xworm | 8f26519cc724675fe6112c07b20ff129543125822d2f320f7648775b8ba4781f

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

2.5MB
MD5

b438aa2ccb3380494ca147d34d3fba56
SHA1

fdbc721bf15236cc981a95ffda53feba6a7033ca
SHA256

8f26519cc724675fe6112c07b20ff129543125822d2f320f7648775b8ba4781f
SHA512

39b3974af9558feb0712b91b40dd2de75a785a6b02fd4c1ab2839ae3c9c352e23a4a84efbb4d48d16b30f8fd6275341fdeca59938f018070721141e8c7db1af8
SSDEEP

49152:fnZqHAl+vgnacJLGSeZs+OmboDdYQ4GGc5QM47XVF:fZq34nayLGSeTjg2c5Qv

Score

10^/10

xworm evasion persistence rat themida trojan

Malware Config

Extracted

Family

xworm

Version

3.1

feature-mouse.gl.at.ply.gg:32683

Mutex

VQh28vrCo2a4H2gG

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000233ea-8.dat	family_xworm
behavioral1/memory/2236-17-0x00000000006D0000-0x00000000006E2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 64 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SOLARABOOTSTRAPPER.EXE

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SOLARABOOTSTRAPPER.EXE

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SOLARABOOTSTRAPPER.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SETTINGS.lnk	SETTINGS.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SETTINGS.lnk	SETTINGS.EXE

Executes dropped EXE 64 IoCs

pid	Process
2236	SETTINGS.EXE
364	SETTINGS.EXE
2368	SETTINGS.EXE
5060	SETTINGS.EXE
1964	SETTINGS.EXE
2204	SETTINGS.EXE
2324	SETTINGS.EXE
1740	SETTINGS.EXE
3636	SETTINGS.EXE
4676	SETTINGS.EXE
1768	SETTINGS.EXE
2364	SETTINGS.EXE
4980	SETTINGS.EXE
3516	SETTINGS.EXE
4420	SETTINGS.EXE
4968	SETTINGS.EXE
4036	SETTINGS.EXE
2460	SETTINGS.EXE
3592	SETTINGS.EXE
2912	SETTINGS.EXE
1848	SETTINGS.EXE
3480	SETTINGS.EXE
4936	SETTINGS.EXE
4224	SETTINGS.EXE
2324	SETTINGS.EXE
3004	SETTINGS.EXE
3636	SETTINGS.EXE
4008	SETTINGS.EXE
4416	SETTINGS.EXE
4764	SETTINGS.EXE
2136	SETTINGS.EXE
4556	SETTINGS.EXE
872	SETTINGS.EXE
4072	SETTINGS.EXE
4348	SETTINGS.EXE
4600	SETTINGS.EXE
2768	SETTINGS.EXE
2196	SETTINGS.EXE
2900	SETTINGS.EXE
4636	SETTINGS.EXE
1196	SETTINGS.EXE
4860	SETTINGS.EXE
2056	SETTINGS.EXE
524	SETTINGS.EXE
4616	SETTINGS.EXE
4864	SETTINGS.EXE
4108	SETTINGS.EXE
3180	SETTINGS.EXE
1212	SETTINGS.EXE
1528	SETTINGS.EXE
4540	SETTINGS.EXE
4092	SETTINGS.EXE
3952	SETTINGS.EXE
1500	SETTINGS.EXE
1940	SETTINGS.EXE
3828	SETTINGS.EXE
4860	SETTINGS.EXE
2472	SETTINGS.EXE
2360	SETTINGS.EXE
5100	SETTINGS.EXE
1840	SETTINGS.EXE
3108	SETTINGS.EXE
3932	SETTINGS.EXE
2868	SETTINGS.EXE

