Resubmissions
15-02-2025 20:37
250215-zeajaatld1 1015-02-2025 20:26
250215-y71eqsspck 1015-02-2025 20:22
250215-y5x7lasqey 10Analysis
-
max time kernel
520s -
max time network
522s -
platform
windows11-21h2_x64 -
resource
win11-20250211-en -
resource tags
-
submitted
15-02-2025 20:37
General
-
Target
https://github.com/Mikeykorby/Educational-Purposes./raw/refs/heads/main/Bootstrapper1.exe
Malware Config
Extracted
xenorat
192.168.1.236
Xeno_rat_nd8912d
-
delay
5000
-
install_path
appdata
-
port
4785
-
startup_name
Solara Bootstrapper Dependinces
Extracted
quasar
1.4.1
yada
192.168.1.236:4782
b796139d-9ac7-4dd6-b216-9d23cb27a8cf
-
encryption_key
A32C977AF70FAC39329AA4FE677FAA9E5BEB3D7E
-
install_name
BoostrapperNew.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Solara Boostrapper Dependinces
-
subdirectory
SubDir
Signatures
-
Detect XenoRat Payload 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Downloads MZ/PE file 2 IoCs
-
Executes dropped EXE 18 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Mikeykorby/Educational-Purposes./raw/refs/heads/main/Bootstrapper1.exe1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff87f153cb8,0x7ff87f153cc8,0x7ff87f153cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\XenoManager\Bootstrapper1.exe"C:\Users\Admin\AppData\Roaming\XenoManager\Bootstrapper1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7347.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5952 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3312 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp52EF.tmp" /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,6697171467394644199,5551261467182421210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Solara Boostrapper Dependinces" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\BoostrapperNew.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\BoostrapperNew.exe"C:\Users\Admin\AppData\Roaming\SubDir\BoostrapperNew.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Solara Boostrapper Dependinces" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\BoostrapperNew.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzlGRUY5QjItOTY0RC00Q0IyLTlEMkYtRjZCQkRFQ0YwMTJCfSIgdXNlcmlkPSJ7QkRGRjhEQjEtMEQ2Ri00QzgzLUJFQkUtOUQzNzYwM0EwOTAxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUVFNkJCRjMtN0QwNi00NDkwLUJEQzYtOURGQ0ZEQkM1RERCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwODgxODk0MDIiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA592.tmp" /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA7EE.tmp" /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzlGRUY5QjItOTY0RC00Q0IyLTlEMkYtRjZCQkRFQ0YwMTJCfSIgdXNlcmlkPSJ7QkRGRjhEQjEtMEQ2Ri00QzgzLUJFQkUtOUQzNzYwM0EwOTAxfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFQUZGODA2Mi0zMTIzLTQwNzUtOUIzRC0zRjcxOUM1Q0RGQUR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNCIgY29ob3J0PSJycmZAMC40NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI0IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1MkQ0NjVGOS0wMUYxLTQ1MTQtODVCMi0zRkU1QjVEMzlERUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjQiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4NDEyNTQ1MDg1MDI2NTAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI0IiByPSI0IiBhZD0iNjYxNiIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7M0E0NjNBREItQTE1My00NkY1LUI2MjEtNTg0NUFFMDNDQkUwfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGNvaG9ydD0icnJmQDAuNTciIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI0IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1NjREQkY2RC0zODUzLTQ0ODQtQjE2OC01NDdERDQ5ODY0NDZ9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C91.tmp" /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8CEC.tmp" /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp868E.tmp" /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\Bootstrapper1.exe"C:\Users\Admin\Downloads\Bootstrapper1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
