Edit tour

Windows Analysis Report
Solara-3.0.exe

Overview

General Information

Sample name:	Solara-3.0.exe
Analysis ID:	1579341
MD5:	4ae32f4d7b7d72738797fa1533962135
SHA1:	de2b314913be445b83a502db7a9eca17463bfcd0
SHA256:	6a6a26172d67b47810cc4088daed7fc1d77a45d7ebc998cfa1bb13c988fc9e4b
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Solara-3.0.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\Solara-3.0.exe" MD5: 4AE32F4D7B7D72738797FA1533962135)

conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Solara-3.0.exe (PID: 4956 cmdline: "C:\Users\user\Desktop\Solara-3.0.exe" MD5: 4AE32F4D7B7D72738797FA1533962135)

WerFault.exe (PID: 2352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 292 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["aspecteirs.lat", "necklacebudi.lat", "rapeflowwj.lat", "energyaffai.lat", "discokeyus.lat", "sustainskelet.lat", "grannyejh.lat", "crosshuaht.lat", "sweepyribs.lat"], "Build id": "yau6Na--899083440"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Solara-3.0.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.Solara-3.0.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:10.175064+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.197.170	443	TCP
2024-12-21T19:51:39.581423+0100	2028371	3	Unknown Traffic	192.168.2.5	49754	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:38.492451+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:38.492451+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	172.67.197.170	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:10.175064+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	172.67.197.170	443	TCP
2024-12-21T19:51:39.581423+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49754	172.67.197.170	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:08.282211+0100	2058360	1	Domain Observed Used for C2 Detected	192.168.2.5	58809	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:07.999442+0100	2058364	1	Domain Observed Used for C2 Detected	192.168.2.5	55666	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:07.603905+0100	2058378	1	Domain Observed Used for C2 Detected	192.168.2.5	63394	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["aspecteirs.lat", "necklacebudi.lat", "rapeflowwj.lat", "energyaffai.lat", "discokeyus.lat", "sustainskelet.lat", "grannyejh.lat", "crosshuaht.lat", "sweepyribs.lat"], "Build id": "yau6Na--899083440"}

Multi AV Scanner detection for submitted file

Source: Solara-3.0.exe	ReversingLabs: Detection: 39%
Source: Solara-3.0.exe	Virustotal: Detection: 48%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Machine Learning detection for sample

Source: Solara-3.0.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sweepyribs.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--899083440

Source: Solara-3.0.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: Solara-3.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00485D48 FindFirstFileExW,	0_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00485DF9
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00485D48 FindFirstFileExW,	3_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00485DF9

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov esi, dword ptr [ebp-20h]	3_2_0040B922
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then jmp ecx	3_2_00439A00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+20CBA957h]	3_2_00418857
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_0041E870
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov esi, edx	3_2_0041E870
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-39h]	3_2_0041E870
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov edi, ebx	3_2_0043E820
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-04AB3DE7h]	3_2_00429030
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	3_2_004270E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+2FDC4307h]	3_2_004160F8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+000002A3h]	3_2_004160F8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then jmp edx	3_2_0042309E
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000098h]	3_2_0042E145
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	3_2_0042E145
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042B950
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov ebx, eax	3_2_00405910
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov ebp, eax	3_2_00405910
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	3_2_00428912
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_00424120
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx ebx, bx	3_2_00424120
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	3_2_00428938
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004159D0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+69CAA957h]	3_2_004159D0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	3_2_0042C981
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	3_2_0042C981
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_00439A70
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_00423A00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_004342E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	3_2_00429AF0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042DAB4
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042DAB4
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then add edx, eax	3_2_00408B50
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp byte ptr [eax+ebx+09h], 00000000h	3_2_00436B50
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Eh]	3_2_0041D360
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0041D360
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0040C377
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_0040C377
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	3_2_0043D330
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_0040D338
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov esi, edx	3_2_0043C33D
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov edx, ecx	3_2_004093C0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], E785F9BAh	3_2_0042ABF8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], E785F9BAh	3_2_0042ABF8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042B380
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	3_2_00427380
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, ebx	3_2_00427380
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402B90
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_004243B0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042DAAF
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E785F9BAh	3_2_00437450
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov ecx, edi	3_2_00407460
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	3_2_0043CC70
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-00000091h]	3_2_0041CC00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4653A5D2h]	3_2_0043EC00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1795116Dh]	3_2_0043EC00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-46B5D6C4h]	3_2_0043E490
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00408D50
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_00424550
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	3_2_0043CD60
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-46B5D6C4h]	3_2_0043D570
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+69CAA75Bh]	3_2_00417D1A
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	3_2_00429D1E
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [00444118h]	3_2_00424DC0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	3_2_00428DC5
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_004245F7
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042BE10
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00402ED0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+69CAA6A7h]	3_2_004376E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	3_2_0043CEA0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	3_2_0042AEB3
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	3_2_0043CF50
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	3_2_0042AFDB
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	3_2_0043CFE0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042E784

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.5:63394 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.5:55666 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.5:58809 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49754 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.197.170:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: sweepyribs.lat

Source: Joe Sandbox View

IP Address: 172.67.197.170 172.67.197.170

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49754 -> 172.67.197.170:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic	DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic	DNS traffic detected: DNS query: discokeyus.lat

Source: unknown

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Solara-3.0.exe, 00000003.00000002.2425276295.00000000048A0000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000003.2424663031.00000000048A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/H
Source: Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425276295.00000000048B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/api
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/apic
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown

HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 3_2_004327A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004327A0

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 3_2_004327A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004327A0

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 3_2_00432950 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00432950

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00461000	0_2_00461000
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_004741DF	0_2_004741DF
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_0047E2D0	0_2_0047E2D0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_0048B4A2	0_2_0048B4A2
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_004896BB	0_2_004896BB
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00478BE2	0_2_00478BE2
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0040C9FC	3_2_0040C9FC
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00408670	3_2_00408670
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0040A710	3_2_0040A710
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00418857	3_2_00418857
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041E870	3_2_0041E870
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00422820	3_2_00422820
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043E820	3_2_0043E820
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004038E0	3_2_004038E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004270E0	3_2_004270E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004160F8	3_2_004160F8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042309E	3_2_0042309E
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042E145	3_2_0042E145
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00415152	3_2_00415152
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041790C	3_2_0041790C
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00405910	3_2_00405910
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043E110	3_2_0043E110
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00419F86	3_2_00419F86
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00424120	3_2_00424120
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00428938	3_2_00428938
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004361C0	3_2_004361C0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004159D0	3_2_004159D0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042C981	3_2_0042C981
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042C981	3_2_0042C981
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042C190	3_2_0042C190
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041B9B0	3_2_0041B9B0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004281B9	3_2_004281B9
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042D244	3_2_0042D244
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043A260	3_2_0043A260
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00439A70	3_2_00439A70
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00406200	3_2_00406200
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041FA00	3_2_0041FA00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00423A00	3_2_00423A00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042D2CF	3_2_0042D2CF
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00419ADE	3_2_00419ADE
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041E2E0	3_2_0041E2E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00429AF0	3_2_00429AF0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00404290	3_2_00404290
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042DAB4	3_2_0042DAB4
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00436B50	3_2_00436B50
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041D360	3_2_0041D360
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00432300	3_2_00432300
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042D333	3_2_0042D333
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0040D338	3_2_0040D338
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043C33D	3_2_0043C33D
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00404BC0	3_2_00404BC0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004093C0	3_2_004093C0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0040ABD0	3_2_0040ABD0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00421BE0	3_2_00421BE0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004233EA	3_2_004233EA
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041DBF0	3_2_0041DBF0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00427380	3_2_00427380
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00434B94	3_2_00434B94
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004243B0	3_2_004243B0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042DAAF	3_2_0042DAAF
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00422440	3_2_00422440
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00407460	3_2_00407460
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043CC70	3_2_0043CC70
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041CC00	3_2_0041CC00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043EC00	3_2_0043EC00
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00417409	3_2_00417409
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00430CC0	3_2_00430CC0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043E490	3_2_0043E490
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00424550	3_2_00424550
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043CD60	3_2_0043CD60
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00414D70	3_2_00414D70
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041657A	3_2_0041657A
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042950C	3_2_0042950C
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00417D1A	3_2_00417D1A
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00411DE0	3_2_00411DE0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041E5F0	3_2_0041E5F0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004245F7	3_2_004245F7
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00432580	3_2_00432580
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00428592	3_2_00428592
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00405E60	3_2_00405E60
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00427670	3_2_00427670
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00424636	3_2_00424636
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00402ED0	3_2_00402ED0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00416ED1	3_2_00416ED1
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0041DED0	3_2_0041DED0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004376E0	3_2_004376E0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004206F0	3_2_004206F0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00406690	3_2_00406690
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00427690	3_2_00427690
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043CEA0	3_2_0043CEA0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043CF50	3_2_0043CF50
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00435F60	3_2_00435F60
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00439F70	3_2_00439F70
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00437F77	3_2_00437F77
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00420FC0	3_2_00420FC0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004367D0	3_2_004367D0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00408FE0	3_2_00408FE0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043CFE0	3_2_0043CFE0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0040DF82	3_2_0040DF82
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00419F86	3_2_00419F86
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0042D791	3_2_0042D791
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004357BC	3_2_004357BC
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00461000	3_2_00461000
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004741DF	3_2_004741DF
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0047E2D0	3_2_0047E2D0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0048B4A2	3_2_0048B4A2
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004896BB	3_2_004896BB
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00478BE2	3_2_00478BE2

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: String function: 00480E8D appears 34 times
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: String function: 00407FA0 appears 41 times
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: String function: 004746F0 appears 92 times
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: String function: 00414D60 appears 55 times
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: String function: 0047CB28 appears 42 times

Source: C:\Users\user\Desktop\Solara-3.0.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 292

Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe, 00000000.00000000.2093405656.00000000004A3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe, 00000003.00000003.2104002709.000000000479B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe, 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe	Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe

Source: Solara-3.0.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Solara-3.0.exe

Static PE information: Section: .bss ZLIB complexity 1.0003389443728523

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/5@3/1

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 3_2_0042E9E0 CoCreateInstance,

3_2_0042E9E0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\636f6bd6-0806-4c8d-8158-96602ad23db1

Jump to behavior

Source: Solara-3.0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Solara-3.0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Solara-3.0.exe	ReversingLabs: Detection: 39%
Source: Solara-3.0.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\Solara-3.0.exe

File read: C:\Users\user\Desktop\Solara-3.0.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"
Source: C:\Users\user\Desktop\Solara-3.0.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara-3.0.exe	Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"
Source: C:\Users\user\Desktop\Solara-3.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 292
Source: C:\Users\user\Desktop\Solara-3.0.exe	Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Solara-3.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Solara-3.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Solara-3.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Solara-3.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Solara-3.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Solara-3.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00474813 push ecx; ret	0_2_00474826
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00443813 pushfd ; ret	3_2_00443814
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00442991 push ecx; retf	3_2_004429A3
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00443B60 pushfd ; iretd	3_2_00443B61
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0043CC30 push eax; mov dword ptr [esp], 959493C2h	3_2_0043CC31
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004454B9 push esp; iretd	3_2_004454BF
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00439EB0 push eax; mov dword ptr [esp], 9B9C9D9Eh	3_2_00439EBE
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00474813 push ecx; ret	3_2_00474826

Source: C:\Users\user\Desktop\Solara-3.0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Solara-3.0.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-20616

Source: C:\Users\user\Desktop\Solara-3.0.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\Solara-3.0.exe TID: 3136	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe TID: 5456	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00485D48 FindFirstFileExW,	0_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00485DF9
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00485D48 FindFirstFileExW,	3_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00485DF9

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048CC000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425337234.00000000048CC000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425209758.000000000488C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Solara-3.0.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Solara-3.0.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 0_2_0046FAE0 LdrInitializeThunk,

0_2_0046FAE0

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 0_2_00474573 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00474573

