817c6ba098c096cb450
SHA1:   4cc74827c4b2ed534613c7764e6121ceb041b459
SHA256: b03c8c2d2429e9dbc7920113dedf6fc09095ab39421ee0cc8819ad412e5d67b9
SHA512: d69663e1e81ec33654b87f2dfaddd5383681c8ebf029a559b201d65eb12fa2989fa66c25fa98d58066eab7b897f0eef6b7a68fa1a9558482a17dfed7b6076aca

Filesize: 7B
MD5:    4047530ecbc0170039e76fe1657bdb01
SHA1:   32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256: 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512: 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Filesize: 800KB
MD5:    2a4dcf20b82896be94eb538260c5fb93
SHA1:   21f232c2fd8132f8677e53258562ad98b455e679
SHA256: ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a
SHA512: 4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288