536KB
MD526321053593fb8c6e0ee6fc76543a7dc
SHA181c93b6d48e7f2ec450603647850a9446fdce66e
SHA2566ffaa14f8344f631800c6efba294a5504b091df98607e7d99342c1f95b34faf2
SHA512034036505a71d2a713d277fb287a0124a04e90ae7ce59e05f947f66e10d35cfefbb04869a70c3cd55ea145c8c709c3a5701097f14210982ae273bd81c4636d2c
-
Filesize
1KB
MD5b4e91d2e5f40d5e2586a86cf3bb4df24
SHA131920b3a41aa4400d4a0230a7622848789b38672
SHA2565d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
-
Filesize
226B
MD51294de804ea5400409324a82fdc7ec59
SHA19a39506bc6cadf99c1f2129265b610c69d1518f7
SHA256494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0
SHA512033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1
-
Filesize
152B
MD5c743f011d7ed53768d6263de076110e3
SHA106a2242398c6120019439f767d965dca0b09be9e
SHA25650a22e70855487f9a451bcd09fb033c0aea8a1f3743821fd99faf0a4eb396813
SHA512339942620fccb0c49d87f0c99370feeb5cb3aebf60064bf5ab3fddad7f8c3c1330284690b148068fc94e64fc2d9bc9657f5a6d038e1a653f314f5fe0c394f240
-
Filesize
152B
MD5601ce2abb603e36824720f68d9572fab
SHA19139cb22b081ccba9c548252df3f74678c101cad
SHA256fad8ae5bf8471db17a344746a32fdfae1b0e457498a25b5129909209506fbfc9
SHA51217765022996fe81a0ce8e30d60970c19ef6b4df9ca2782063c6a724d70e2a1aad1db4282a7875caafde192dfb17cf495b6b53b71f0967b9411bfd963ba949b97
-
Filesize
3.1MB
MD562d9f6384836aa3689de2fbfec9bb7df
SHA1ec70bc0c27e8960e10183d06f4f30867861c05ac
SHA256af1805db073f4300e63bf940091b0efbf7fc36a2b993c2fcd976020359a68306
SHA512a49007fbfac991835282d0bbf5dc625ee49033652f307f0ca1dc0f4db9a9d1a37b1904b2b968a956f1b40f5899337b289fc3fad7d0e9bed9e170f41ad3ec37e7
-
Filesize
261B
MD52c2e6472d05e3832905f0ad4a04d21c3
SHA1007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA5128c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize
5KB
MD53c0d66994ba0ffd67ac96509925be048
SHA1688fcecba29b2a374dece290adb09d5cee0a3599
SHA2567221b84f77990f1f191fcb9d2d68d5a3c1cae1cbf7fc8960a9b3d5950983ef6b
SHA512030d1a40a49db6ae176d710d68943429ac6d2891fcd2df5781585b136a7e2910c6e560f0c1f2ea57de68cc419e4694477eebc2ad99d73ee7996e554a744ce517
-
Filesize
5KB
MD54eedc5a771b00b96c8c18a4d627bdda8
SHA1e61bca5246fc1afcca634291b1904a1a69066dd3
SHA256f2493ed973fc7e35d2a1a7f3ee73294d066f8b676547c04bec9d5e371845033c
SHA5127966620c3f446e678f2aebbb67810906108e636304700e4660b4c6fc4e25a8f9d259b95e7c2c03586431dc7d9a1f752997044aea05324dc1e596ab087666f68f
-
Filesize
371B
MD5bb80dae812836f322f9935f612086681
SHA1f6e1a9105c0b7c413e1687d85c3e81edb6adcb6e
SHA25608907ff3adb0743ce2b6873e393d4f9f9479db0429ed51112dc367a54f763369
SHA512183a5fe9bb86bac0f660cc13da9a54bc01bf934cc92ce50402e63ee7164fe5475d52fc980bd66156edca4afa761c496781272b72fea2b62fbc6d93fda53965e8
-
Filesize
371B
MD535fca89febdbc54ee385251ec3486877
SHA179ce756de404967174d1eeb8bf9ce3f418beb13e
SHA2566490d49c6e8a008a8746a33ad4744c42a1c31a65fdb247c882f5dd2c71ee1673
SHA512ff0e7707974018d81c1638397411292f0320f0fbec2765e31f32027ea736a97247bb4bce94796f08f6c478256bc788c2a39394d9804c96b92204cc1f645a1eb7