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_0049E19E mov edi, dword ptr fs:[00000030h]	0_2_0049E19E
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00461EB0 mov edi, dword ptr fs:[00000030h]	0_2_00461EB0
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00461EB0 mov edi, dword ptr fs:[00000030h]	3_2_00461EB0

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 0_2_004817A0 GetProcessHeap,

0_2_004817A0

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_004741B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004741B7
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00474567 SetUnhandledExceptionFilter,	0_2_00474567
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_00474573 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00474573
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 0_2_0047C860 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0047C860
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_004741B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_004741B7
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00474567 SetUnhandledExceptionFilter,	3_2_00474567
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_00474573 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00474573
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: 3_2_0047C860 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0047C860

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 0_2_0049E19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0049E19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Solara-3.0.exe

Memory written: C:\Users\user\Desktop\Solara-3.0.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sweepyribs.lat

Source: C:\Users\user\Desktop\Solara-3.0.exe

Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	0_2_0048107D
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00485097
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	0_2_004852E8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00485390
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	0_2_004855E3
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	0_2_00485650
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	0_2_00485770
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	0_2_00485725
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00485817
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	0_2_0048591D
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	0_2_00480B75
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	3_2_0048107D
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00485097
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	3_2_004852E8
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00485390
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	3_2_004855E3
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	3_2_00485650
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	3_2_00485770
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: EnumSystemLocalesW,	3_2_00485725
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00485817
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	3_2_0048591D
Source: C:\Users\user\Desktop\Solara-3.0.exe	Code function: GetLocaleInfoW,	3_2_00480B75

Source: C:\Users\user\Desktop\Solara-3.0.exe

Code function: 0_2_00475145 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00475145

Source: C:\Users\user\Desktop\Solara-3.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.Solara-3.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Solara-3.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.Solara-3.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Solara-3.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Solara-3.0.exe	39%	ReversingLabs	Win32.Trojan.Generic
Solara-3.0.exe	49%	Virustotal		Browse
Solara-3.0.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discokeyus.lat	172.67.197.170	true	false	high
grannyejh.lat	unknown	unknown	false	high
sweepyribs.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sweepyribs.lat	false	high
necklacebudi.lat	false	high
sustainskelet.lat	false	high
crosshuaht.lat	false	high
rapeflowwj.lat	false	high
https://discokeyus.lat/api	false	high
aspecteirs.lat	false	high
grannyejh.lat	false	high
energyaffai.lat	false	high
discokeyus.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://discokeyus.lat/apic	Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/	Solara-3.0.exe, 00000003.00000002.2425276295.00000000048A0000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000003.2424663031.00000000048A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/m	Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	high
https://discokeyus.lat/H	Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.197.170	discokeyus.lat	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579341
Start date and time:	2024-12-21 19:50:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Solara-3.0.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/5@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 26 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 40.126.53.6, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:51:07	API Interceptor	3x Sleep call for process: Solara-3.0.exe modified
13:51:44	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.197.170	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse
	BigProject.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse
	zhQFKte2vX.exe	Get hash	malicious	LummaC	Browse
	ddySsHnC6l.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discokeyus.lat	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	BigProject.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	172.67.197.170
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.197.170
	gf3yK6i4OX.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	0WO49yZcDA.exe	Get hash	malicious	LummaC	Browse	104.21.21.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.67.146
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://shibe-rium.net/	Get hash	malicious	Unknown	Browse	104.18.18.237
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.197.170
	finathot.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.67.178.25
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	BigProject.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.164.25

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	172.67.197.170
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	172.67.197.170
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	BigProject.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	jqplot.hta	Get hash	malicious	Unknown	Browse	172.67.197.170
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Solara-3.0.exe_21f26f2be0e9e9802a2c187ddde573df4cf61f70_1d855bed_8f1bc4db-ab38-4420-a0b7-6f92aa229a8b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6670823956468123
Encrypted:	false
SSDEEP:	96:ztFny61yrv1isHsll1yDfUQXIDcQvc6QcEVcw3cE/X+HbHg/opAnhZAX/d5FMT2Q:xdyrz1ig0BU/wjRzuiFDZ24IO8mC
MD5:	D440EE9EE74B6E90AB3C152786D79BFC
SHA1:	4540C07D522C7B225D5E85F7A2B57CF19A155A86
SHA-256:	278415405CBC62C2DEDC581B3DE7671C9120FFBE8FA910EA91B19640C842B4F4
SHA-512:	728B34AE409C956EA00D9C9E1BAECB55519147332A0104A52F9316F0577C9338F2B89229F903F76FED2374B8772A4031723B6CCFA6166BB2B8E0D2CB91F40E4E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.8.0.6.6.7.4.3.6.4.6.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.8.0.6.6.8.6.3.9.5.8.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.1.b.c.4.d.b.-.a.b.3.8.-.4.4.2.0.-.a.0.b.7.-.6.f.9.2.a.a.2.2.9.a.8.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.b.0.d.a.f.a.-.2.f.0.6.-.4.7.c.b.-.a.5.5.2.-.7.d.3.8.e.5.e.9.5.e.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.l.a.r.a.-.3...0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.p.c.P.i.n.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.0.b.b.-.5.4.4.a.d.9.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.f.e.4.d.d.b.1.2.e.2.2.3.9.6.d.b.2.4.b.9.7.7.f.f.e.c.1.5.d.5.0.0.0.0.0.9.0.4.!.0.0.0.0.d.e.2.b.3.1.4.9.1.3.b.e.4.4.5.b.8.3.a.5.0.2.d.b.7.a.9.e.c.a.1.7.4.6.3.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C33.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Dec 21 18:51:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41964
Entropy (8bit):	1.6437198994996858
Encrypted:	false
SSDEEP:	96:5U8m5bXDT5UIJXSfha5Foi7GYQnk7bPgwaR68KoCS0jCj0WItWIXIfpITGsfCbWd:9ek5a5OOp7RW6zS8cfOGsqbRVAKIxp1
MD5:	CC24846C9596D2ED6C54A2E8E7F7C4D7
SHA1:	5516B109479E4BE1831BDBC4177F5CBB92173A57
SHA-256:	562128B41FBBC674C6DF1BD2E273297060C7658FF705F5563CB4E07C2D21657E
SHA-512:	05CF0648DE988EB2EDB07E69F12BA1F9A13AD40E0688D27007838798F5CC69C32165B31F5B8AF6941D2C8DB3388C2E0A652E6B60594E99869535C007BAE224AE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........gg........................<...........T...............T.......8...........T...........(..........................................................................................................eJ..............GenuineIntel............T.......@.....gg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E28.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8318
Entropy (8bit):	3.6943672374513326
Encrypted:	false
SSDEEP:	192:R6l7wVeJbv6RyQm6YEIPSU99JKgmfV0JvBprr89bLFsf2Zm:R6lXJD6U6YEgSU99JKgmfV0JvgLefZ
MD5:	5AF31F2C7C4A3E5DE0A5914373C9528A
SHA1:	338A4DF9BB6D26BEAE521B027782E064E83A1336
SHA-256:	79B5384A9977D73E9FA5C199D99AAB2B5990D453BB1FC1FD3A8D198CC05AC22D
SHA-512:	F795411BAD02A59AD95A11C25811775315548AA11461F471C526D2CC4D45651559199C661D317A9C8F70A09FBDA15C81511CA2474540D74D4F9C9B12469F3A43
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FCF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4661
Entropy (8bit):	4.4563276968170795
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg77aI9ZGWpW8VYaYm8M4JBuFgqI+q81/5ZKlTfd:uIjfqI7rH7VaJrqIO5ZKlTfd
MD5:	4DE04E437E96941DFFD113FFBACBDFA1
SHA1:	52E359A1C0D8E40AE24D8BC723ADB51A2D08D801
SHA-256:	CDB7C9BFFDF1BF4D83897DD6BC1740CF7459EB98EC281A8675EC5AF6F57A5799
SHA-512:	578376727370C2CAA2941643D6A8ECB57FC553799A64561625F54D52FD78AF4A8E2A456CD8D7E8491F814BD298ADD59998746AB5CC060D635ADCB3433891FFD0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641393" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422056561724063
Encrypted:	false
SSDEEP:	6144:hSvfpi6ceLP/9skLmb0OTdWSPHaJG8nAgeMZMMhA2fX4WABlEnNy0uhiTw:4vloTdW+EZMM6DFyo03w
MD5:	C7BBA22FAECC6C41799E6CB42B1D2B4F
SHA1:	943441A7F9AC8BEC2699E7F62FBB6648086AD6EE
SHA-256:	E567A96E61499891DE0E4D79C2C9278A0F3ECB92EFE3CF0C10838E21343E4775
SHA-512:	80BFEF854A932D4EA84972841D37A42455AB3C09A9D242900D79E37FD4219B8C4FB0C0618D8364A8823FA751AE7E2750B1C30E16D7166F716FA7CD6EFC3717F2
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.!1K.S................................................................................................................................................................................................................................................................................................................................................&.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.50011582482069
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Solara-3.0.exe
File size:	564'736 bytes
MD5:	4ae32f4d7b7d72738797fa1533962135
SHA1:	de2b314913be445b83a502db7a9eca17463bfcd0
SHA256:	6a6a26172d67b47810cc4088daed7fc1d77a45d7ebc998cfa1bb13c988fc9e4b
SHA512:	5b4fbcf07c1a138b0f2066f01bec969bd4f0f5b84175b88d9590a690273280cec47d8db5fe92a659e2f454c342d59d05e681440808864d5622f5a8cec4bf3411
SSDEEP:	12288:xFVM5DLdrsiop2kOyV8x++VSmWJbJ4Hcxw6scr:xFVYviiktp+6LFr
TLSH:	12C4D0027150C073D96321BB587ED75E4A3EAA100F62AECF97480DFDDF616D1AA30B66
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Aeg.........."..................P............@.................................Ao....@.................................(...<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4150f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6765411E [Fri Dec 20 10:04:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6716b894454b929c32282dbf6dfdce09

Entrypoint Preview

Instruction
call 00007F3B2485FFBAh
jmp 00007F3B2485FE1Dh
mov ecx, dword ptr [0043F700h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F3B2485FFB6h
test esi, ecx
jne 00007F3B2485FFD8h
call 00007F3B2485FFE1h
mov ecx, eax
cmp ecx, edi
jne 00007F3B2485FFB9h
mov ecx, BB40E64Fh
jmp 00007F3B2485FFC0h
test esi, ecx
jne 00007F3B2485FFBCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043F700h], ecx
not ecx
pop edi
mov dword ptr [0043F740h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0043AA88h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0043AA40h]
xor dword ptr [ebp-04h], eax
call dword ptr [0043AA3Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0043AAD8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00440DE0h
call dword ptr [0043AAB0h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F3B24866B73h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a828	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x43000	0x4b7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x44000	0x24a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x36608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x32aa8	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a9d4	0x170	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2f24a	0x2f400	2495dc8c0ab12c8014ecfa67ba4bfca9	False	0.5031932043650794	data	6.419092713039867	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x31000	0xc284	0xc400	1771f12ca6aaa6d4844c856d3aad4ff5	False	0.40066964285714285	data	4.725281682840565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x35a8	0x2600	874dc6cdc2c93e2daa504e2a1c4b2e76	False	0.3143503289473684	data	5.134884165481645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x42000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x43000	0x4b7	0x600	323e5b8dfbb45ffd31cb2e4414139031	False	0.3704427083333333	data	3.0539719237019582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x44000	0x24a0	0x2600	15738575c29a8c3c6c9891e3304b685e	False	0.7405427631578947	data	6.4805114858401405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x47000	0x48c00	0x48c00	33e58051289bd7a53fd787e995c122d6	False	1.0003389443728523	data	7.999363347533518	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x430a0	0x390	data	English	United States	0.4517543859649123
RT_MANIFEST	0x43430	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ADVAPI32.dll