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4468-0-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4468-2-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4468-3-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3708-19-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4468-18-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3708-20-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3708-21-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3708-24-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4660-25-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4660-27-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4660-26-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2460-29-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4660-31-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2460-32-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2460-33-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3116-35-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2460-37-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3116-38-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3116-39-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3116-45-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1332-43-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1332-47-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1332-46-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2940-52-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1332-53-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2940-54-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2940-55-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2940-59-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4540-57-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4540-60-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4540-61-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4832-63-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4540-65-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4832-67-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4832-66-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3388-69-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4832-71-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3388-72-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3388-73-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3388-77-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/380-78-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/380-79-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/380-75-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4592-81-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/380-83-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4592-85-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4592-84-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4592-89-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1872-87-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1872-90-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1872-91-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3184-93-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/1872-95-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3184-96-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3184-97-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/636-99-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/3184-102-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/636-104-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/636-103-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/636-107-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4388-109-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4388-108-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/4388-111-0x0000000000400000-0x0000000000A75000-memory.dmp	themida
behavioral1/memory/2056-112-0x0000000000400000-0x0000000000A75000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SETTINGS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SETTINGS.EXE"	SETTINGS.EXE

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SOLARABOOTSTRAPPER.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4468	SolaraBootstrapper.exe
3708	SOLARABOOTSTRAPPER.EXE
4660	SOLARABOOTSTRAPPER.EXE
2460	SOLARABOOTSTRAPPER.EXE
3116	SOLARABOOTSTRAPPER.EXE
1332	SOLARABOOTSTRAPPER.EXE
2940	SOLARABOOTSTRAPPER.EXE
4540	SOLARABOOTSTRAPPER.EXE
4832	SOLARABOOTSTRAPPER.EXE
3388	SOLARABOOTSTRAPPER.EXE
380	SOLARABOOTSTRAPPER.EXE
4592	SOLARABOOTSTRAPPER.EXE
1872	SOLARABOOTSTRAPPER.EXE
3184	SOLARABOOTSTRAPPER.EXE
636	SOLARABOOTSTRAPPER.EXE
4388	SOLARABOOTSTRAPPER.EXE
2056	SOLARABOOTSTRAPPER.EXE
3368	SOLARABOOTSTRAPPER.EXE
2252	SOLARABOOTSTRAPPER.EXE
4504	SOLARABOOTSTRAPPER.EXE
2240	SOLARABOOTSTRAPPER.EXE
1988	SOLARABOOTSTRAPPER.EXE
3992	SOLARABOOTSTRAPPER.EXE
4832	SOLARABOOTSTRAPPER.EXE
2672	SOLARABOOTSTRAPPER.EXE
1144	SOLARABOOTSTRAPPER.EXE
4300	SOLARABOOTSTRAPPER.EXE
2408	SOLARABOOTSTRAPPER.EXE
2556	SOLARABOOTSTRAPPER.EXE
3952	SOLARABOOTSTRAPPER.EXE
1644	SOLARABOOTSTRAPPER.EXE
4404	SOLARABOOTSTRAPPER.EXE
1540	SOLARABOOTSTRAPPER.EXE
892	SOLARABOOTSTRAPPER.EXE
2044	SOLARABOOTSTRAPPER.EXE
2460	SOLARABOOTSTRAPPER.EXE
2708	SOLARABOOTSTRAPPER.EXE
4684	SOLARABOOTSTRAPPER.EXE
1632	SOLARABOOTSTRAPPER.EXE
1676	SOLARABOOTSTRAPPER.EXE
5012	SOLARABOOTSTRAPPER.EXE
4460	SOLARABOOTSTRAPPER.EXE
2216	SOLARABOOTSTRAPPER.EXE
1616	SOLARABOOTSTRAPPER.EXE
3376	SOLARABOOTSTRAPPER.EXE
1692	SOLARABOOTSTRAPPER.EXE
3592	SOLARABOOTSTRAPPER.EXE
5100	SOLARABOOTSTRAPPER.EXE
4848	SOLARABOOTSTRAPPER.EXE
3108	SOLARABOOTSTRAPPER.EXE
1632	SOLARABOOTSTRAPPER.EXE
4600	SOLARABOOTSTRAPPER.EXE
3764	SOLARABOOTSTRAPPER.EXE
3388	SOLARABOOTSTRAPPER.EXE
404	SOLARABOOTSTRAPPER.EXE
4596	SOLARABOOTSTRAPPER.EXE
2252	SOLARABOOTSTRAPPER.EXE
464	SOLARABOOTSTRAPPER.EXE
4012	SOLARABOOTSTRAPPER.EXE
2764	SOLARABOOTSTRAPPER.EXE
3112	SOLARABOOTSTRAPPER.EXE
2136	SOLARABOOTSTRAPPER.EXE
2708	SOLARABOOTSTRAPPER.EXE
2276	SOLARABOOTSTRAPPER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	SolaraBootstrapper.exe
4468	SolaraBootstrapper.exe
3708	SOLARABOOTSTRAPPER.EXE
3708	SOLARABOOTSTRAPPER.EXE
4660	SOLARABOOTSTRAPPER.EXE
4660	SOLARABOOTSTRAPPER.EXE
2460	SOLARABOOTSTRAPPER.EXE
2460	SOLARABOOTSTRAPPER.EXE
3116	SOLARABOOTSTRAPPER.EXE
3116	SOLARABOOTSTRAPPER.EXE
1332	SOLARABOOTSTRAPPER.EXE
1332	SOLARABOOTSTRAPPER.EXE
2940	SOLARABOOTSTRAPPER.EXE
2940	SOLARABOOTSTRAPPER.EXE
4540	SOLARABOOTSTRAPPER.EXE
4540	SOLARABOOTSTRAPPER.EXE
4832	SOLARABOOTSTRAPPER.EXE
4832	SOLARABOOTSTRAPPER.EXE
3388	SOLARABOOTSTRAPPER.EXE
3388	SOLARABOOTSTRAPPER.EXE
380	SOLARABOOTSTRAPPER.EXE
380	SOLARABOOTSTRAPPER.EXE
4592	SOLARABOOTSTRAPPER.EXE
4592	SOLARABOOTSTRAPPER.EXE
1872	SOLARABOOTSTRAPPER.EXE
1872	SOLARABOOTSTRAPPER.EXE
3184	SOLARABOOTSTRAPPER.EXE
3184	SOLARABOOTSTRAPPER.EXE
636	SOLARABOOTSTRAPPER.EXE
636	SOLARABOOTSTRAPPER.EXE
4388	SOLARABOOTSTRAPPER.EXE
4388	SOLARABOOTSTRAPPER.EXE
2056	SOLARABOOTSTRAPPER.EXE
2056	SOLARABOOTSTRAPPER.EXE
3368	SOLARABOOTSTRAPPER.EXE
3368	SOLARABOOTSTRAPPER.EXE
2252	SOLARABOOTSTRAPPER.EXE
2252	SOLARABOOTSTRAPPER.EXE
4504	SOLARABOOTSTRAPPER.EXE
4504	SOLARABOOTSTRAPPER.EXE
2240	SOLARABOOTSTRAPPER.EXE
2240	SOLARABOOTSTRAPPER.EXE
1988	SOLARABOOTSTRAPPER.EXE
1988	SOLARABOOTSTRAPPER.EXE
3992	SOLARABOOTSTRAPPER.EXE
3992	SOLARABOOTSTRAPPER.EXE