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD59d2fcd240a035e6cd993ad46e0d1a187
SHA17203b8e9c5be3b26e9c056b7c8828bb718d85d80
SHA256ecad9daa6072517cbb6842e70f4bb8190d516c149f1431f9de21d3bacc835e2a
SHA512ec9789bac5498a677995c8a2f26b0812613d94bf12e5c54098a4754585ae81cb907e608f96b633f364c1d61733f31676c464576fd09cb0e01f5592024ad2af90
-
Filesize
11KB
MD5a84d971608e3e838491d434a0b0b0f2a
SHA16b2144aa0b2e8c75af7dc81df522d8cc43a031f3
SHA2565a37f3fb0e95319a2d62bdef5013b0e85e684f133e52ffbe9355dbf79d11e9ca
SHA512fe81f26aacfe60a73b6f4eda76641ddc92759b21c3025a9ced33942f2aef0e68e6812a27a20926ce22e50c150cd2e79f09c15bdfde63aff873c4e6082dad10c9
-
Filesize
10KB
MD54cf179de186284e66367600612a34e40
SHA17a9aa4b9bba93f881f1057aac9a9b6eab85b7156
SHA256a3b00946458ab2d59e34ce30dab212691e2af8e4c2b9104fcb65836f692b4dd1
SHA51242fd6079fa9f733adacff728214f2b6b22ef2f0d0bbd52d2b2a4de92091611a81a2a96901570ccc54a3c917b5bc591efe59ed3afaca8f1f88cc0a895c9820c89
-
Filesize
11KB
MD5bdd62506750940cbb03fd9bb65903f12
SHA1faf605c50fd9da963c16f0fed4480d74ea0041dd
SHA256d3710dc7169275ba15b72e9ac4a7f31ce1bf7902f1ef0762c8193217e9cbc276
SHA512f17fc7bb912a52256f595ef5663302420013abbe4e0f0fe5efe79b28881508a2a0be23a40e04e617637520a0415ec5b972837a42c3cf71e1812c4be5336b90c8
-
Filesize
23KB
MD53c0b335b1d1506dfc3d1f4674b9b6ca9
SHA1b9b553ccc9353535839f1c2a9bf5b311370578d1
SHA2562d49a9d03f69c0048d27892bcd3857961d0b1c7f85fd9e53c41e74b3b18a5141
SHA512a195ab104beaa2119fe42a871c2c246a9779a9728457b1cb0182aa35e93913625389f1c66de88df38817e0a459f06c9600d38d96f9adaf05812ba6d4ba7b29aa
-
Filesize
23KB
MD5a52866cde19a888f704a6e88fd7b0232
SHA195012f733c1f8b320e253158e0e9ffaef4223ccd
SHA256b8f331a1ca1c7717b5bd2f2f7105d7f5f99b481ec25fdb3f08459aa3b39cec83
SHA512a39a9011a0a3c4a74ccb87b02df00daccb6a5968909e1cb6a5d1f41ab29262493e5299e603ba6dc5f06f48f0dd972817b1e914498de39c2f529ad2ed22c11f4a
-
Filesize
1KB
MD5da6fd436727f3296b91949a5afce90c5
SHA10927e56c7c2ee565560adb7b6102de83f76fcb9c
SHA25647e03c530dc2a0948cb4164e11342e622d8b02fdb4321973957c8d5055cf7367
SHA5128c4c9163198b90e1d1c53682e59ea506da38b33570cf930b36aeffb47821b1e04ed3b14f6537672d28a0327cf864c856fef5c8db00f6b9f11e994c66a3337c03
-
Filesize
1KB
MD51ec2f0c6c7965b39b79ca1f79ae490a6
SHA15adbb76e1e123c105269819dc073671544c169fe
SHA2566864bffcab80c29d24c572d759669b314b8ed081ea0ba210658dc863cc797c9e
SHA512c1b50441ede202d418de4e1915b67f5d000ebc009e2820d0b24d4fe82bd9f4c21061f558191f7bfd5804e0c0cf74f7aa470873c66b975c35a99f461925243ccd
-
Filesize
136B
MD51cdbf41497f0f427d18724122cf04dd4
SHA1990106c4cbc0c591438b3601872c990425e96fb5
SHA256c98ab74557185932187b27ac457ac1e6a2c87e044d00f3b146d40f04fa0ad614
SHA5121c6a6e733c64a31613a45d6ffccd0f1cd62f86146e072725beba86263441080888dfbab95de4845cfaef48a958bb6414ddcbffbd55c78b92e829d45dd17c08ac
-
Filesize
138B
MD52cdc2194c0a24051f137a211f5cd22f0
SHA1a24d7f4107fd2dcd66cdb349a4b08acbcb7e4e71
SHA256ef201df083a933adaba167f49edcdb2c91228d72571036047cd0882264262e29
SHA512e217396b819e1bbc6bca7242f7e5b3813d86bfb7b401ead0aec72180cbeb4592bff66942bc8321a628a87467edce8b002327f50d674da7bb58899eb7c542f756
-
Filesize
50KB
MD55c515c9244bc27f0f426244c885fa70d
SHA166e1e6a46113b2bd38b6bb3d1e6325af47229668
SHA2565636beed6886a348e3d78ed59e335a0f3b798604afb47f966b1b5853568932a3
SHA5120f91a1dc3777d238b784e1bac7540df01bce101e2eba2b078bb33a4313672ccd6fd1e1b2a3b43befd94a2825807723b718b8198b393f8b72d00dffda2dad66e9
-
Filesize
3.1MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
72KB