EqualPrefixSid

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T19:51:07.603905+0100	2058378	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat)	1	192.168.2.5	63394	1.1.1.1	53	UDP
2024-12-21T19:51:07.999442+0100	2058364	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)	1	192.168.2.5	55666	1.1.1.1	53	UDP
2024-12-21T19:51:08.282211+0100	2058360	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)	1	192.168.2.5	58809	1.1.1.1	53	UDP
2024-12-21T19:51:10.175064+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49704	172.67.197.170	443	TCP
2024-12-21T19:51:10.175064+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	172.67.197.170	443	TCP
2024-12-21T19:51:38.492451+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	172.67.197.170	443	TCP
2024-12-21T19:51:38.492451+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	172.67.197.170	443	TCP
2024-12-21T19:51:39.581423+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49754	172.67.197.170	443	TCP
2024-12-21T19:51:39.581423+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49754	172.67.197.170	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 19:51:08.938385010 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:08.938438892 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:08.938519001 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:08.941977024 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:08.941997051 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:10.174979925 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:10.175064087 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:10.178751945 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:10.178770065 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:10.179033995 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:10.221865892 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:10.250732899 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:10.250777960 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:10.250822067 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:38.492443085 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:38.492563963 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:38.492650986 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:38.494374037 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:38.494415998 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:38.494445086 CET	49704	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:38.494460106 CET	443	49704	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:38.507814884 CET	49754	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:38.507844925 CET	443	49754	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:38.508025885 CET	49754	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:38.508421898 CET	49754	443	192.168.2.5	172.67.197.170
Dec 21, 2024 19:51:38.508435011 CET	443	49754	172.67.197.170	192.168.2.5
Dec 21, 2024 19:51:39.581423044 CET	49754	443	192.168.2.5	172.67.197.170

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 19:51:07.603904963 CET	63394	53	192.168.2.5	1.1.1.1
Dec 21, 2024 19:51:07.912897110 CET	53	63394	1.1.1.1	192.168.2.5
Dec 21, 2024 19:51:07.999442101 CET	55666	53	192.168.2.5	1.1.1.1
Dec 21, 2024 19:51:08.223491907 CET	53	55666	1.1.1.1	192.168.2.5
Dec 21, 2024 19:51:08.282211065 CET	58809	53	192.168.2.5	1.1.1.1
Dec 21, 2024 19:51:08.683098078 CET	53	58809	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 19:51:07.603904963 CET	192.168.2.5	1.1.1.1	0xd29d	Standard query (0)	sweepyribs.lat	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:07.999442101 CET	192.168.2.5	1.1.1.1	0xfe2b	Standard query (0)	grannyejh.lat	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:08.282211065 CET	192.168.2.5	1.1.1.1	0x67dd	Standard query (0)	discokeyus.lat	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 19:51:07.912897110 CET	1.1.1.1	192.168.2.5	0xd29d	Name error (3)	sweepyribs.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:08.223491907 CET	1.1.1.1	192.168.2.5	0xfe2b	Name error (3)	grannyejh.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:08.683098078 CET	1.1.1.1	192.168.2.5	0x67dd	No error (0)	discokeyus.lat		172.67.197.170	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:08.683098078 CET	1.1.1.1	192.168.2.5	0x67dd	No error (0)	discokeyus.lat		104.21.21.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discokeyus.lat

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.197.170	443	4956	C:\Users\user\Desktop\Solara-3.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 18:51:10 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: discokeyus.lat
2024-12-21 18:51:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-21 18:51:38 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 18:51:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gtsr7k087gr04o3a61clscbmt5; expires=Wed, 16 Apr 2025 12:38:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OP1c%2FIMw9X7tIYU9uCUqStJsrroAAviJHXWa1wSFrnFjM2haYqoAzqgxKPmjqTgHVwUhDwhuJQ6VTFf%2BKO53m7wfUcYPrIpHF8H5oofm%2FXJyXNcKsCIf%2BYF%2BAtbSYE%2FWcw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a0fde4cc87cb2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1845&min_rtt=1831&rtt_var=715&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=905&delivery_rate=1500513&cwnd=216&unsent_bytes=0&cid=bb56422645c647fb&ts=28329&x=0"
2024-12-21 18:51:38 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-21 18:51:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:51:05
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\Solara-3.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Solara-3.0.exe"
Imagebase:	0x460000
File size:	564'736 bytes
MD5 hash:	4AE32F4D7B7D72738797FA1533962135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:51:05
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:51:06
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\Solara-3.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Solara-3.0.exe"
Imagebase:	0x460000
File size:	564'736 bytes
MD5 hash:	4AE32F4D7B7D72738797FA1533962135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:51:07
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 292
Imagebase:	0xdc0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	279
Total number of Limit Nodes:	12

Executed Functions

Function 0049E19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0049E110,0049E100), ref: 0049E334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0049E347
Wow64GetThreadContext.KERNEL32(0000010C,00000000), ref: 0049E365
ReadProcessMemory.KERNELBASE(00000110,?,0049E154,00000004,00000000), ref: 0049E389
VirtualAllocEx.KERNELBASE(00000110,?,?,00003000,00000040), ref: 0049E3B4
WriteProcessMemory.KERNELBASE(00000110,00000000,?,?,00000000,?), ref: 0049E40C
WriteProcessMemory.KERNELBASE(00000110,00400000,?,?,00000000,?,00000028), ref: 0049E457
WriteProcessMemory.KERNELBASE(00000110,?,?,00000004,00000000), ref: 0049E495
Wow64SetThreadContext.KERNEL32(0000010C,05210000), ref: 0049E4D1
ResumeThread.KERNELBASE(0000010C), ref: 0049E4E0

Strings

Load, xrefs: 0049E1DA
GetThreadContext, xrefs: 0049E276
aryA, xrefs: 0049E1E2
VirtualAlloc, xrefs: 0049E263
ResumeThread, xrefs: 0049E2D8
GetP, xrefs: 0049E21E
WriteProcessMemory, xrefs: 0049E2AF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 0049E333
TerminateProcess, xrefs: 0049E3C3
VirtualAllocEx, xrefs: 0049E29C
CreateProcessW, xrefs: 0049E250
ReadProcessMemory, xrefs: 0049E289
SetThreadContext, xrefs: 0049E2C2
ress, xrefs: 0049E226

Memory Dump Source

Source File: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 7ff6e68f4c2e9b35ac9383a03b257b437f120c44c2578ca53fe366be505faf65
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 71B1087260024AAFDB60CF69CC80BDA77A5FF88714F158165EA0CAB341D774FA52CB94

Function 0046FAE0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c7103b9ff8fd93b9d58c5197832e7a4a4584028e24c07e948ad7a813ba6458
Instruction ID: 77e1442c9ed962418e394c65b68adb720dbda21a90b346135a2b0fca75759fc0
Opcode Fuzzy Hash: 12c7103b9ff8fd93b9d58c5197832e7a4a4584028e24c07e948ad7a813ba6458
Instruction Fuzzy Hash: 8CB09BF1C0410CA7C704DA85F91245D776C5544654B140079E40D53301E5317F14D556

Function 00462080 Relevance: 9.2, APIs: 6, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00462115
GetFileSize.KERNEL32 ref: 00462144
CloseHandle.KERNEL32 ref: 00462160

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 19b62a6e598764c7222ed1fb2e84d65a4a0bd122eb344adffaedbb331904a1aa
Instruction ID: 3c12bbcac4400d6f728ecf589c70393eb76b80c8dc482a8ac3500137a8b4a224
Opcode Fuzzy Hash: 19b62a6e598764c7222ed1fb2e84d65a4a0bd122eb344adffaedbb331904a1aa
Instruction Fuzzy Hash: 6381CDB0D04248DFDB00DFA8D59869DBBF0BF18304F10882EE859AB351E778A985CF56

Function 00486FCE Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00486FD6

Part of subcall function 0047FF81: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00481755,?,00000000,-00000008), ref: 0047FFE2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048700E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048702E

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: bcf0cde722a0456d57250c36c36ff12085be701cb380195d5b48161a4752b4b9
Instruction ID: 084594cea2ce6d152608e9cb298df14fa7af68ded9d6167ebaca9eaea889e592
Opcode Fuzzy Hash: bcf0cde722a0456d57250c36c36ff12085be701cb380195d5b48161a4752b4b9
Instruction Fuzzy Hash: A011E1F15096057F672137769DDDCAF3A5CDE973A8720083BF405A1212EA2CCD0192BA

Function 00461F20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00461F8B
VirtualProtect.KERNELBASE ref: 0046204D

Strings

@, xrefs: 00462041

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual
String ID: @
API String ID: 621788221-2766056989
Opcode ID: 451d0fed37a2f0193c8eb337c2d3d3c9e7365d27a0770c7e692254c1695eb6ab
Instruction ID: fbea82c5de1925dd5d8908f340075d53cad580bc0849a15e1875dc117a1d6c6c
Opcode Fuzzy Hash: 451d0fed37a2f0193c8eb337c2d3d3c9e7365d27a0770c7e692254c1695eb6ab
Instruction Fuzzy Hash: BB41A0B0D00208DFCB04DFAAD58469EBBF0FF48358F10846AE858AB351E779A945CF95

Function 00487A04 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00487DAE: GetConsoleOutputCP.KERNEL32(B2B73640,00000000,00000000,?), ref: 00487E11

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00478632,?,00478894), ref: 00487B89
GetLastError.KERNEL32(?,00478632,?,00478894,?,00478894,?,?,?,?,?,?,?,00000000,?,?), ref: 00487B93

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 693c4d68f05e54aed7c69ba67f67bcdea14cb6aa6233fa8dbc1c251866790b95
Instruction ID: 8f1be8107f55989e4441358f7e88d56efe787917cc0650aa955a5e2007670db6
Opcode Fuzzy Hash: 693c4d68f05e54aed7c69ba67f67bcdea14cb6aa6233fa8dbc1c251866790b95
Instruction Fuzzy Hash: AC61EA71C08119AFDF15EFA8C894EEFBFB9AF05308F24095AE904A7211D339DA41CB59

Function 004881DD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00487B6F,?,00478894,?,?,?,00000000), ref: 00488279
GetLastError.KERNEL32(?,00487B6F,?,00478894,?,?,?,00000000,?,?,?,?,?,00478632,?,00478894), ref: 0048829F

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 3e3dba099b3f349ce9f37304f46a10452a464c65be98459dba76d3f06eaa3ddd
Instruction ID: 84aefb219fd3eedbbe54906c1af299ef7179b6bf13cbace1d93104d8113e0ef1
Opcode Fuzzy Hash: 3e3dba099b3f349ce9f37304f46a10452a464c65be98459dba76d3f06eaa3ddd
Instruction Fuzzy Hash: 4521D030A002188FCF19DF29DD809EDB7BAEF89305F5044EEE906D7211DA349D82CB68

Function 00481912 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00481801,0049D0A8,0000000C), ref: 0048195E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00481801,0049D0A8,0000000C), ref: 00481970

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: e75ff6fd02d2aa2e9dfbb44feb0c90f2c0128bac9235222b9c00e4918474a9dd
Instruction ID: 7cb3208534460a054a67d207992bd456fa43f051b5211c7edca2eaf7cc5e6571
Opcode Fuzzy Hash: e75ff6fd02d2aa2e9dfbb44feb0c90f2c0128bac9235222b9c00e4918474a9dd
Instruction Fuzzy Hash: 971193A11047514AC7306E2E8CA866BAA9DA752330B280B1BD1A7976F1C228D887D349

Function 00462300 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00462328
GetModuleFileNameA.KERNEL32 ref: 00462348

Part of subcall function 00462080: CreateFileA.KERNELBASE ref: 00462115

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: FileModule$CreateHandleName
String ID:
API String ID: 2828212432-0
Opcode ID: a57ef618eaf9a449f14c5c9d29ae0e77868c1625401e650007272a10c01bd497
Instruction ID: 042b4a1c788df115f38f627d2f57e4c8070c502fb3d1cda20f4e7174a29a88e2
Opcode Fuzzy Hash: a57ef618eaf9a449f14c5c9d29ae0e77868c1625401e650007272a10c01bd497
Instruction Fuzzy Hash: C1F0F9B19042088FCB50EF78D9453DDBBF4AB14300F4084BED8C9D3240EA785A98CF86

