Analysis Overview
SHA256
37fc35152df715d72c9c4fc531936776addafa3ba97477d78e5dd2c2eb8c1708
Threat Level: Likely malicious
The file solar_beta.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Detects videocard installed
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 10:21
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
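The static "Detects Pyinstaller" hit above has no indicator attached, and the Files section later in this report shows what the sandbox actually saw: a `_MEI43482` directory under `%TEMP%` holding `python311.dll`, `base_library.zip` and a set of `.pyd` modules, which is the layout a PyInstaller onefile bundle unpacks at start-up. The following is an added example written for this page, not the sandbox's own rule: it recognises a PyInstaller bundle two ways, by parsing the 88-byte cookie PyInstaller appends to the end of its archive (layout and magic taken from the format string in PyInstaller's own archive reader, `!8sIIii64s`; cookies from bootloaders older than PyInstaller 2.1 are shorter and are not handled) and by a filesystem heuristic over dropped-file paths like those listed on this page. The sample PE bytes are constructed, not the real `solar_beta.exe`; the function names are the editor's.

```python
import struct
from typing import Optional

# PyInstaller appends its CArchive to the bootloader PE. The archive ends with a
# fixed 88-byte cookie whose layout (from PyInstaller's archive reader) is:
#   char magic[8] = 'MEI\014\013\012\013\016', uint32 package length,
#   uint32 TOC offset, int32 TOC length, int32 python version (311 == 3.11),
#   char pylibname[64] (the interpreter DLL the bootloader must load).
# Assumption: PyInstaller >= 2.1 cookie layout.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` (a whole PE image) carries a PyInstaller
    archive, else None. The cookie is the last thing in the package, so search
    from the tail; a forward search could match the magic inside embedded data."""
    idx = data.rfind(PYI_MAGIC)
    if idx < 0 or idx + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[idx:idx + COOKIE_LEN])
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",  # 311 -> "3.11"
        "python_dll": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def looks_like_pyinstaller_runtime(paths) -> bool:
    """Behavioural check (editor's heuristic): a onefile bundle unpacks into
    %TEMP%\\_MEI<nnnnn>\\ and always drops base_library.zip plus the
    interpreter DLL (python3NN.dll) there."""
    mei = [p.lower() for p in paths if "\\_mei" in p.lower()]
    has_zip = any(p.endswith("\\base_library.zip") for p in mei)
    has_dll = any(p.rsplit("\\", 1)[-1].startswith("python3") and p.endswith(".dll")
                  for p in mei)
    return has_zip and has_dll


# Constructed sample: a stand-in PE tail carrying a PyInstaller cookie for a
# Python 3.11 bundle (not the real solar_beta.exe bytes).
SAMPLE_COOKIE = struct.pack(COOKIE_FMT, PYI_MAGIC, 5_000_000, 4_990_000, 9_912, 311,
                            b"python311.dll")
SAMPLE_PE = b"MZ" + b"\x00" * 1024 + SAMPLE_COOKIE

# Dropped-file paths as listed in this report's Files section.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI43482\python311.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI43482\base_library.zip",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI43482\_ssl.pyd",
]

if __name__ == "__main__":
    print(find_pyinstaller_cookie(SAMPLE_PE))
    print(looks_like_pyinstaller_runtime(SAMPLE_PATHS))
```

The cookie check works on the file at rest, so it fires even when the bundle never runs; the runtime check is what a sandbox sees and is the cheaper one to express as a file-drop signature. Neither says anything about the Python payload itself, which is compressed inside the archive and has to be extracted and decompiled separately.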
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 10:21
Reported
2024-06-20 10:24
Platform
win10v2004-20240611-en
Max time kernel
167s
Max time network
168s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches recorded for this signature; the sandbox attached no indicator, process or target to any of them)
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID not mapped to a name by the sandbox) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\solar_beta.exe
"C:\Users\Admin\AppData\Local\Temp\solar_beta.exe"
C:\Users\Admin\AppData\Local\Temp\solar_beta.exe
"C:\Users\Admin\AppData\Local\Temp\solar_beta.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa389e855 /state1:0x41c64e6d
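The process tree above is the most useful part of this report for detection engineering: the sample fingerprints the host with `ver` and four WMIC queries, enumerates saved Wi-Fi profiles with `netsh wlan show profiles`, then chains PowerShell calls that switch off Defender's real-time, IOAV and script scanning, disable cloud (MAPS) reporting and sample submission, and add exclusions for `%USERPROFILE%\AppData` and every `.exe`, before the copy in the Startup folder repeats the whole sequence. The following is an added example, not code from the sandbox or from the sample: a small rule set that runs over process command lines and tags each match with the ATT&CK technique the editor maps it to (the mapping and the rule names are the editor's, not the report's). The sample input is constructed from command lines copied verbatim from the Processes section above, plus the benign `ver` call, which must not fire.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str   # MITRE ATT&CK technique ID (editor's mapping)
    rule: str
    cmdline: str


# Editor's rules. Patterns are applied to the raw command line, case-insensitively.
# '[^|&]*' keeps a match inside one segment of a cmd.exe '&'/'&&' chain, so a
# -Disable flag in one powershell call is not paired with a later unrelated call.
RULES = [
    ("T1562.001", "Defender engine feature disabled (Set-MpPreference -Disable* $true)",
     re.compile(r"Set-MpPreference[^|&]*-Disable\w+\s+\$true", re.I)),
    ("T1562.001", "Defender exclusion added (path / extension / process)",
     re.compile(r"(Add|Set)-MpPreference[^|&]*-Exclusion(Path|Extension|Process)\b", re.I)),
    ("T1562.001", "Defender cloud protection or sample submission turned off",
     re.compile(r"Set-MpPreference[^|&]*(-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+(NeverSend|2)\b)", re.I)),
    ("T1016", "Saved Wi-Fi profiles enumerated (netsh wlan show profiles)",
     re.compile(r"netsh\s+wlan\s+show\s+profiles?", re.I)),
    ("T1082", "System fingerprinting via WMIC (UUID / OS / CPU / RAM)",
     re.compile(r"wmic(\.exe)?\s+(csproduct\s+get\s+uuid|os\s+get\s+caption|"
                r"cpu\s+get\s+name|computersystem\s+get\s+totalphysicalmemory)", re.I)),
    ("T1082", "GPU enumeration (common VM/sandbox check)",
     re.compile(r"wmic(\.exe)?\s+path\s+win32_videocontroller\s+get\s+name", re.I)),
    ("T1547.001", "Executable run from the user Startup folder",
     re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\"]+\.exe', re.I)),
]


def scan(cmdlines):
    """Return one Hit per (rule, command line) pair that matches."""
    hits = []
    for cmd in cmdlines:
        for technique, rule, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Hit(technique, rule, cmd))
    return hits


def summarize(hits):
    """Count hits per ATT&CK technique, e.g. Counter({'T1562.001': 4, ...})."""
    return Counter(h.technique for h in hits)


# Constructed input: command lines copied from this report's Processes section.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\solar_beta.exe"',
    r'C:\Windows\system32\cmd.exe /c "ver"',
    r"C:\Windows\System32\wbem\WMIC.exe csproduct get uuid",
    r"netsh wlan show profiles",
    r"powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true "
    r"-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
    r"-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
    r"-MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
    r'powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"',
    r'''powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"''',
    r"wmic path win32_VideoController get name",
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\solar_beta.exe"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit.technique, "|", hit.rule, "|", hit.cmdline[:70])
    print(summarize(scan(SAMPLE_CMDLINES)))
```

Two caveats that follow from the page itself. The second exclusion expands `%USERPROFILE%\Local` to `C:\Users\Admin\Local`, a directory that does not exist in a default profile, so that call is a no-op; the `AppData` exclusion is the one that matters, since it covers both the `_MEI43482` runtime under `AppData\Local\Temp` and the persistence copy under `AppData\Roaming\...\Startup`. And `Set-MpPreference`/`Add-MpPreference` only take effect when run with administrative rights and with Tamper Protection off; the report records the attempts, not whether Defender accepted them, so the command lines are the indicator, not the resulting state.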
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
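Most rows in the Network table are not the sample's traffic: the `in-addr.arpa` queries are reverse lookups the OS and sandbox make for every peer they see, the `8.8.8.8:53` rows are resolutions rather than connections, and `g.bing.com`, `www.bing.com` and `tse1.mm.bing.net` are background traffic a Windows 10 desktop generates on its own. What is left is `api.ipify.org` (the "Looks up external IP address via web service" signature), `raw.githubusercontent.com` and `discord.com` over 443 (the "Legitimate hosting services abused" signature). The following is an added example, not part of the sandbox output: it parses rows in the table's own pipe format and sorts them into those buckets. The Bing allowlist is the editor's assumption about sandbox noise, not a claim the report makes, and the sample table is constructed from rows copied from above.

```python
import re
from collections import Counter

# Hosts Windows 10 contacts on its own during a detonation (Bing search and
# Spotlight tiles). Editor's allowlist for triage, not part of the sandbox verdict.
SANDBOX_NOISE = {"g.bing.com", "www.bing.com", "tse1.mm.bing.net"}

# One data row of the report's Network table: | CC | ip:port | domain | proto |
ROW = re.compile(
    r"^\|\s*(?P<cc>\w{2})\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>\S+)\s*\|\s*(?P<proto>tcp|udp)\s*\|$")


def parse_rows(table_text):
    """Yield a dict per data row; the header and any malformed line are skipped."""
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()


def triage(table_text):
    """Split the table into IOC candidates, OS noise, PTR lookups and DNS queries."""
    result = {"ioc": {}, "noise": Counter(), "ptr_lookups": 0, "dns_queries": set()}
    for row in parse_rows(table_text):
        domain = row["domain"].lower()
        if domain.endswith(".in-addr.arpa"):
            result["ptr_lookups"] += 1          # reverse lookups by the OS/sandbox, never an IOC
            continue
        if row["port"] == "53":
            result["dns_queries"].add(domain)   # resolution only; the resolver is not the sample's peer
            continue
        if domain in SANDBOX_NOISE:
            result["noise"][domain] += 1
            continue
        entry = result["ioc"].setdefault(domain, {"endpoints": set(), "connections": 0})
        entry["endpoints"].add(f'{row["ip"]}:{row["port"]}')
        entry["connections"] += 1
    return result


# Constructed sample: a subset of rows copied from this report's Network table.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
"""

if __name__ == "__main__":
    r = triage(SAMPLE_TABLE)
    for domain, entry in r["ioc"].items():
        print(domain, sorted(entry["endpoints"]), entry["connections"])
    print("noise:", dict(r["noise"]), "ptr lookups:", r["ptr_lookups"])
```

The report records domains and endpoints only, not URL paths or request bodies, so this page cannot confirm whether the `discord.com` connections are webhook posts or what was fetched from `raw.githubusercontent.com`; both IPs belong to shared CDN ranges and should be treated as weak indicators next to the domains and the command lines.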
Files
C:\Users\Admin\AppData\Local\Temp\_MEI43482\python311.dll
| MD5 | 0b66c50e563d74188a1e96d6617261e8 |
| SHA1 | cfd778b3794b4938e584078cbfac0747a8916d9e |
| SHA256 | 02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2 |
| SHA512 | 37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
memory/5092-127-0x00007FFB6B730000-0x00007FFB6BD19000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43482\base_library.zip
| MD5 | d220b7e359810266fe6885a169448fa0 |
| SHA1 | 556728b326318b992b0def059eca239eb14ba198 |
| SHA256 | ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d |
| SHA512 | 8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_ctypes.pyd
| MD5 | 5006b7ea33fce9f7800fecc4eb837a41 |
| SHA1 | f6366ba281b2f46e9e84506029a6bdf7948e60eb |
| SHA256 | 8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81 |
| SHA512 | e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\python3.DLL
| MD5 | d8ba00c1d9fcc7c0abbffb5c214da647 |
| SHA1 | 5fa9d5700b42a83bfcc125d1c45e0111b9d62035 |
| SHA256 | e45452efa356db874f2e5ff08c9cc0fe22528609e5d341f8fb67ba48885ab77d |
| SHA512 | df1b714494856f618a742791eefbf470b2eee07b51d983256e4386ea7d48da5c7b1e896f222ea55a748c9413203886cde3a65ef9e7ea069014fa626f81d79cd3 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/5092-136-0x00007FFB7E750000-0x00007FFB7E773000-memory.dmp
memory/5092-137-0x00007FFB80860000-0x00007FFB8086F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_bz2.pyd
| MD5 | 20a7ecfe1e59721e53aebeb441a05932 |
| SHA1 | a91c81b0394d32470e9beff43b4faa4aacd42573 |
| SHA256 | 7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8 |
| SHA512 | 99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_lzma.pyd
| MD5 | f8b61629e42adfe417cb39cdbdf832bb |
| SHA1 | e7f59134b2bf387a5fd5faa6d36393cbcbd24f61 |
| SHA256 | 7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320 |
| SHA512 | 58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\libcrypto-3.dll
| MD5 | 27515b5bb912701abb4dfad186b1da1f |
| SHA1 | 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411 |
| SHA256 | fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a |
| SHA512 | 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_queue.pyd
| MD5 | 0da22ccb73cd146fcdf3c61ef279b921 |
| SHA1 | 333547f05e351a1378dafa46f4b7c10cbebe3554 |
| SHA256 | e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0 |
| SHA512 | 9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\pyexpat.pyd
| MD5 | a455699ddccffda2a59b97f76dfba2f8 |
| SHA1 | 6b2882f473128cb7b6a580f232bc6bc02b44d4d1 |
| SHA256 | 6abe08b9ea1c5ade35654aeabc89948520553f00748cbfee0a981c350b95071d |
| SHA512 | 8bfc3e9941eedeac87257cf70ceebef8649e055ea34bc4a75ca192c23aeb7ff32b0c455ed2af4bc1830f58a4f778157e2473e072cdc229d3a4ed7f008311e675 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_socket.pyd
| MD5 | c12bded48873b3098c7a36eb06b34870 |
| SHA1 | c32a57bc2fc8031417632500aa9b1c01c3866ade |
| SHA256 | 6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa |
| SHA512 | 335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\select.pyd
| MD5 | 1e9e36e61651c3ad3e91aba117edc8d1 |
| SHA1 | 61ab19f15e692704139db2d7fb3ac00c461f9f8b |
| SHA256 | 5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093 |
| SHA512 | b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\VCRUNTIME140_1.dll
| MD5 | 7e668ab8a78bd0118b94978d154c85bc |
| SHA1 | dbac42a02a8d50639805174afd21d45f3c56e3a0 |
| SHA256 | e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f |
| SHA512 | 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\pywin32_system32\pythoncom311.dll
| MD5 | e7fff204fe3d536ff7982337d9dd8ac2 |
| SHA1 | 1ba30434a94de4f2d3f4ecfcc9c8286449130f5b |
| SHA256 | 558452270fbec84ab2a5d1e8322952a4a962ac9edb96cbc10cf62a7d6b26fc4d |
| SHA512 | 1684b50e04f38bdd005f131ab0acfbc270f9cab51621b8b6eb8ae548f8fae3ca0d8458606968c88d3fed36601ef5ce66d0d06978cf303d096bc00deb23bf26a6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\win32\win32api.pyd
| MD5 | 85642cb62201b351b19d5a8d0b4ab378 |
| SHA1 | 1a74b9e4116e71d01d2ece8bf89e205e5e491314 |
| SHA256 | 389ba902f34fb3290206970719740764371a693d53f3c71a150e06805aae8404 |
| SHA512 | 05d8e26e2316fba86e4e55310e14746f7165b159c22f40bb6d03fbdec35842f85cc6e618ed87fda9c1d236fd5b9ee4d26eb3886b740d6e67945f7e727b7d9f18 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\pywin32_system32\pywintypes311.dll
| MD5 | 3bf87b8d3995425b8ce60dce61bccf30 |
| SHA1 | a1a6312d007da5f7ff580871b56248c642b84491 |
| SHA256 | b5f75de7bfa298962b2e98e51d13fcd7bdfae54b3504453f560ea7f2d5676c81 |
| SHA512 | 7dce095647e6890e952c38328a745f467255af744c34cf104e95e73ec55b9a1b0823bdbba34e421e66cd66f247ed561e4f0f103238c914d4b4b1609fb6e139d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_uuid.pyd
| MD5 | 3a09b6db7e4d6ff0f74c292649e4ba96 |
| SHA1 | 1a515f98946a4dccc50579cbcedf959017f3a23c |
| SHA256 | fc09e40e569f472dd4ba2ea93da48220a6b0387ec62bb0f41f13ef8fab215413 |
| SHA512 | 8d5ea9f7eee3d75f0673cc7821a94c50f753299128f3d623e7a9c262788c91c267827c859c5d46314a42310c27699af5cdfc6f7821dd38bf03c0b35873d9730f |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_ssl.pyd
| MD5 | e52dbaeba8cd6cadf00fea19df63f0c1 |
| SHA1 | c03f112ee2035d0eaab184ae5f9db89aca04273a |
| SHA256 | eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead |
| SHA512 | 10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_sqlite3.pyd
| MD5 | 63618d0bc7b07aecc487a76eb3a94af8 |
| SHA1 | 53d528ef2ecbe8817d10c7df53ae798d0981943a |
| SHA256 | e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b |
| SHA512 | 8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_overlapped.pyd
| MD5 | 589199e56dcacb62cd9ee220e29fcd47 |
| SHA1 | 15600ad2260a97b407f90223c4119ee3ed04f7f4 |
| SHA256 | 0884bba8820e766ce4f028e0460b88ea34a750ca09a0dd79f2843078bbbea866 |
| SHA512 | f80b5e440b6de476bdbec0b4615b4b0501797834e28e12cc6d934b7d46a2d261196d728ca8b143a44e272631973c8a18d9945c76bc75b2095b74a0cd70cfb24f |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_multiprocessing.pyd
| MD5 | 613c908079fef4d54188b84ceb909363 |
| SHA1 | 499e46dc798c01b9289dd7ed6c5075c5d689e63c |
| SHA256 | f3d39d769c0a2f56a851912f4718f191910cf07f31bb8c01a4b1de2e61d418aa |
| SHA512 | 3f0d529493537fbb7f21bf57e697787aafb95a709a2a374631f232a30538d29fb91848f4f30681828c14c2129556d8d1a344996b650e6633346f72239ebe0157 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_hashlib.pyd
| MD5 | a81e0df35ded42e8909597f64865e2b3 |
| SHA1 | 6b1d3a3cd48e94f752dd354791848707676ca84d |
| SHA256 | 5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185 |
| SHA512 | 2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_decimal.pyd
| MD5 | d0231f126902db68d7f6ca1652b222c0 |
| SHA1 | 70e79674d0084c106e246474c4fb112e9c5578eb |
| SHA256 | 69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351 |
| SHA512 | b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_cffi_backend.cp311-win_amd64.pyd
| MD5 | 1518035a65a45c274f1557ff5655e2d7 |
| SHA1 | 2676d452113c68aa316cba9a03565ec146088c3f |
| SHA256 | 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8 |
| SHA512 | b5932a2eadd2981a3bbc0918643a9936c9aaafc606d833d5ef2758061e05a3148826060ed52a2d121fabfd719ad9736b3402683640a4c4846b6aaaa457366b66 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\_asyncio.pyd
| MD5 | f554c2359783d1fb16d919bad68f3f8d |
| SHA1 | a0fdcca34245e840a4b3275ab5e15498181ee821 |
| SHA256 | 873ce59b13732cf566db24d0bd3531d159e415192378db50c5e331a2fcfbb734 |
| SHA512 | d1f0a9e8bd20f83aefe3f9193918d91011ad3f823d1674c3bf1b60fa088be3f327a133853dabc7607d2eec7edd177e0f0ddcfe8c329b5111492fd5fe1cc636cf |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\unicodedata.pyd
| MD5 | af87b4aa3862a59d74ff91be300ee9e3 |
| SHA1 | e5bfd29f92c28afa79a02dc97a26ed47e4f199b4 |
| SHA256 | fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7 |
| SHA512 | 1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\sqlite3.dll
| MD5 | c78fab9114164ac981902c44d3cd9b37 |
| SHA1 | cb34dff3cf82160731c7da5527c9f3e7e7f113b7 |
| SHA256 | 4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242 |
| SHA512 | bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\libssl-3.dll
| MD5 | 6eda5a055b164e5e798429dcd94f5b88 |
| SHA1 | 2c5494379d1efe6b0a101801e09f10a7cb82dbe9 |
| SHA256 | 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8 |
| SHA512 | 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e |
memory/5092-143-0x00007FFB7A840000-0x00007FFB7A86D000-memory.dmp
memory/5092-141-0x00007FFB7B040000-0x00007FFB7B059000-memory.dmp
memory/5092-179-0x00007FFB7A5C0000-0x00007FFB7A5EB000-memory.dmp
memory/5092-178-0x00007FFB79E80000-0x00007FFB79F3C000-memory.dmp
memory/5092-177-0x00007FFB79E00000-0x00007FFB79E2E000-memory.dmp
memory/5092-176-0x00007FFB7B030000-0x00007FFB7B03D000-memory.dmp
memory/5092-175-0x00007FFB7B6B0000-0x00007FFB7B6BD000-memory.dmp
memory/5092-174-0x00007FFB7A5F0000-0x00007FFB7A609000-memory.dmp
memory/5092-173-0x00007FFB7A610000-0x00007FFB7A646000-memory.dmp
memory/5092-181-0x00007FFB79E40000-0x00007FFB79E73000-memory.dmp
memory/5092-186-0x00007FFB6AF80000-0x00007FFB6B4A2000-memory.dmp
memory/5092-185-0x00007FFB6B4B0000-0x00007FFB6B57D000-memory.dmp
memory/5092-187-0x000002B3F4FB0000-0x000002B3F54D2000-memory.dmp
memory/5092-191-0x00007FFB79D70000-0x00007FFB79D82000-memory.dmp
memory/5092-194-0x00007FFB75F90000-0x00007FFB75FB3000-memory.dmp
memory/5092-195-0x00007FFB6AE00000-0x00007FFB6AF77000-memory.dmp
memory/5092-190-0x00007FFB7A4A0000-0x00007FFB7A4B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43482\psutil\_psutil_windows.pyd
| MD5 | 937fa2077ad3fb82f9edc419627969a3 |
| SHA1 | 381011c5b575c03ab77ab943920b39ef8ec8e57b |
| SHA256 | 633fb691bc13e4d42b9caa0af3a0897e081c8cccdab37530745598fba597a4c2 |
| SHA512 | deb6f7f0dd850528aa78c32fdcb42e836507ed7dc1f198c4903810dbba47ef37b87cabae7f148f9017d6f628d93904250a11cdce05d5e29758a422285b01025a |
memory/5092-198-0x00007FFB6B730000-0x00007FFB6BD19000-memory.dmp
memory/5092-199-0x00007FFB79D50000-0x00007FFB79D68000-memory.dmp
memory/5092-201-0x00007FFB79C50000-0x00007FFB79C64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43482\charset_normalizer\md.cp311-win_amd64.pyd
| MD5 | 32062fd1796553acac7aa3d62ce4c4a5 |
| SHA1 | 0c5e7deb9c11eeaf4799f1a677880fbaf930079c |
| SHA256 | 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae |
| SHA512 | 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758 |
C:\Users\Admin\AppData\Local\Temp\_MEI43482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
| MD5 | 1c52efd6568c7d95b83b885632ec7798 |
| SHA1 | cae9e800292cb7f328105495dd53fc20749741f8 |
| SHA256 | 2b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939 |
| SHA512 | 35e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2 |
memory/5092-207-0x00007FFB71EF0000-0x00007FFB71F16000-memory.dmp
memory/5092-206-0x00007FFB7A9A0000-0x00007FFB7A9AB000-memory.dmp
memory/5092-209-0x00007FFB6ACE0000-0x00007FFB6ADFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43482\certifi\cacert.pem
| MD5 | d3e74c9d33719c8ab162baa4ae743b27 |
| SHA1 | ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b |
| SHA256 | 7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92 |
| SHA512 | e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c |
memory/5092-212-0x00007FFB7A5F0000-0x00007FFB7A609000-memory.dmp
memory/5092-214-0x00007FFB71EB0000-0x00007FFB71EE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI43482\Cryptodome\Cipher\_raw_ecb.pyd
| MD5 | b47c542168546fb875e74e49c84325b6 |
| SHA1 | 2aecab080cc0507f9380756478eadad2d3697503 |
| SHA256 | 55657830c9ab79875af923b5a92e7ee30e0560affc3baa236c38039b4ef987f2 |
| SHA512 | fc25087c859c76dff1126bbfe956ea6811dc3ca79e9bbfd237893144db8b7ce3cae3aeb0923f69e0bfffa5575b5442ad1891d7088dd3857b62be12b5326be50d |
memory/5092-215-0x00007FFB79E40000-0x00007FFB79E73000-memory.dmp
memory/5092-218-0x00007FFB7A570000-0x00007FFB7A57C000-memory.dmp
memory/5092-217-0x00007FFB7A830000-0x00007FFB7A83B000-memory.dmp
memory/5092-216-0x00007FFB6B4B0000-0x00007FFB6B57D000-memory.dmp
memory/5092-221-0x00007FFB79E30000-0x00007FFB79E3C000-memory.dmp
memory/5092-226-0x00007FFB79970000-0x00007FFB7997C000-memory.dmp
memory/5092-225-0x00007FFB79980000-0x00007FFB7998B000-memory.dmp
memory/5092-224-0x00007FFB7A530000-0x00007FFB7A53B000-memory.dmp
memory/5092-223-0x00007FFB79260000-0x00007FFB7926C000-memory.dmp
memory/5092-222-0x000002B3F4FB0000-0x000002B3F54D2000-memory.dmp
memory/5092-220-0x00007FFB7A5B0000-0x00007FFB7A5BB000-memory.dmp
memory/5092-219-0x00007FFB6AF80000-0x00007FFB6B4A2000-memory.dmp
memory/5092-227-0x00007FFB79140000-0x00007FFB7914E000-memory.dmp
memory/5092-228-0x00007FFB75F90000-0x00007FFB75FB3000-memory.dmp
memory/5092-234-0x00007FFB71850000-0x00007FFB7185C000-memory.dmp
memory/5092-233-0x00007FFB71EA0000-0x00007FFB71EAC000-memory.dmp
memory/5092-232-0x00007FFB73EF0000-0x00007FFB73EFB000-memory.dmp
memory/5092-231-0x00007FFB75F80000-0x00007FFB75F8B000-memory.dmp
memory/5092-237-0x00007FFB71810000-0x00007FFB7181C000-memory.dmp
memory/5092-236-0x00007FFB71820000-0x00007FFB71832000-memory.dmp
memory/5092-238-0x00007FFB71EF0000-0x00007FFB71F16000-memory.dmp
memory/5092-235-0x00007FFB71840000-0x00007FFB7184D000-memory.dmp
memory/5092-230-0x00007FFB79130000-0x00007FFB7913C000-memory.dmp
memory/5092-229-0x00007FFB6AE00000-0x00007FFB6AF77000-memory.dmp
memory/5092-239-0x00007FFB6AA90000-0x00007FFB6ACD5000-memory.dmp
memory/5092-243-0x00007FFB6C370000-0x00007FFB6C399000-memory.dmp
memory/5092-242-0x00007FFB71EB0000-0x00007FFB71EE8000-memory.dmp
memory/5092-241-0x00007FFB6ACE0000-0x00007FFB6ADFC000-memory.dmp
memory/1960-262-0x0000018E3FFC0000-0x0000018E3FFE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgv1v0yy.1fs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\ajn2UcbuSV\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
C:\Users\Admin\AppData\Local\Temp\ajn2UcbuSV\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
memory/5092-314-0x00007FFB84470000-0x00007FFB8447F000-memory.dmp
memory/5092-331-0x00007FFB6B4B0000-0x00007FFB6B57D000-memory.dmp
memory/5092-342-0x00007FFB71EB0000-0x00007FFB71EE8000-memory.dmp
memory/5092-361-0x00007FFB71EF0000-0x00007FFB71F16000-memory.dmp
memory/5092-364-0x00007FFB84470000-0x00007FFB8447F000-memory.dmp
memory/5092-363-0x00007FFB6C370000-0x00007FFB6C399000-memory.dmp
memory/5092-362-0x00007FFB6AA90000-0x00007FFB6ACD5000-memory.dmp
memory/5092-360-0x00007FFB7A9A0000-0x00007FFB7A9AB000-memory.dmp
memory/5092-359-0x00007FFB79C50000-0x00007FFB79C64000-memory.dmp
memory/5092-358-0x00007FFB79D50000-0x00007FFB79D68000-memory.dmp
memory/5092-357-0x00007FFB75F90000-0x00007FFB75FB3000-memory.dmp
memory/5092-356-0x00007FFB79D70000-0x00007FFB79D82000-memory.dmp
memory/5092-355-0x00007FFB7A4A0000-0x00007FFB7A4B5000-memory.dmp
memory/5092-354-0x00007FFB79E40000-0x00007FFB79E73000-memory.dmp
memory/5092-353-0x00007FFB7A5C0000-0x00007FFB7A5EB000-memory.dmp
memory/5092-352-0x00007FFB79E80000-0x00007FFB79F3C000-memory.dmp
memory/5092-351-0x00007FFB79E00000-0x00007FFB79E2E000-memory.dmp
memory/5092-350-0x00007FFB7B030000-0x00007FFB7B03D000-memory.dmp
memory/5092-349-0x00007FFB7B6B0000-0x00007FFB7B6BD000-memory.dmp
memory/5092-348-0x00007FFB7A5F0000-0x00007FFB7A609000-memory.dmp
memory/5092-347-0x00007FFB7A610000-0x00007FFB7A646000-memory.dmp
memory/5092-346-0x00007FFB7B040000-0x00007FFB7B059000-memory.dmp
memory/5092-345-0x00007FFB7A840000-0x00007FFB7A86D000-memory.dmp
memory/5092-344-0x00007FFB80860000-0x00007FFB8086F000-memory.dmp
memory/5092-343-0x00007FFB7E750000-0x00007FFB7E773000-memory.dmp
memory/5092-341-0x00007FFB6ACE0000-0x00007FFB6ADFC000-memory.dmp
memory/5092-336-0x00007FFB6AE00000-0x00007FFB6AF77000-memory.dmp
memory/5092-332-0x00007FFB6AF80000-0x00007FFB6B4A2000-memory.dmp
memory/5092-318-0x00007FFB6B730000-0x00007FFB6BD19000-memory.dmp
memory/3816-435-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-436-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-437-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-447-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-446-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-445-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-444-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-442-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-443-0x00000232FB420000-0x00000232FB421000-memory.dmp
memory/3816-441-0x00000232FB420000-0x00000232FB421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\setuptools-65.5.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
memory/3172-571-0x00007FFB680E0000-0x00007FFB686C9000-memory.dmp
memory/3172-573-0x00007FFB7B030000-0x00007FFB7B03F000-memory.dmp
memory/3172-572-0x00007FFB7A550000-0x00007FFB7A573000-memory.dmp
memory/3172-575-0x00007FFB6B750000-0x00007FFB6B77D000-memory.dmp
memory/3172-574-0x00007FFB7A530000-0x00007FFB7A549000-memory.dmp
memory/3172-576-0x00007FFB6AAE0000-0x00007FFB6AB16000-memory.dmp
memory/3172-578-0x00007FFB7B000000-0x00007FFB7B00D000-memory.dmp
memory/3172-577-0x00007FFB7A4C0000-0x00007FFB7A4D9000-memory.dmp
memory/3172-582-0x00007FFB6A7E0000-0x00007FFB6A80E000-memory.dmp
memory/3172-581-0x00007FFB69FB0000-0x00007FFB6A06C000-memory.dmp
memory/3172-580-0x00007FFB7AB70000-0x00007FFB7AB7D000-memory.dmp
memory/3172-579-0x00007FFB680E0000-0x00007FFB686C9000-memory.dmp
memory/3172-584-0x00007FFB69F80000-0x00007FFB69FAB000-memory.dmp
memory/3172-583-0x00007FFB7A550000-0x00007FFB7A573000-memory.dmp
memory/3172-586-0x00007FFB69BD0000-0x00007FFB69C9D000-memory.dmp
memory/3172-585-0x00007FFB69F40000-0x00007FFB69F73000-memory.dmp
C:\Users\Admin\tmp\9tEQJTCHqZ
| MD5 | c366e91a78b9dadf7ae1c8610489d751 |
| SHA1 | 30b8acc2f0a22a83bc25e64e642a53397d356cad |
| SHA256 | 7d1124f91ea762676d1fbeb23875786cb02459c78f17086c94bcadab2b61dc31 |
| SHA512 | b4ee7798b32c60690d953a1934fd6d5cf930011b5de4cbc8375f32fc9e8cd019c2306e4ec999ce8682d75a1a1c44ab8b1e2386b27488e53189137a3c802b63f2 |
C:\Users\Admin\AppData\Local\Temp\YLnwUQzx4E\Browser\cookies.txt
| MD5 | 8ba72187ec48cef2b70b9de5f50c8a41 |
| SHA1 | 7214780e83ec339f264f988f7a5527fb28c12d25 |
| SHA256 | 5e54c3f17bf16c5be04f1e7acd53daf2292108835e2f94fc8916ba66c5b48ac1 |
| SHA512 | d67bf1dc98f3409492b9143f2a30e8574e9001bd0cccfec5daf99145f4b7a5b9ba2ec71ce9e6172c4dae83a1f258573af8a695c91928b3158a808d503ac66c5f |
C:\Users\Admin\AppData\Local\Temp\YLnwUQzx4E\Browser\roblox cookies.txt
| MD5 | de9ec9fc7c87635cb91e05c792e94140 |
| SHA1 | 3f0fbeaff23a30040e5f52b78b474e7cb23488ab |
| SHA256 | aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f |
| SHA512 | a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56 |
memory/3172-720-0x00007FFB69A20000-0x00007FFB69B97000-memory.dmp
memory/3172-727-0x00007FFB7A4B0000-0x00007FFB7A4BF000-memory.dmp
memory/3172-726-0x00007FFB69D60000-0x00007FFB69D98000-memory.dmp
memory/3172-725-0x00007FFB69720000-0x00007FFB6983C000-memory.dmp
memory/3172-724-0x00007FFB69DC0000-0x00007FFB69DE6000-memory.dmp
memory/3172-723-0x00007FFB79E00000-0x00007FFB79E0B000-memory.dmp
memory/3172-722-0x00007FFB69EF0000-0x00007FFB69F04000-memory.dmp
memory/3172-721-0x00007FFB6AA10000-0x00007FFB6AA28000-memory.dmp
memory/3172-716-0x00007FFB67960000-0x00007FFB67E82000-memory.dmp
memory/3172-715-0x00007FFB69BD0000-0x00007FFB69C9D000-memory.dmp
memory/3172-714-0x00007FFB69F40000-0x00007FFB69F73000-memory.dmp
memory/3172-719-0x00007FFB69F10000-0x00007FFB69F33000-memory.dmp
memory/3172-718-0x00007FFB6B730000-0x00007FFB6B742000-memory.dmp
memory/3172-717-0x00007FFB79130000-0x00007FFB79145000-memory.dmp
memory/3172-713-0x00007FFB69F80000-0x00007FFB69FAB000-memory.dmp
memory/3172-702-0x00007FFB680E0000-0x00007FFB686C9000-memory.dmp
memory/4340-813-0x00000275DD040000-0x00000275DD041000-memory.dmp
memory/4340-812-0x00000275DD040000-0x00000275DD041000-memory.dmp
memory/4340-811-0x00000275DD040000-0x00000275DD041000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 10:21
Reported
2024-06-20 10:24
Platform
win7-20240611-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe |
| PID 2340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe |
| PID 2340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe | C:\Users\Admin\AppData\Local\Temp\solar_beta.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\solar_beta.exe
"C:\Users\Admin\AppData\Local\Temp\solar_beta.exe"
C:\Users\Admin\AppData\Local\Temp\solar_beta.exe
"C:\Users\Admin\AppData\Local\Temp\solar_beta.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI23402\python311.dll
| MD5 | 0b66c50e563d74188a1e96d6617261e8 |
| SHA1 | cfd778b3794b4938e584078cbfac0747a8916d9e |
| SHA256 | 02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2 |
| SHA512 | 37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f |
memory/2940-125-0x000007FEF56A0000-0x000007FEF5C89000-memory.dmp