4832	SOLARABOOTSTRAPPER.EXE
4832	SOLARABOOTSTRAPPER.EXE
2672	SOLARABOOTSTRAPPER.EXE
2672	SOLARABOOTSTRAPPER.EXE
1144	SOLARABOOTSTRAPPER.EXE
1144	SOLARABOOTSTRAPPER.EXE
4300	SOLARABOOTSTRAPPER.EXE
4300	SOLARABOOTSTRAPPER.EXE
2408	SOLARABOOTSTRAPPER.EXE
2408	SOLARABOOTSTRAPPER.EXE
2556	SOLARABOOTSTRAPPER.EXE
2556	SOLARABOOTSTRAPPER.EXE
3952	SOLARABOOTSTRAPPER.EXE
3952	SOLARABOOTSTRAPPER.EXE
1644	SOLARABOOTSTRAPPER.EXE
1644	SOLARABOOTSTRAPPER.EXE
4404	SOLARABOOTSTRAPPER.EXE
4404	SOLARABOOTSTRAPPER.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	SETTINGS.EXE
Token: SeDebugPrivilege	364	SETTINGS.EXE
Token: SeDebugPrivilege	2368	SETTINGS.EXE
Token: SeDebugPrivilege	5060	SETTINGS.EXE
Token: SeDebugPrivilege	1964	SETTINGS.EXE
Token: SeDebugPrivilege	2204	SETTINGS.EXE
Token: SeDebugPrivilege	2324	SETTINGS.EXE
Token: SeDebugPrivilege	1740	SETTINGS.EXE
Token: SeDebugPrivilege	3636	SETTINGS.EXE
Token: SeDebugPrivilege	4676	SETTINGS.EXE
Token: SeDebugPrivilege	1768	SETTINGS.EXE
Token: SeDebugPrivilege	2364	SETTINGS.EXE
Token: SeDebugPrivilege	4980	SETTINGS.EXE
Token: SeDebugPrivilege	3516	SETTINGS.EXE
Token: SeDebugPrivilege	4420	SETTINGS.EXE
Token: SeDebugPrivilege	4968	SETTINGS.EXE
Token: SeDebugPrivilege	4036	SETTINGS.EXE
Token: SeDebugPrivilege	2460	SETTINGS.EXE
Token: SeDebugPrivilege	3592	SETTINGS.EXE
Token: SeDebugPrivilege	2912	SETTINGS.EXE
Token: SeDebugPrivilege	1848	SETTINGS.EXE
Token: SeDebugPrivilege	3480	SETTINGS.EXE
Token: SeDebugPrivilege	4936	SETTINGS.EXE
Token: SeDebugPrivilege	4224	SETTINGS.EXE
Token: SeDebugPrivilege	2324	SETTINGS.EXE
Token: SeDebugPrivilege	3004	SETTINGS.EXE
Token: SeDebugPrivilege	3636	SETTINGS.EXE
Token: SeDebugPrivilege	4008	SETTINGS.EXE
Token: SeDebugPrivilege	4416	SETTINGS.EXE
Token: SeDebugPrivilege	4764	SETTINGS.EXE
Token: SeDebugPrivilege	2136	SETTINGS.EXE
Token: SeDebugPrivilege	4556	SETTINGS.EXE
Token: SeDebugPrivilege	872	SETTINGS.EXE
Token: SeDebugPrivilege	4072	SETTINGS.EXE
Token: SeDebugPrivilege	4348	SETTINGS.EXE
Token: SeDebugPrivilege	4600	SETTINGS.EXE
Token: SeDebugPrivilege	2768	SETTINGS.EXE
Token: SeDebugPrivilege	2196	SETTINGS.EXE
Token: SeDebugPrivilege	2900	SETTINGS.EXE
Token: SeDebugPrivilege	4636	SETTINGS.EXE
Token: SeDebugPrivilege	1196	SETTINGS.EXE
Token: SeDebugPrivilege	4860	SETTINGS.EXE
Token: SeDebugPrivilege	2056	SETTINGS.EXE
Token: SeDebugPrivilege	524	SETTINGS.EXE
Token: SeDebugPrivilege	4616	SETTINGS.EXE
Token: SeDebugPrivilege	4864	SETTINGS.EXE
Token: SeDebugPrivilege	4108	SETTINGS.EXE
Token: SeDebugPrivilege	3180	SETTINGS.EXE
Token: SeDebugPrivilege	1212	SETTINGS.EXE
Token: SeDebugPrivilege	1528	SETTINGS.EXE
Token: SeDebugPrivilege	4540	SETTINGS.EXE
Token: SeDebugPrivilege	4092	SETTINGS.EXE
Token: SeDebugPrivilege	3952	SETTINGS.EXE
Token: SeDebugPrivilege	1500	SETTINGS.EXE
Token: SeDebugPrivilege	1940	SETTINGS.EXE
Token: SeDebugPrivilege	3828	SETTINGS.EXE
Token: SeDebugPrivilege	4860	SETTINGS.EXE
Token: SeDebugPrivilege	2472	SETTINGS.EXE
Token: SeDebugPrivilege	2360	SETTINGS.EXE
Token: SeDebugPrivilege	5100	SETTINGS.EXE
Token: SeDebugPrivilege	1840	SETTINGS.EXE
Token: SeDebugPrivilege	3108	SETTINGS.EXE
Token: SeDebugPrivilege	3932	SETTINGS.EXE
Token: SeDebugPrivilege	2868	SETTINGS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2236	4468	SolaraBootstrapper.exe	82
PID 4468 wrote to memory of 2236	4468	SolaraBootstrapper.exe	82
PID 4468 wrote to memory of 3708	4468	SolaraBootstrapper.exe	83
PID 4468 wrote to memory of 3708	4468	SolaraBootstrapper.exe	83
PID 4468 wrote to memory of 3708	4468	SolaraBootstrapper.exe	83
PID 3708 wrote to memory of 364	3708	SOLARABOOTSTRAPPER.EXE	84
PID 3708 wrote to memory of 364	3708	SOLARABOOTSTRAPPER.EXE	84