Function 0047FE37 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,004840C4,?,00000000,?,?,00483D64,?,00000007,?,?,004846AA,?,?), ref: 0047FE4D
GetLastError.KERNEL32(?,?,004840C4,?,00000000,?,?,00483D64,?,00000007,?,?,004846AA,?,?), ref: 0047FE58

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: f2d889fc6ff98e5802c9f71d94ac43b5d0abaf1ca6817945bdb87b62b06d8159
Instruction ID: 5f1f5717cf8a790d6363b09a50be10354d17ec2deee065941fe7f854535f40e6
Opcode Fuzzy Hash: f2d889fc6ff98e5802c9f71d94ac43b5d0abaf1ca6817945bdb87b62b06d8159
Instruction Fuzzy Hash: F5E0CD3210025867DF113FE1ED09BDA3B58DB41795F40403AF51C96572D63C8850CBDC

Function 00472E60 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ecef80945b5e4976aedc8eb0dd2ff6427eb21d1ab8196fbbe8a94f634d9eaa
Instruction ID: 02350faae03d25c369afae22d0ee9b815bc34a099e05a1eb8eeb1d188088fc51
Opcode Fuzzy Hash: d9ecef80945b5e4976aedc8eb0dd2ff6427eb21d1ab8196fbbe8a94f634d9eaa
Instruction Fuzzy Hash: 3531B63290010AAFCF15CF69CA808EEB7F8BF09320B14826BE519E3390D775E945DB94

Function 00471740 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004716A7: GetModuleHandleExW.KERNEL32(00000002,00000000,?,?,?,0047166A,?,?,0047163B,?), ref: 004716B3

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,B2B73640,?,?,?,0048FCB4,000000FF), ref: 004717A7

Part of subcall function 00468140: std::_Throw_Cpp_error.LIBCPMT ref: 0046816C
Part of subcall function 00468140: std::_Throw_Cpp_error.LIBCPMT ref: 00468188

Part of subcall function 00473D6F: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00468209,?,0046E473), ref: 00473D84

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CallbackExclusiveFreeHandleLibraryLockModuleReleaseReturnsWhen
String ID:
API String ID: 1423221283-0
Opcode ID: c539351b19c6ae3b01a17c1ef7c9df1ed1fc9bc74dbb96460e272e4859880bb4
Instruction ID: 6d103d9676a963250bee1ae907ff814d248588616b9612fd3da6544e7d8e476d
Opcode Fuzzy Hash: c539351b19c6ae3b01a17c1ef7c9df1ed1fc9bc74dbb96460e272e4859880bb4
Instruction Fuzzy Hash: 3311C8369006149BCB256F5ADC41AAE7769EB52B24F14C43FF809977A0CF3DE801CA9D

Function 00472E52 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 1c9328f9d37dce5cab7efee406f89d5864b2cd8d66f9955c354b2597b37e5286
Instruction ID: cd28ab122ef5644526ec33fa1ee6d946bf93bd7b610a254b9257e443c53453af
Opcode Fuzzy Hash: 1c9328f9d37dce5cab7efee406f89d5864b2cd8d66f9955c354b2597b37e5286
Instruction Fuzzy Hash: 5601263260C2425BCB19CB39EB652E9BB60FF46339F20C16FD00D956C2C7AA9455D748

Function 00462380 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EqualPrefixSid.ADVAPI32 ref: 004623FA

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: EqualPrefix
String ID:
API String ID: 447727826-0
Opcode ID: 34cadc1378e9d0bee2da34770a2c4a65cb1fe1a500c7780a80e5aaf688aefb9f
Instruction ID: b7eb82a318c0dcafd11a85cf3d0add70c9f9aa695d6e1eac46a0f1f5143358f1
Opcode Fuzzy Hash: 34cadc1378e9d0bee2da34770a2c4a65cb1fe1a500c7780a80e5aaf688aefb9f
Instruction Fuzzy Hash: 771109B4901609DFCB04DF99D945BDEBBB4FB48728F00812AE819AB380D7785944CFA6

Function 0047FE71 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00470E1D,?,?,00462FE2,00001000,?,00462F2A), ref: 0047FEA3

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ef2262f2900776d29af56ef3b1de4940006827f89802cf61de50a89c5ef55441
Instruction ID: 38144ce7c6f9ada679b9f25b325b0b27de8179e30c0ab0e6326dd351624e71b7
Opcode Fuzzy Hash: ef2262f2900776d29af56ef3b1de4940006827f89802cf61de50a89c5ef55441
Instruction Fuzzy Hash: 84E065211001619BDB316B669C01BEB76589F82BA0F15C13BEC5DD66B3DB2CCC0581AE

Function 0046F270 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0046F291

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: e698da4e2a0c9afea4aee6be23e352cc0bb0fce2af689acc99df10ec8a48f2d0
Instruction ID: f87c90347590ffef6ee9105f31a4345417e6acb3a0d48655cc87f40c33a3af32
Opcode Fuzzy Hash: e698da4e2a0c9afea4aee6be23e352cc0bb0fce2af689acc99df10ec8a48f2d0
Instruction Fuzzy Hash: CEF0F878D04208DFCB04EFA9D5518ADBBB4AF48304F1044AAE85AA7351EB399E00CF56

Function 00468A40 Relevance: 1.5, APIs: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00468A61

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5131010f3407a689571a87183b5d103d86ee62e594e9a9b88ca0487d03deef54
Instruction ID: 1dc24888d757581d4b73de89fe269525d2621a7902bd6b9d3fd86aaefd53842e
Opcode Fuzzy Hash: 5131010f3407a689571a87183b5d103d86ee62e594e9a9b88ca0487d03deef54
Instruction Fuzzy Hash: C6F0F874D04208DFCB04EFE8C5418ADBBB0AF48314F1044AEE81AA7351EB39AF40CB56

Non-executed Functions

Function 0048B4A2 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0048B6B9

Strings

1#IND, xrefs: 0048B5A7
1#SNAN, xrefs: 0048B5AE
1#INF, xrefs: 0048B5D8
1#QNAN, xrefs: 0048B5B5

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: eab5addb0e7cd2b1b80f192b61e92c7fc162755920d8ccc8fe4213d01857f5c2
Instruction ID: c844118c73d4306578c6baa7dfb55b69345580841cb79d533c2184956c6f583e
Opcode Fuzzy Hash: eab5addb0e7cd2b1b80f192b61e92c7fc162755920d8ccc8fe4213d01857f5c2
Instruction Fuzzy Hash: B6D22871E082298FDB65DE28CD807EEB7B5EB44304F1445EBD40DA7240EB78AE858F95

Function 00485817 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004851CD,00000002,00000000,?,?,?,004851CD,?,00000000), ref: 004858B0
GetLocaleInfoW.KERNEL32(?,20001004,004851CD,00000002,00000000,?,?,?,004851CD,?,00000000), ref: 004858D9
GetACP.KERNEL32(?,?,004851CD,?,00000000), ref: 004858EE

Strings

OCP, xrefs: 0048586B
ACP, xrefs: 00485835

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b7b6e04075c34ba6e8befd3790eec65a3a84a8479d01bb772d7b482c0cf2ffba
Instruction ID: 10d763c5a00cf18537874466c7f208a27616a780f66d99654247b6b88e0fa65c
Opcode Fuzzy Hash: b7b6e04075c34ba6e8befd3790eec65a3a84a8479d01bb772d7b482c0cf2ffba
Instruction Fuzzy Hash: 9121D622A00A01AADB34BF15C904A9F73A6EF54B10B568C37E80ADB310E73ADD61D359

Function 00485097 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0048519F
IsValidCodePage.KERNEL32(00000000), ref: 004851DD
IsValidLocale.KERNEL32(?,00000001), ref: 004851F0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00485238
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00485253

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: ab30e1121f8852ad6a1b4c06bf4d79c937cb140eca638a1b9684f2655b86f13d
Instruction ID: f3295c213ed65c8e1ca4d0fece6783c2dc2ad59ff5fbd825c3a2a3b8e953320c
Opcode Fuzzy Hash: ab30e1121f8852ad6a1b4c06bf4d79c937cb140eca638a1b9684f2655b86f13d
Instruction Fuzzy Hash: 5F517F71E00A05ABDF10FFA5CC45BAF73B8AF48304F54496BE901E7290EB789944CB69

Function 0047E2D0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f1bee39169fa6f762fa4cea941cf52af4f013e640272b1e1485c0bbb4dd8b8
Instruction ID: 6354ae27e696beb7ed248515af34c88a277c6a23a5ea6d6e690b79aae1a662de
Opcode Fuzzy Hash: 65f1bee39169fa6f762fa4cea941cf52af4f013e640272b1e1485c0bbb4dd8b8
Instruction Fuzzy Hash: 6D023C71E012199BDF14CFAAC9806EEBBF5FF48314F2482AAD519E7341D735A901CB94

Function 00485DF9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00485EE9

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 22f9ebce84bb6a559313b292263ba32c2ea57328663f012966219298a44a6336
Instruction ID: 6fbce18ebb927290f294ee6c9559dc1e58c2b501e72bc76fdb81196c2c27a171
Opcode Fuzzy Hash: 22f9ebce84bb6a559313b292263ba32c2ea57328663f012966219298a44a6336
Instruction Fuzzy Hash: 7C71CF718055685FDF21EF28DC89AAEBBB9AF06304F1445EBE009A7211DB394E859F18

Function 00474573 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0047457F
IsDebuggerPresent.KERNEL32 ref: 0047464B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00474664
UnhandledExceptionFilter.KERNEL32(?), ref: 0047466E

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 331a6c337b0a67d968fb18326a864c7bf2ec5380e162f9cde456f21798adb067
Instruction ID: 29eb6403ec1eacdd17462cebc1f3a735e11512270b1347bd8f88bda96b67ae56
Opcode Fuzzy Hash: 331a6c337b0a67d968fb18326a864c7bf2ec5380e162f9cde456f21798adb067
Instruction Fuzzy Hash: 4E310875D052289BDF20DFA5DD497CDBBB8AF08304F1041AAE50CAB250EB749A84CF89

Function 00475145 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00475157
GetCurrentThreadId.KERNEL32 ref: 00475166
GetCurrentProcessId.KERNEL32 ref: 0047516F
QueryPerformanceCounter.KERNEL32(?), ref: 0047517C

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e1599c5150b4f98d13a7a635760fe50ce9a20c2df094ea0cccd13dc78d1fd464
Instruction ID: 23e88c55ad0d04b18723518cc13ea0e30c6d933b6375edb01020aea1c122e6fd
Opcode Fuzzy Hash: e1599c5150b4f98d13a7a635760fe50ce9a20c2df094ea0cccd13dc78d1fd464
Instruction Fuzzy Hash: 44F0B230C0020CEBCB00DBB4CA4899EBBF4FF2C200B9145A6A412E7510EB34AB54DF95

Function 00485390 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004853E4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0048542E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004854F4

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 10907cc074d4e44a37c40e9bc0a30fa97308e70a61ad4b0d188651dde5a80773
Instruction ID: 21d1b424b122393be48acc6900d7a07f5fc02a52f6adc064e2f034fb889588a1
Opcode Fuzzy Hash: 10907cc074d4e44a37c40e9bc0a30fa97308e70a61ad4b0d188651dde5a80773
Instruction Fuzzy Hash: 9161C171510A07AFDB28AF24CC82BBE77A9EF04704F1049BBE905C6285E738DD85CB58

Function 0047C860 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0047C958
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0047C962
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0047C96F

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d8be7e0776969c31b0b8fb487142d33b061b9ed94f2d9ef292d23b9c5ce938af
Instruction ID: 23dcf6ddf4e72f526c8559815920f10440c1bf28a49947b2c7ede2f77029c40b
Opcode Fuzzy Hash: d8be7e0776969c31b0b8fb487142d33b061b9ed94f2d9ef292d23b9c5ce938af
Instruction Fuzzy Hash: D431D4B4901228ABCB21DF64DC887CDBBB8BF18314F5081EAE50CA7250E7749F858F49

Function 004852E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

EnumSystemLocalesW.KERNEL32(00485390,00000001,00000000,?,-00000050,?,00485173,00000000,-00000002,00000000,?,00000055,?), ref: 0048535A

Strings

sQH, xrefs: 0048532F

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: sQH
API String ID: 2417226690-1917954732
Opcode ID: 104f16c82d7709611ff62b2b263fa4dd858a02497ff8b57da4ce88bf2181e717
Instruction ID: 5087d1ef6c2a535ea89c79444d0a5a2454aebcc3ce8e358e22fc3fae75fd552f
Opcode Fuzzy Hash: 104f16c82d7709611ff62b2b263fa4dd858a02497ff8b57da4ce88bf2181e717
Instruction Fuzzy Hash: A8110636200B019FDB18AF39D89167FB791FB80398B14482EE94647B40D3B57842C744

Function 004896BB Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00489616,?,?,00000008,?,?,0048FACB,00000000), ref: 004898E8

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8200f43a6ade1d3bac06ce9d1166b8f7ae32262e87b17f67aa0d189d82ecce8e
Instruction ID: b79801471a78d91f269330d05a8c77123f7a5da92a8e311f259066d195726e79
Opcode Fuzzy Hash: 8200f43a6ade1d3bac06ce9d1166b8f7ae32262e87b17f67aa0d189d82ecce8e
Instruction Fuzzy Hash: 5CB14871520A099FD715DF28C486B697BA0FF05324F298A5DE899CF3A1C339ED82CB44

Function 004741DF Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004741F5

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 831c7c34cfd3edfbf5d633f16a903ad813e129b1c38477a2d3c375c0f8f9d82a
Instruction ID: 824c94eabf89fa31546e8b5d6dd746995d250a22379b9a52efcc1f64b6f8ba5e
Opcode Fuzzy Hash: 831c7c34cfd3edfbf5d633f16a903ad813e129b1c38477a2d3c375c0f8f9d82a
Instruction Fuzzy Hash: 2EA190B29112058FDB58DF54D8816AEBBF0FB98364F25813BD425E73A0D3389844CF58

Function 00485D48 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00481174: HeapAlloc.KERNEL32(00000008,00001000,?,?,00480268,00000001,00000364,?,00000003,000000FF,?,?,0047C119,0047FEB4,00000000), ref: 004811B5

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00485EE9
FindNextFileW.KERNEL32(00000000,?), ref: 00485FDD
FindClose.KERNEL32(00000000), ref: 0048601C
FindClose.KERNEL32(00000000), ref: 0048604F

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 3cc535a4d083a94a3375bad261cba25c35bf955f78c21b51f32c2f915012e149
Instruction ID: 4b983b9a7a8e368f85ea6ea15af05980ebb55cbcb82fcc932f7694c4fbccb627
Opcode Fuzzy Hash: 3cc535a4d083a94a3375bad261cba25c35bf955f78c21b51f32c2f915012e149
Instruction Fuzzy Hash: CC5135719005086FDF10BF299C88AFF77A9DF45318F1485AFF80997311EA388E429B68

Function 00485650 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004856A4

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 049e87ebc49aecb2af85d0f9e1ec20549932dbe0c41495daeeea5e93dbc983ff
Instruction ID: 06ab6513d8c275a023fc027ef846a4ed2d5cdeebba0478b96a0aed40e340b52c
Opcode Fuzzy Hash: 049e87ebc49aecb2af85d0f9e1ec20549932dbe0c41495daeeea5e93dbc983ff
Instruction Fuzzy Hash: C921B072611606EBEB28BA65DC81ABF73A8EF05318F10447FFD05D6241EA78AD44CB58

Function 00478BE2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00478D66

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5450a32e22fa8dff74a060d0452af9f1a162ded9fd58edc0784ae9ce43070a57
Instruction ID: 766db836d0b376a257f6400ed672d171caccdee7a26c2713831b5f30790cbec2
Opcode Fuzzy Hash: 5450a32e22fa8dff74a060d0452af9f1a162ded9fd58edc0784ae9ce43070a57
Instruction Fuzzy Hash: 8AB1D13098060A8FCB359E68895D6FFBBA1AB50304F14861FD45AA7781CF3C9D02CB69

Function 00485770 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004857C4

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 63ec89b57b520e04d2db24417f80f52f332c2a7e7f009a61820e0ea0e6fdf60a
Instruction ID: 1f51d6fd9b7fc836a1236651ada3946befa255340174ba95eb635377059182a9
Opcode Fuzzy Hash: 63ec89b57b520e04d2db24417f80f52f332c2a7e7f009a61820e0ea0e6fdf60a
Instruction Fuzzy Hash: C011A3725116069BDB14BB69DC46ABE77ACEF05328B10447BE901D7241EB38E9048758

Function 0048591D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004855AC,00000000,00000000,?), ref: 00485949

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 3a4dfc6db04577bff8446b65e1dd7438907b862b34358bc2fa8a7009b37c335f
Instruction ID: 171677c1b4401275ee12613a6d378b3d48a95c82ab52600fb05bc56158b9599e
Opcode Fuzzy Hash: 3a4dfc6db04577bff8446b65e1dd7438907b862b34358bc2fa8a7009b37c335f
Instruction Fuzzy Hash: 95012B72610512FFDB1867648805BBF7754DB40368F144C2AEC02A3280DA38FD42DBD8

Function 004855E3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

EnumSystemLocalesW.KERNEL32(00485650,00000001,?,?,-00000050,?,0048513B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 0048562D

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 719ead4727b4538a988356acf56d357dd86cec96023afba17783f2080c0fd801
Instruction ID: 7d6d85c24d169c8b959b108c93151a870129eb177f6fbbd81663de6d356b51e2
Opcode Fuzzy Hash: 719ead4727b4538a988356acf56d357dd86cec96023afba17783f2080c0fd801
Instruction Fuzzy Hash: 10F0F6763007045FDB246F39E881A7F7B91EF81368F558C6EF9094B680E6B5AC42C758

Function 0048107D Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0047CB11: EnterCriticalSection.KERNEL32(?,?,0047A2FD,00000000,0049CC70,0000000C,0047A2B6,00001000,?,004811A7,00001000,?,00480268,00000001,00000364,?), ref: 0047CB20

EnumSystemLocalesW.KERNEL32(00481070,00000001,0049D088,0000000C,00480A71,-00000050), ref: 004810B5

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c6c3a722d136fc36f9e7d99896d73756d88aed0eeeb1fea3a79235e67da2d521
Instruction ID: b7554b5bbdd85f776a734c28675692f8f61e74d723bda75787475d9fff7c5702
Opcode Fuzzy Hash: c6c3a722d136fc36f9e7d99896d73756d88aed0eeeb1fea3a79235e67da2d521
Instruction Fuzzy Hash: 00F0A972A40204DFDB00EF98E882B9CBBB0EB49324F10817BF400DB2A0C77D8804CB48

Function 00485725 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

EnumSystemLocalesW.KERNEL32(00485770,00000001,?,?,?,00485195,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0048575C

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5f638af925f5d9b83f4ceac84dd2fb0b047db3fb8dc44f807238310eab5e0265
Instruction ID: ccbe6248a9f0bde7949f476863e27c21aefe9c713b19ac60c59659f1e407454b
Opcode Fuzzy Hash: 5f638af925f5d9b83f4ceac84dd2fb0b047db3fb8dc44f807238310eab5e0265
Instruction Fuzzy Hash: 46F0EC3930020597CB04BF35D85576F7F94EFC1754F46846AEA058B650C6799C42C794

Function 00480B75 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,0047B863,?,20001004,00000000,00000002,?,?,0047A771), ref: 00480BA9

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c96774567c93a93a374eca46f7cf9b9968fb69017b4f1513ea17a5a04193b885
Instruction ID: 2f017d06032b2e9bb342fc25db9765081ce01c9c313b0407130b228518283e64
Opcode Fuzzy Hash: c96774567c93a93a374eca46f7cf9b9968fb69017b4f1513ea17a5a04193b885
Instruction Fuzzy Hash: 4EE04F31500218BBDF223FA1DC05E9E3F26EF54761F044426FD0965221CB799971ABDA

Function 00474567 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00014690), ref: 0047456C

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 60485be466b433da45844eb42321a74e26237a0b5b0478624c91305150a4baab
Instruction ID: c8f4aef903b0f18baa861380af93e8ce487dbbeb5228408551ea53f2a8bd2e01
Opcode Fuzzy Hash: 60485be466b433da45844eb42321a74e26237a0b5b0478624c91305150a4baab
Instruction Fuzzy Hash:

Function 004817A0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 004817A0

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0e4c9f0cb5818a35cbb40c0239ffe655ce4e969d5d234494acac407ef26c38df
Instruction ID: ecc271ecb8175078c3e1128ba3ffd569f13c1a319703ef03bb044f74b45c6c29
Opcode Fuzzy Hash: 0e4c9f0cb5818a35cbb40c0239ffe655ce4e969d5d234494acac407ef26c38df
Instruction Fuzzy Hash: 98A002705011019B67405F355B456493AD5655959174944795405C5570D62444909749

Function 00461000 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59eb52ad6400f8b7817ae8e3a6c77c1c6adc6f6197eed25922eb2e7c2c03d57
Instruction ID: 7feaee0e9849d268dc914cd7ef4ceb7f52a420106b3ff07f1aa9961993922fe8
Opcode Fuzzy Hash: e59eb52ad6400f8b7817ae8e3a6c77c1c6adc6f6197eed25922eb2e7c2c03d57
Instruction Fuzzy Hash: 54516AB4D0020D9FCB40DFA8D5919EEBBF4EB09350F24946AE815FB351E734AA41CB66

Function 00461EB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2d0641aae40754c7c0dc470fa683dddda46619953fec595aac3d9bd4eaeca8
Instruction ID: 8888d658576a148269e10a4d816c39d56bb3600280cac021b83b8dd10db3d999
Opcode Fuzzy Hash: 1a2d0641aae40754c7c0dc470fa683dddda46619953fec595aac3d9bd4eaeca8
Instruction Fuzzy Hash: 4ED0923A645A58EFC210CF49E440D41F7B8FB9E770B158166EA0893B20D331FC11CAE0

Function 0048E852 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0530FDE8,0530FDE8,00000000,7FFFFFFF,?,0048E83D,0530FDE8,0530FDE8,00000000,0530FDE8,?,?,?,?,0530FDE8,00000000), ref: 0048E8F8
__alloca_probe_16.LIBCMT ref: 0048E9B3
__alloca_probe_16.LIBCMT ref: 0048EA42
__freea.LIBCMT ref: 0048EA8D
__freea.LIBCMT ref: 0048EA93
__freea.LIBCMT ref: 0048EAC9
__freea.LIBCMT ref: 0048EACF
__freea.LIBCMT ref: 0048EADF

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 5d079f3a0f120612a4b39ee8805f931088e085cf2b0bbd6b5949233b26ebe8cb
Instruction ID: 514ac8a8ae6ed43301b11424f8748bebaffbafa5a3b3df7ed6750b7ec8ae3818
Opcode Fuzzy Hash: 5d079f3a0f120612a4b39ee8805f931088e085cf2b0bbd6b5949233b26ebe8cb
Instruction Fuzzy Hash: 05710572A0020AAFDF25BE968C41BFF7BA9AF45714F14481BF918A7291D77CDC008759

Function 00474AB9 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00474B00
__alloca_probe_16.LIBCMT ref: 00474B2C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00474B6B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00474B88
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00474BC7
__alloca_probe_16.LIBCMT ref: 00474BE4
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00474C26
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00474C49

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 04e290932a72335545f531e4c46e573a1d52eb874991a3ab05cebbd56f972f04
Instruction ID: 78ed50d16b258ef44775443073c2deb70748d041dd079f45e3940c1426cdf263
Opcode Fuzzy Hash: 04e290932a72335545f531e4c46e573a1d52eb874991a3ab05cebbd56f972f04
Instruction Fuzzy Hash: 0651B132501205AFEB214F51CC45FFB7BA9EF84744F26842AF929E62A0D738DD10CB59