PID 3708 wrote to memory of 4660	3708	SOLARABOOTSTRAPPER.EXE	85
PID 3708 wrote to memory of 4660	3708	SOLARABOOTSTRAPPER.EXE	85
PID 3708 wrote to memory of 4660	3708	SOLARABOOTSTRAPPER.EXE	85
PID 4660 wrote to memory of 2368	4660	SOLARABOOTSTRAPPER.EXE	86
PID 4660 wrote to memory of 2368	4660	SOLARABOOTSTRAPPER.EXE	86
PID 4660 wrote to memory of 2460	4660	SOLARABOOTSTRAPPER.EXE	116
PID 4660 wrote to memory of 2460	4660	SOLARABOOTSTRAPPER.EXE	116
PID 4660 wrote to memory of 2460	4660	SOLARABOOTSTRAPPER.EXE	116
PID 2460 wrote to memory of 5060	2460	SOLARABOOTSTRAPPER.EXE	88
PID 2460 wrote to memory of 5060	2460	SOLARABOOTSTRAPPER.EXE	88
PID 2460 wrote to memory of 3116	2460	SOLARABOOTSTRAPPER.EXE	89
PID 2460 wrote to memory of 3116	2460	SOLARABOOTSTRAPPER.EXE	89
PID 2460 wrote to memory of 3116	2460	SOLARABOOTSTRAPPER.EXE	89
PID 3116 wrote to memory of 1964	3116	SOLARABOOTSTRAPPER.EXE	90
PID 3116 wrote to memory of 1964	3116	SOLARABOOTSTRAPPER.EXE	90
PID 3116 wrote to memory of 1332	3116	SOLARABOOTSTRAPPER.EXE	91
PID 3116 wrote to memory of 1332	3116	SOLARABOOTSTRAPPER.EXE	91
PID 3116 wrote to memory of 1332	3116	SOLARABOOTSTRAPPER.EXE	91
PID 1332 wrote to memory of 2204	1332	SOLARABOOTSTRAPPER.EXE	92
PID 1332 wrote to memory of 2204	1332	SOLARABOOTSTRAPPER.EXE	92
PID 1332 wrote to memory of 2940	1332	SOLARABOOTSTRAPPER.EXE	93
PID 1332 wrote to memory of 2940	1332	SOLARABOOTSTRAPPER.EXE	93
PID 1332 wrote to memory of 2940	1332	SOLARABOOTSTRAPPER.EXE	93
PID 2940 wrote to memory of 2324	2940	SOLARABOOTSTRAPPER.EXE	130
PID 2940 wrote to memory of 2324	2940	SOLARABOOTSTRAPPER.EXE	130
PID 2940 wrote to memory of 4540	2940	SOLARABOOTSTRAPPER.EXE	95
PID 2940 wrote to memory of 4540	2940	SOLARABOOTSTRAPPER.EXE	95
PID 2940 wrote to memory of 4540	2940	SOLARABOOTSTRAPPER.EXE	95
PID 4540 wrote to memory of 1740	4540	SOLARABOOTSTRAPPER.EXE	96
PID 4540 wrote to memory of 1740	4540	SOLARABOOTSTRAPPER.EXE	96
PID 4540 wrote to memory of 4832	4540	SOLARABOOTSTRAPPER.EXE	127
PID 4540 wrote to memory of 4832	4540	SOLARABOOTSTRAPPER.EXE	127
PID 4540 wrote to memory of 4832	4540	SOLARABOOTSTRAPPER.EXE	127
PID 4832 wrote to memory of 3636	4832	SOLARABOOTSTRAPPER.EXE	134
PID 4832 wrote to memory of 3636	4832	SOLARABOOTSTRAPPER.EXE	134
PID 4832 wrote to memory of 3388	4832	SOLARABOOTSTRAPPER.EXE	99
PID 4832 wrote to memory of 3388	4832	SOLARABOOTSTRAPPER.EXE	99
PID 4832 wrote to memory of 3388	4832	SOLARABOOTSTRAPPER.EXE	99
PID 3388 wrote to memory of 4676	3388	SOLARABOOTSTRAPPER.EXE	100
PID 3388 wrote to memory of 4676	3388	SOLARABOOTSTRAPPER.EXE	100
PID 3388 wrote to memory of 380	3388	SOLARABOOTSTRAPPER.EXE	101
PID 3388 wrote to memory of 380	3388	SOLARABOOTSTRAPPER.EXE	101
PID 3388 wrote to memory of 380	3388	SOLARABOOTSTRAPPER.EXE	101
PID 380 wrote to memory of 1768	380	SOLARABOOTSTRAPPER.EXE	102
PID 380 wrote to memory of 1768	380	SOLARABOOTSTRAPPER.EXE	102
PID 380 wrote to memory of 4592	380	SOLARABOOTSTRAPPER.EXE	103
PID 380 wrote to memory of 4592	380	SOLARABOOTSTRAPPER.EXE	103
PID 380 wrote to memory of 4592	380	SOLARABOOTSTRAPPER.EXE	103
PID 4592 wrote to memory of 2364	4592	SOLARABOOTSTRAPPER.EXE	104
PID 4592 wrote to memory of 2364	4592	SOLARABOOTSTRAPPER.EXE	104
PID 4592 wrote to memory of 1872	4592	SOLARABOOTSTRAPPER.EXE	105
PID 4592 wrote to memory of 1872	4592	SOLARABOOTSTRAPPER.EXE	105
PID 4592 wrote to memory of 1872	4592	SOLARABOOTSTRAPPER.EXE	105
PID 1872 wrote to memory of 4980	1872	SOLARABOOTSTRAPPER.EXE	106
PID 1872 wrote to memory of 4980	1872	SOLARABOOTSTRAPPER.EXE	106
PID 1872 wrote to memory of 3184	1872	SOLARABOOTSTRAPPER.EXE	107
PID 1872 wrote to memory of 3184	1872	SOLARABOOTSTRAPPER.EXE	107