Function 00482D36 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00482DBC

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 397bbcb3882a010d45e2357f2cccbd5be2c1488f20f2fd85135c7354d530a15f
Instruction ID: c7df4791038212c631555be4a7d537cb5c4f8394ab80ed6bbf8ffa5013196a4b
Opcode Fuzzy Hash: 397bbcb3882a010d45e2357f2cccbd5be2c1488f20f2fd85135c7354d530a15f
Instruction Fuzzy Hash: F6B179329002559FDB15EF28CD81BAF7BB5EF16710F14495BEA04AB382D3B8D901C7A8

Function 0047F4CE Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0047F5ED
CallUnexpected.LIBVCRUNTIME ref: 0047F866

Strings

csm, xrefs: 0047F624
csm, xrefs: 0047F578
csm, xrefs: 0047F50B
`"I, xrefs: 0047F5E4

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: `"I$csm$csm$csm
API String ID: 2673424686-1829692350
Opcode ID: 4dc3065a9f2f154b66881a59ab067632fc5bdc7e414211e13071cca02187add1
Instruction ID: f6d201c427f41c25f7798adb8bda382950e6fd65d97688518e47a766c16d256e
Opcode Fuzzy Hash: 4dc3065a9f2f154b66881a59ab067632fc5bdc7e414211e13071cca02187add1
Instruction Fuzzy Hash: 99B18D71800209EFCF29DFA5C8819EEB7B5BF14314F14856BE8086B312D738DA55CB9A

Function 00475990 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004759C7
___except_validate_context_record.LIBVCRUNTIME ref: 004759CF
_ValidateLocalCookies.LIBCMT ref: 00475A58
__IsNonwritableInCurrentImage.LIBCMT ref: 00475A83
_ValidateLocalCookies.LIBCMT ref: 00475AD8

Strings

csm, xrefs: 00475A6D

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 96c70170e1d8e9565c949956ace8d9c705c77c18598b86ab243dcda35f9b9142
Instruction ID: 1332768071e8981ef83c35b11e4b5d5f26ff61ea5f53caeda09b1e21ac866cbe
Opcode Fuzzy Hash: 96c70170e1d8e9565c949956ace8d9c705c77c18598b86ab243dcda35f9b9142
Instruction Fuzzy Hash: 2D41C734A006089BCF10DF69C885ADE7BA1EF44328F14C17BE91C9F352D779AA15CB99

Function 00480DC2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,B2B73640,?,00480ED1,00462FE2,?,00000000,?), ref: 00480E83

Strings

api-ms-, xrefs: 00480E19
ext-ms-, xrefs: 00480E2D

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e8212342eb35d198054cbbaaa6819bb5c876131257c2e96914376526c1b047b2
Instruction ID: 36d43305fd9d1d73ea3b817c61be023bccb8260d83ade7e5dcd050f44426acca
Opcode Fuzzy Hash: e8212342eb35d198054cbbaaa6819bb5c876131257c2e96914376526c1b047b2
Instruction Fuzzy Hash: DB213671A11211ABDB22AB64EC40A6F3B59EB527A0F240D32ED16A7390D738ED04C7DC

Function 00474CD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00474CD6
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00474CE4
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00474CF5

Strings

kernel32.dll, xrefs: 00474CD1
GetSystemTimePreciseAsFileTime, xrefs: 00474CDE
GetTempPath2W, xrefs: 00474CEA

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 22346156ea3fcc3c2fc1e2b9c540bc29275161547c970e195dd077da8520e779
Instruction ID: 6ba22c73084d71e7f37013d7c5e9071b1cd49072318883d22e2cb6e44ea8fac3
Opcode Fuzzy Hash: 22346156ea3fcc3c2fc1e2b9c540bc29275161547c970e195dd077da8520e779
Instruction Fuzzy Hash: 17D0A932916220AF8B00AFF0BE0C88B3FA4EA563003100933FC00E2220D67C0410CFDE

Function 004889DE Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370b8381aaa3d1c29f95e1177f72e3cad8427870867510f9e59b2dd894497d39
Instruction ID: 1f984f35ecbf388141105f3f61d416ef64466d7517e932690e4f4848bc9f2438
Opcode Fuzzy Hash: 370b8381aaa3d1c29f95e1177f72e3cad8427870867510f9e59b2dd894497d39
Instruction Fuzzy Hash: F5B12670A042099FDB11EF98D881BAE7BF1FF56314F94456FE4049B392CB789942CB68

Function 0047EC4C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0047EC43,004753B0,00471C5F,B2B73640,?,?,?,?,0048FDEA,000000FF,?,00468CA5), ref: 0047EC5A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0047EC68
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0047EC81
SetLastError.KERNEL32(00000000,?,0047EC43,004753B0,00471C5F,B2B73640,?,?,?,?,0048FDEA,000000FF,?,00468CA5), ref: 0047ECD3

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 11fe9de099d3085d0381037852ac39ff6aad521f11d4b4899716fb84cd890e12
Instruction ID: 59dd23cf258c11035179bd0b32fd97f4d30fdb5ecd975daba884df92ba577c60
Opcode Fuzzy Hash: 11fe9de099d3085d0381037852ac39ff6aad521f11d4b4899716fb84cd890e12
Instruction Fuzzy Hash: ED019C361093123EB22627B37C8A6AB2B84DB143BC320433FF118852F1EF594C14D24D

Function 00479FF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B2B73640,?,?,00000000,0048FCB4,000000FF,?,0047A0B9,00479FA0,?,0047A155,00000000), ref: 0047A02D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0047A03F
FreeLibrary.KERNEL32(00000000,?,?,00000000,0048FCB4,000000FF,?,0047A0B9,00479FA0,?,0047A155,00000000), ref: 0047A061

Strings

mscoree.dll, xrefs: 0047A026
CorExitProcess, xrefs: 0047A037

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: acc42d15261f4f30ab0b4ca7c164af5e11bd8ca8f6fecb9ed7e611ff51d84a6b
Instruction ID: 16d4e18be0fdc1df2ed005c610e3729be472cfd9b2e79e89f55c66d7a5b45425
Opcode Fuzzy Hash: acc42d15261f4f30ab0b4ca7c164af5e11bd8ca8f6fecb9ed7e611ff51d84a6b
Instruction Fuzzy Hash: C601F731904654AFDB118F40DC09FAE7BB8FB44715F040537E811A26D0DB789914CB89

Function 004815AA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0048162F
__alloca_probe_16.LIBCMT ref: 004816F8
__freea.LIBCMT ref: 0048175F

Part of subcall function 0047FE71: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00470E1D,?,?,00462FE2,00001000,?,00462F2A), ref: 0047FEA3

__freea.LIBCMT ref: 00481772
__freea.LIBCMT ref: 0048177F

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 97af34fe277b096ec0d15cdcdd08fa12240162fcd5ccaa91f8d0a223484800cf
Instruction ID: 40e00e049ea0c38178c0aca27db3a7a1072ef24b1a7ae431ae712393a91001e1
Opcode Fuzzy Hash: 97af34fe277b096ec0d15cdcdd08fa12240162fcd5ccaa91f8d0a223484800cf
Instruction Fuzzy Hash: 2C51A576600206AFDB206FA58C81EBF36ADDF48754F15492FFD08D6261EB78CC129768

Function 00473D8E Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00473DA2
AcquireSRWLockExclusive.KERNEL32(?,?,?,0046B05E), ref: 00473DC1
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0046B05E), ref: 00473DEF
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0046B05E), ref: 00473E4A
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0046B05E), ref: 00473E61

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 093d1a4bb5785eb14d7977451c11d437638c503a407a873d483ecd8fefecc182
Instruction ID: 6b76542197d854345502a8b5f932d0110d1842773161e181bd86fed47ce0d66a
Opcode Fuzzy Hash: 093d1a4bb5785eb14d7977451c11d437638c503a407a873d483ecd8fefecc182
Instruction Fuzzy Hash: 3A413A31900606DFCB20DF65C4849EAB3F5FF08316B50892FE45AD7640D738EA85EB99

Function 004714F2 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004714F9
std::_Lockit::_Lockit.LIBCPMT ref: 00471504
std::_Lockit::~_Lockit.LIBCPMT ref: 00471572

Part of subcall function 004713FA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00471412

std::locale::_Setgloballocale.LIBCPMT ref: 0047151F
_Yarn.LIBCPMT ref: 00471535

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 3b644496f4ce84cb6f430c8d0800ef9197917c94303848d49f9a2c007dd9d0ec
Instruction ID: 886af7eab66c30e52a4713a50e643e639d0da83c18c459bb7a8892db38ae0e96
Opcode Fuzzy Hash: 3b644496f4ce84cb6f430c8d0800ef9197917c94303848d49f9a2c007dd9d0ec
Instruction Fuzzy Hash: 64019E756001109BD70AEB64C8515BD3B71FFD5744B14806FE81A173A1CF3CAA02CBC9

Function 0048A651 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0048A6ED,?,?,00000000,?,?,?,0048A5AB,00000002,FlsGetValue,00494D24,00494D2C), ref: 0048A65E
GetLastError.KERNEL32(?,0048A6ED,?,?,00000000,?,?,?,0048A5AB,00000002,FlsGetValue,00494D24,00494D2C,?,?,0047EC6D), ref: 0048A668
LoadLibraryExW.KERNEL32(?,00000000,00000000,000000FF,?,00468CA5), ref: 0048A690

Strings

api-ms-, xrefs: 0048A675

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 960c5822247564acefca1d956be8df843c529650331284eca4c169f71c0049ba
Instruction ID: b2ceef518ac73e9935259e264647ca36b66c89a0d4030159997e398e163e1333
Opcode Fuzzy Hash: 960c5822247564acefca1d956be8df843c529650331284eca4c169f71c0049ba
Instruction Fuzzy Hash: 4FE01230680305B7EF126B51DD06B5D3B55AB20B45F184433F94DA85E0E7A99820D68E

Function 00487DAE Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(B2B73640,00000000,00000000,?), ref: 00487E11

Part of subcall function 0047FF81: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00481755,?,00000000,-00000008), ref: 0047FFE2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00488063
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004880A9
GetLastError.KERNEL32 ref: 0048814C

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 920f1b6de1349c09c7bc70420fa06fe93c1e868a8b58bf7e5caccd091d941c08
Instruction ID: 4a70dfe94f5d4ab7b589917ca4355a83287c6b49e616c188be207eb1c4179de9
Opcode Fuzzy Hash: 920f1b6de1349c09c7bc70420fa06fe93c1e868a8b58bf7e5caccd091d941c08
Instruction Fuzzy Hash: C4D1BCB5D002489FCF05DFA8C8849EEBBB5FF09314F28496EE815EB351DA34A906CB54

Function 0047F1F5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0047F2BC
___AdjustPointer.LIBCMT ref: 0047F2DF
___AdjustPointer.LIBCMT ref: 0047F37B

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 4466e4e9fbba66032d55ef36e6f758c46347b4b3621a95eb6eb9a430a1f65d8d
Instruction ID: 2981e06f06e01416aff5560c17366dc2ee8273c02f5dbf7de14d817ccc95a38d
Opcode Fuzzy Hash: 4466e4e9fbba66032d55ef36e6f758c46347b4b3621a95eb6eb9a430a1f65d8d
Instruction Fuzzy Hash: B851EE766016029FDB288F55D841BFA77A5EF00714F20843FEC0A876A1E739EC59CB98

Function 00485BD6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0047FF81: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00481755,?,00000000,-00000008), ref: 0047FFE2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00485C3A
__dosmaperr.LIBCMT ref: 00485C41
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00485C7B
__dosmaperr.LIBCMT ref: 00485C82

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 9aaf6ce550409b7ceb9bc536848c2cc3f178fd1d57edb8d6b0cf75e5f425384e
Instruction ID: 1c7d3bafe9134c4956ddb9cb24e40d3fc87f25af1700e9a32dde0a43cc0442f4
Opcode Fuzzy Hash: 9aaf6ce550409b7ceb9bc536848c2cc3f178fd1d57edb8d6b0cf75e5f425384e
Instruction Fuzzy Hash: 2C21B331600B05AFCB21BF62C88186FB7A9EF04368750892FF81997211E738EC008F98

Function 004777F2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d45714b182ada366aa847ebcd22b2328f3bad556fc9c73df54356351a60a69
Instruction ID: d01051a426395d346bcf047f205c5949f021cc6bd0ba93e158772e4837181105
Opcode Fuzzy Hash: 84d45714b182ada366aa847ebcd22b2328f3bad556fc9c73df54356351a60a69
Instruction Fuzzy Hash: 9B219571608105AF9B20BF66CC859EB7769EF00368791C53BF81D97251D738EC10C7AA

Function 004737D1 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004737D8
std::_Lockit::_Lockit.LIBCPMT ref: 004737E2

Part of subcall function 00465DC0: std::_Lockit::_Lockit.LIBCPMT ref: 00465DEE
Part of subcall function 00465DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00465E19

codecvt.LIBCPMT ref: 0047381C
std::_Lockit::~_Lockit.LIBCPMT ref: 00473853

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 9c54cf91d1604223267b429a23b9d1d04d703e1c00f946324b1e88988d835ca7
Instruction ID: bc3e4d8177cfa2f177da6163c92084a83f621eff51ed223e43e1e49ce957fcbb
Opcode Fuzzy Hash: 9c54cf91d1604223267b429a23b9d1d04d703e1c00f946324b1e88988d835ca7
Instruction Fuzzy Hash: 5D01AD719001158BCB05FFA9C8016FE77B5AF84718F25852FF518AB291DF3C9E008B9A

Function 0048EB10 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000), ref: 0048EB27
GetLastError.KERNEL32(?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000,?,?,?,00487AE6,?), ref: 0048EB33

Part of subcall function 0048EB90: CloseHandle.KERNEL32(FFFFFFFE,0048EB43,?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000,?,?), ref: 0048EBA0

___initconout.LIBCMT ref: 0048EB43

Part of subcall function 0048EB65: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0048EB01,0048DFEC,?,?,004881A0,?,00000000,00000000,?), ref: 0048EB78

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000,?), ref: 0048EB58

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c50493373d809740e86fc7daed15e8c8413071190d449f5024daf7c1fdba9a3a
Instruction ID: 95e1d25086ca4366e68c0aefbcc7b2efe4959b84ad915138c6e42883d7f93166
Opcode Fuzzy Hash: c50493373d809740e86fc7daed15e8c8413071190d449f5024daf7c1fdba9a3a
Instruction Fuzzy Hash: 84F0AC36901218BBCF226F96DC18A9E3F26FF593A1F044875FA1995130DA369C209B99

Function 00484786 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0047A609,?,?,?,00000055,?,-00000050,?,?,?), ref: 00484845
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0047A609,?,?,?,00000055,?,-00000050,?,?), ref: 0048487C

Strings

utf8, xrefs: 0048494E

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: fea9db78eb20ff9c93ab1f99367222ad732be777246f3eaeea49bc6129915368
Instruction ID: 6ff0882bf9fdabbdbd879d6b99111c800b0cf7711d5421d0b330729b63d8b50a
Opcode Fuzzy Hash: fea9db78eb20ff9c93ab1f99367222ad732be777246f3eaeea49bc6129915368
Instruction Fuzzy Hash: D351D475600203AAEB34BB758C42BAF72A8EF85708F144C6BF54597681E77CA94087AD

Function 0047F8F2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0047F7F3,?,?,00000000,00000000,00000000,?), ref: 0047F917

Strings

MOC, xrefs: 0047F929
RCC, xrefs: 0047F931

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dee9e6f8dd43cecb3157927e4654ed4217e8bbf12bbc1fb04cf4456b6861f196
Instruction ID: aacf273ad87053037eee0f2ee250b5e80262e1190cfb0c3cdc9ac514a4bce3ea
Opcode Fuzzy Hash: dee9e6f8dd43cecb3157927e4654ed4217e8bbf12bbc1fb04cf4456b6861f196
Instruction Fuzzy Hash: 0A41ABB1900209AFCF15DF94DC81AEE7BB5FF48304F15806AFA08B7221D339A950CB59

Function 0047F15E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0047F3D5

Strings

csm, xrefs: 0047F3F7
csm, xrefs: 0047F468

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d0fea16c148da2cadb171b8f73f2d37b948b8aa6c9779ccdb1a4bf7152c5118c
Instruction ID: 60677309b4fc16b3834f9c6225f215a1cde70afc6965e1d60a44056a252290d8
Opcode Fuzzy Hash: d0fea16c148da2cadb171b8f73f2d37b948b8aa6c9779ccdb1a4bf7152c5118c
Instruction Fuzzy Hash: 2031C232400215EBCF228F51CC048EB7B66FF29319B14C67BF81C49211D33AC869DB99

Function 00471D11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00471D99
RaiseException.KERNEL32(?,?,?,?), ref: 00471DBE

Part of subcall function 0047525C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00473FDE,?,?,?,?,00473FDE,00001000,0049B2BC,00001000), ref: 004752BD

Part of subcall function 0047CD83: IsProcessorFeaturePresent.KERNEL32(00000017,004783BB,?,?,?,?,00000000), ref: 0047CD9F

Strings

csm, xrefs: 00471D4D

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 9eef2f0c134669b773d39c679938e7ae40b69b18df880f6a308c6cb6c6fbbdcf
Instruction ID: be991f43a420c5592aff97262dd595ce69d1d1b643fb711ae5d7decef8c5de3d
Opcode Fuzzy Hash: 9eef2f0c134669b773d39c679938e7ae40b69b18df880f6a308c6cb6c6fbbdcf
Instruction Fuzzy Hash: 9F218131D00218ABCF34DF99D945AEEB7B8EF44714F14841BE409AB260C678BD45CF85

Function 00465DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00465DEE
std::_Lockit::~_Lockit.LIBCPMT ref: 00465E19

Strings

w[F, xrefs: 00465E26

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: w[F
API String ID: 593203224-1745864701
Opcode ID: 0721264bb60172618612339f82ff54d9911fea4deff55412a148dd09ff1afd1c
Instruction ID: 2ba5543698f4c01052013386e6ab57fef9ff92b828f869d9783392d96aefa015
Opcode Fuzzy Hash: 0721264bb60172618612339f82ff54d9911fea4deff55412a148dd09ff1afd1c
Instruction Fuzzy Hash: 1301BB70D00209DFCB04EFA9D9516ADBBF0FF19304F8144AAE419AB351D7346A54CF59

Function 00471315 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 00471335
_Yarn.LIBCPMT ref: 00471359

Strings

TxI, xrefs: 0047134D

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Yarn
String ID: TxI
API String ID: 1767336200-2081576372
Opcode ID: b476040c40a781fb827166763c821fb1797744a10057ea5bab1f7ed9e6851386
Instruction ID: e05c81b54f001cc6b236831335a6d58b07ab347759fc55da3a9ac188726136ed
Opcode Fuzzy Hash: b476040c40a781fb827166763c821fb1797744a10057ea5bab1f7ed9e6851386
Instruction Fuzzy Hash: 53E0652230C2006BFB18A6769C52BF637ECCF00760F10812FFD0E9A5E1ED54AD048558

Function 00474D04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00473E18,?,?,?,?,?,0046B05E), ref: 00474D3C
GetSystemTimeAsFileTime.KERNEL32(?,B2B73640,?,?,0048FC97,000000FF,?,00474A44,?,00000000,00000000,?,00474A68,?,?), ref: 00474D40

Strings

hJG, xrefs: 00474D1E

Memory Dump Source

Source File: 00000000.00000002.2476451677.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.2476435687.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476476863.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476492994.000000000049E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476506767.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476523962.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2476541218.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_Solara-3.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: hJG
API String ID: 743729956-1537945654
Opcode ID: bbe9e5a5df12216d71c0e25d4241c66b9a03cbfe99379c26a6a673881bed681e
Instruction ID: 5429a7f12fe1feb0f2d0e6cfbffa728b47f69a0c6e20b7189e5264e0f0a1f5cc
Opcode Fuzzy Hash: bbe9e5a5df12216d71c0e25d4241c66b9a03cbfe99379c26a6a673881bed681e
Instruction Fuzzy Hash: 75F06572A04554EFC712DF88DC41B99BBA8FB49B20F004577EC1297B90DB38A900CBC9

Analysis Process: Solara-3.0.exePID: 4956, Parent PID: 6464COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	46
Total number of Limit Nodes:	3

Executed Functions

Function 00408670 Relevance: 7.7, APIs: 5, Instructions: 158
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408694
GetCurrentThreadId.KERNEL32 ref: 0040869E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040874F
GetForegroundWindow.USER32 ref: 0040879F
ExitProcess.KERNEL32 ref: 0040883E

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 5bfbe708327a0cb701dbf289fec03dfc62ffc9644adbd3d25260311262243691
Instruction ID: a6503bfe3380c7a8ec2fce80827862d4b26169df404f7c42eda5d9def2b2b7a0
Opcode Fuzzy Hash: 5bfbe708327a0cb701dbf289fec03dfc62ffc9644adbd3d25260311262243691
Instruction Fuzzy Hash: 2A41167BB443181BD308BEBA8C9536AB5C39BC4721F4A813D6AC9D73C5EDB89C0582C4

Function 00439A00 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043B590), ref: 00439A10

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 402fc6cf5d1c5a201b510305a887167e1b08352fe04d1f369358f7f374e867b0
Instruction ID: 395b0f336a78a0bba96cafbddce246f19caea58ddd2fa5dc170b39a43d574376
Opcode Fuzzy Hash: 402fc6cf5d1c5a201b510305a887167e1b08352fe04d1f369358f7f374e867b0
Instruction Fuzzy Hash: 72C01230854220ABC6146F01ED04BAABB78AF0B202F102068B00C731B28664EC40CB8C

Function 0040B922 Relevance: 1.3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\^, xrefs: 0040B97A

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: \^
API String ID: 0-805220809
Opcode ID: 2f574424f30827375d814337880c4d9d08d207a2902b047aebd771ebb3fb6196
Instruction ID: 2744f8bc7bda742b9e56fb6149aa7593b5bbc257c1365c2e4a9e0d9a675608c9
Opcode Fuzzy Hash: 2f574424f30827375d814337880c4d9d08d207a2902b047aebd771ebb3fb6196
Instruction Fuzzy Hash: 9321D276E402658BD700CF68C880BAAB7F1FB8A310F298168D685B7385D774AC01CB98

Function 0040C826 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C82A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C979

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7765adba37b6499dc7af11065cade67025a26b0c7cd3a749fee4313c04ef5b81
Instruction ID: 727511e10b6e5284c07e0b12f846379c878a1b7e8ba355e31a7e06fc829d2f3e
Opcode Fuzzy Hash: 7765adba37b6499dc7af11065cade67025a26b0c7cd3a749fee4313c04ef5b81
Instruction Fuzzy Hash: 8E41B7B4910B40AFD370AF39990B7127EB4AB06250F504B2DF9EA866D4E631A4198BD7

Function 0040D171 Relevance: 2.5, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040D171
CoUninitialize.COMBASE ref: 0040D180

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 5baa6f104fb0cff508a9bc216e9be2ce62b3b69d1896aa51bf88b7f91f9c93da
Instruction ID: 07ee8aeafc121675d0124c8cc06933021ebefaf5eb8f9d3e6f6d2c3ad5eac7dd
Opcode Fuzzy Hash: 5baa6f104fb0cff508a9bc216e9be2ce62b3b69d1896aa51bf88b7f91f9c93da
Instruction Fuzzy Hash: EDD0C97DE601019FC78C8F78DD9855637A2EFCB3563089938AA46C3368DF306458CA08