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
  "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
    "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- - C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
    "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
      "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3116
      - C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        6⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        7⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        8⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        9⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        10⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        11⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        12⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        13⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        14⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        15⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        16⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        17⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        18⤵
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        19⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        20⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        21⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        22⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        23⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        24⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        25⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        26⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        27⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        28⤵
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        29⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        30⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        31⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        32⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        33⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        34⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        35⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        36⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        37⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        38⤵
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        39⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        40⤵
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        41⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        42⤵
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        43⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        44⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        45⤵
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        46⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        47⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        48⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        49⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        50⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        51⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        52⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        53⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        54⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        55⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        56⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        57⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        58⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        59⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        60⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        61⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        62⤵
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        63⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        64⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        65⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        65⤵
        Checks computer location settings
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        66⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        66⤵
        Checks computer location settings
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        67⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        67⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        68⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        68⤵
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        69⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        69⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        70⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        70⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        71⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        71⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        72⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        72⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        73⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        73⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        74⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        74⤵
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        75⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        75⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        76⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        76⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        77⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        77⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        78⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        78⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        79⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        79⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        80⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        80⤵
        Checks whether UAC is enabled
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        81⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        81⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        82⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        82⤵
        Checks computer location settings
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        83⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        83⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        84⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        84⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        85⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        85⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        86⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        86⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        87⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        87⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        88⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        88⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        89⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        89⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        90⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        90⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        91⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        91⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        92⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        92⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        93⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        93⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        94⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        94⤵
        Checks computer location settings
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        95⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        95⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        96⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        96⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        97⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        97⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        98⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        98⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        99⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        99⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        100⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        100⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        101⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        101⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        102⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        102⤵
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        103⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        103⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        104⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        104⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        105⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        105⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        106⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        106⤵
        Checks whether UAC is enabled
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        107⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        107⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        108⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        108⤵
        Checks computer location settings
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        109⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        109⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        110⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        110⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        111⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        111⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        112⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        112⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        113⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        113⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        114⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        114⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        115⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        115⤵
        Checks whether UAC is enabled
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        116⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        116⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        117⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        117⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        118⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        118⤵
        Checks whether UAC is enabled
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        119⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        119⤵
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        120⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        120⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        121⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        121⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        122⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        122⤵
        Checks whether UAC is enabled
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        123⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        123⤵
        Checks whether UAC is enabled
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        124⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        124⤵
        Checks whether UAC is enabled
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        125⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        125⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        126⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        126⤵
        Checks whether UAC is enabled
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        127⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        127⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        128⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        128⤵
        Checks whether UAC is enabled
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        129⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        129⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        130⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        130⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        131⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        131⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        132⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        132⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        133⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        133⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        134⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        134⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        135⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        135⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        136⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        136⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        137⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        137⤵
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        138⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        138⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        139⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        139⤵
        Checks BIOS information in registry
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        140⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        140⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        141⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        141⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        142⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        142⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        143⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        143⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        144⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        144⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        145⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        145⤵
        Checks BIOS information in registry
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        146⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        146⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        147⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        147⤵
        Checks BIOS information in registry
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        148⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        148⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        149⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        149⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        150⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        150⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        151⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        151⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        152⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        152⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        153⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        153⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        154⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        154⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        155⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        155⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        156⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        156⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        157⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        157⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        158⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        158⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        159⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        159⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        160⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        160⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        161⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        161⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        162⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        162⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        163⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        163⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        164⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        164⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        165⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        165⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        166⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        166⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        167⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        167⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        168⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        168⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE"
        169⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
        169⤵
        
        PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SETTINGS.EXE.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETTINGS.EXE

Filesize
51KB

MD5
49fdec15280e92d09221eef9dfd0d7c3

SHA1
f459bce6a6f43b6c2e4fa5adea1cb8557e427d1b

SHA256
da112c0abd9a8b8752cf3c3fd8ae938e80b8a219eb6ee7ad6535d45ce94940c0

SHA512
85846753d7795463755e2fee94b7cd3229c3d6eee222509b435ef239a47b37c256b90985d845ca2d7b43c64c519e0852341b7281aaa9ae5648aaa47124605de1

Download Submit
memory/380-79-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/380-83-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/380-78-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/380-75-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/636-99-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/636-104-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/636-107-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/636-103-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1332-46-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1332-47-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1332-43-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1332-53-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1872-95-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1872-91-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1872-87-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1872-90-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/1988-132-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2056-113-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2056-112-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2056-115-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2236-100-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/2236-41-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/2236-15-0x00007FF8418E3000-0x00007FF8418E5000-memory.dmp

Filesize
8KB

Download
memory/2236-17-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/2240-131-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2240-128-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2240-129-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2252-120-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2252-121-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2252-123-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2460-37-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2460-33-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2460-32-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2460-29-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2940-52-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2940-54-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2940-55-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/2940-59-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3116-38-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3116-35-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3116-39-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3116-45-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3184-93-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3184-102-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3184-97-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3184-96-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3368-116-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3368-119-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3368-117-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3388-77-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3388-69-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3388-72-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3388-73-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3708-19-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3708-20-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3708-21-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/3708-24-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4388-109-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4388-108-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4388-111-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4468-18-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4468-1-0x00000000771E4000-0x00000000771E6000-memory.dmp

Filesize
8KB

Download
memory/4468-0-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4468-2-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4468-3-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4504-127-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4504-125-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4504-124-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4540-57-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4540-61-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4540-65-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4540-60-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4592-85-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4592-89-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4592-84-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4592-81-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4660-25-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4660-27-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4660-26-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4660-31-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4832-63-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4832-71-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4832-66-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download
memory/4832-67-0x0000000000400000-0x0000000000A75000-memory.dmp

Filesize
6.5MB

Download