Function 00435544 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00435569

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: f1dbdcbfd71bfc5e32260edfabb73e41e302e69ab44fa3f411a46c79733db4b1
Instruction ID: 00de5173a8b2fb6db790855793a38ec94ce2bc654d7f2b5ebe0b97332c113854
Opcode Fuzzy Hash: f1dbdcbfd71bfc5e32260edfabb73e41e302e69ab44fa3f411a46c79733db4b1
Instruction Fuzzy Hash: 23113B36A45B928FD7148B38CC40349BF62AB8A320F1983EDC495973D6CA78A9458B90

Function 0040C9B5 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C9C7

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4b7abb3418b7acc3d69405b5f51047ff1cce37fd7654a1faa2ffa6ac682c9ad3
Instruction ID: fecb418b5a137889ec4ff072581fea2dc22117615a9020ee7ae24d68bceeb2a7
Opcode Fuzzy Hash: 4b7abb3418b7acc3d69405b5f51047ff1cce37fd7654a1faa2ffa6ac682c9ad3
Instruction Fuzzy Hash: 2BD092783C82807AE1648B08AD27F103650A302F15F740624B3A3EE6E0C9E071118A0C

Function 0043B5B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043D73E,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B5DE

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00439A42 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00439A5D

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1e8a12ecc0ec74503156943aa24190f1bf3d4cf0ee2cd6251b1bd899a8210b6e
Instruction ID: a061392a7123c0ee01ffe2c380486857b81dc8fb030643ad4cdda46576bdbd59
Opcode Fuzzy Hash: 1e8a12ecc0ec74503156943aa24190f1bf3d4cf0ee2cd6251b1bd899a8210b6e
Instruction Fuzzy Hash: D7C08C32016536EBCA602F18BC06BDA3B119F05322F0308A1F148AC0B6D73CCCA1CAC8

Non-executed Functions

Function 00427670 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 275COMMON

Download Yara Rule

Strings

h.h , xrefs: 00427D76
ef, xrefs: 00427E2D
l6iH, xrefs: 00427DA9
KM, xrefs: 00427EEF
x"p$, xrefs: 00427D7E
0R/T, xrefs: 00427DF6
P:W<, xrefs: 00427D8E
r2k4, xrefs: 00427D9E
GI, xrefs: 00427EE7
`>~0, xrefs: 00427D96
#V2h, xrefs: 00427E01
q&u8, xrefs: 00427D86
E*y,, xrefs: 00427E3C

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: #V2h$0R/T$E*y,$P:W<$`>~0$ef$h.h $l6iH$q&u8$r2k4$x"p$$GI$KM
API String ID: 0-2276481665
Opcode ID: 6e6ed5d2a495b238406967454973ebc0c7f77eaf9dac3f24e7fc914acf71265d
Instruction ID: 780a017787e81e2f38f99eaa91cdafd001567878a6f416ff0574b80ca07e1898
Opcode Fuzzy Hash: 6e6ed5d2a495b238406967454973ebc0c7f77eaf9dac3f24e7fc914acf71265d
Instruction Fuzzy Hash: B691BBB860C3948BC7209F25E842B9BBBF1EFC2304F45881DE5C48B351EB798505CB9A

Function 00432950 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 141COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00432999
GetSystemMetrics.USER32 ref: 004329A9

Strings

j.C, xrefs: 00432B90
j.C, xrefs: 00432B43
j.C, xrefs: 00432B6F
j.C, xrefs: 00432B38
j.C, xrefs: 00432B64
j.C, xrefs: 00432BBC
j.C, xrefs: 00432B4E
j.C, xrefs: 00432BB1
, xrefs: 00432A96
j.C, xrefs: 00432B9B
U0C, xrefs: 00432B59
Z1C, xrefs: 00432B17

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: $U0C$Z1C$j.C$j.C$j.C$j.C$j.C$j.C$j.C$j.C$j.C
API String ID: 4116985748-2988854775
Opcode ID: 353fe973c3a1486b806f95b5cc3d6fb9d301e47eb9e90744b0eaa416cb23db96
Instruction ID: 8c39fc6185095839878568dd2e50c51d2286f1c6d63ee74b32aab8abd99b703c
Opcode Fuzzy Hash: 353fe973c3a1486b806f95b5cc3d6fb9d301e47eb9e90744b0eaa416cb23db96
Instruction Fuzzy Hash: 9D817DB45097809FE760DF69D58878ABBF1BBC5308F01892EE5988B350D7B99448CF87

Function 00436B50 Relevance: 23.5, APIs: 10, Strings: 3, Instructions: 761memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C,00000000), ref: 00436DB8
SysAllocString.OLEAUT32(58984697), ref: 00436E64
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436EA2
SysAllocString.OLEAUT32(C412C216), ref: 00436EF6
SysAllocString.OLEAUT32(26E024D0), ref: 00436FB1
VariantInit.OLEAUT32(1807061D), ref: 00437020
SysFreeString.OLEAUT32(DA1CD8DB), ref: 004372E2
SysFreeString.OLEAUT32(?), ref: 004372EB
SysFreeString.OLEAUT32(00000000), ref: 004372FC

Strings

56, xrefs: 0043705E
)*, xrefs: 00436DEE
&, xrefs: 00436C71

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: )*$56$&
API String ID: 2737081056-3848306231
Opcode ID: d149579753b1232e43186927cdae30b83f1da023f04143cc3743191c2436012a
Instruction ID: fd6d09a7b704674ae43d203ed7c8d54446e10283c5f41fd53495f75dcb8e93b3
Opcode Fuzzy Hash: d149579753b1232e43186927cdae30b83f1da023f04143cc3743191c2436012a
Instruction Fuzzy Hash: 7A320272A083419BD324CF64C88175BBBE1FBC9314F18992EE9D49B381D778D906CB96

Function 004327A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004327B0
GetClipboardData.USER32 ref: 004327CB
GlobalLock.KERNEL32 ref: 004327EA
GlobalUnlock.KERNEL32 ref: 00432928
CloseClipboard.USER32 ref: 00432931

Strings

+, xrefs: 0043285F

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: +
API String ID: 1006321803-2126386893
Opcode ID: c2bc0f77722d981547d870f6811704fe3d6958b5af3f2db60336899ae8c712f2
Instruction ID: 476c456fba629d78b9980f419dd5c02f4fd3517490d23e100e2c4b500bece8f2
Opcode Fuzzy Hash: c2bc0f77722d981547d870f6811704fe3d6958b5af3f2db60336899ae8c712f2
Instruction Fuzzy Hash: 0A41AFB160C3818ED305BFB8998935FBFE0AB96304F09493DE5C586382D6BC85499757

Function 00423A00 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

+,, xrefs: 00423F23
z{, xrefs: 00423A45
JJ, xrefs: 00423D69
'\, xrefs: 00423D79
RT, xrefs: 0042401E

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: '\$+,$JJ$z{$RT
API String ID: 0-1188437889
Opcode ID: e34c7b2f784e973b4114e79cc23b72f79aed382bebb493cb11dd8bfc7ebddd62
Instruction ID: 9d2a1dfb916de0fae9aa621c205d0b7af8858be4d3530f0e5b7c03865cfeaf13
Opcode Fuzzy Hash: e34c7b2f784e973b4114e79cc23b72f79aed382bebb493cb11dd8bfc7ebddd62
Instruction Fuzzy Hash: 1D0210B16083508FD310DF65E89126BBBF1FFC6304F45892DE5968B391E7B89905CB86

Function 0041E870 Relevance: 10.9, Strings: 8, Instructions: 907COMMON

Download Yara Rule

Strings

), xrefs: 0041EA95
!2:*, xrefs: 0041EC5A
}, xrefs: 0041F242
EFp%, xrefs: 0041EAE0
FF, xrefs: 0041F23B
PP-*, xrefs: 0041EC7B
-, xrefs: 0041EFA4
5878, xrefs: 0041EC65

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: !2:*$)$-$5878$EFp%$FF$PP-*$}
API String ID: 0-1482250269
Opcode ID: 93df3b71d546657d77df814c8683c76c90718c7b39af5dcde610a54014c3d73f
Instruction ID: 5812f2dd7598798cbae75b9c3662e2b5ca4c3c40be126637eafa488102205352
Opcode Fuzzy Hash: 93df3b71d546657d77df814c8683c76c90718c7b39af5dcde610a54014c3d73f
Instruction Fuzzy Hash: FA525A7550C3808FC725CF25C8806AFBBE2AFD5304F08856EE8D59B392D739984ACB56

Function 0042D244 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 280libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(9F2D9D29,00000000,00000800), ref: 0042D6AC

Strings

7, xrefs: 0042D5A4
OZlk, xrefs: 0042D42B
8, xrefs: 0042D4FE
pq, xrefs: 0042D64E
EmQu, xrefs: 0042D5E1

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 7$8$EmQu$OZlk$pq
API String ID: 1029625771-859822191
Opcode ID: f9d2c6676e9e32cbb107e93ef4772e448567a4395860b090061fe488df4ceea2
Instruction ID: 24025dad07aa2a3ca97d262b7fb539f9ee134491b2aa71b72801e24b1df3a3ce
Opcode Fuzzy Hash: f9d2c6676e9e32cbb107e93ef4772e448567a4395860b090061fe488df4ceea2
Instruction Fuzzy Hash: 6A81497060C3E14BE3288B3994617ABBBD0DF93314F68896DD4C98B382DA7D544AC756

Function 0042D2CF Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 278COMMON

Download Yara Rule

Strings

7, xrefs: 0042D5A4
OZlk, xrefs: 0042D42B
8, xrefs: 0042D4FE
pq, xrefs: 0042D64E
EmQu, xrefs: 0042D5E1

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: 7$8$EmQu$OZlk$pq
API String ID: 0-859822191
Opcode ID: 9e47ab4d9dd5a1ebca3a84546f3287363f2049c1cf20c51355940dd8404de833
Instruction ID: cd72c2c45a09a2ec82cbc76e776fa6405f8cfb43a49df63a8af891f1abe1c393
Opcode Fuzzy Hash: 9e47ab4d9dd5a1ebca3a84546f3287363f2049c1cf20c51355940dd8404de833
Instruction Fuzzy Hash: 02814970A0C3E14BE3288B3994617ABBBD0DF93314F68896DD4C98B382DB7D544AC756

Function 0042D333 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 277COMMON

Download Yara Rule

Strings

7, xrefs: 0042D5A4
OZlk, xrefs: 0042D42B
8, xrefs: 0042D4FE
pq, xrefs: 0042D64E
EmQu, xrefs: 0042D5E1

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: 7$8$EmQu$OZlk$pq
API String ID: 0-859822191
Opcode ID: dc80c8ebe53daede23a5e1addea4de19aebea911302de76520ca066ea027ef7c
Instruction ID: e66ce5c70fa3e86033a0ae982dcb23788eb32e0ecaa5aa88eec7c8ee3f82187e
Opcode Fuzzy Hash: dc80c8ebe53daede23a5e1addea4de19aebea911302de76520ca066ea027ef7c
Instruction Fuzzy Hash: 74815970A0C3D18BE3288B3994617ABBBD0DF93304F68896DD0C98B382DB7D544AC756

Function 004093C0 Relevance: 10.4, Strings: 8, Instructions: 370COMMON

Download Yara Rule

Strings

yp, xrefs: 004096AF
Qv, xrefs: 004096A7
}J~u, xrefs: 004095A5
m~qF, xrefs: 0040957A
"#, xrefs: 004097B3
2E, xrefs: 004096B7
Bq, xrefs: 004096BF
~, xrefs: 00409618

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: "#$2E$Bq$Qv$m~qF$yp$}J~u$~
API String ID: 0-2573105590
Opcode ID: df35beb64d44aad450dd72916ac0e565df41af8c67a97be6b14bdda4c28fc84d
Instruction ID: 1142eb1b768d3fa1f0e1265e6f3b62c2c68fcfa557b2a6a3555796c4232fb333
Opcode Fuzzy Hash: df35beb64d44aad450dd72916ac0e565df41af8c67a97be6b14bdda4c28fc84d
Instruction Fuzzy Hash: 39B1447160C7408BD714DF24C891AABBBE1EBC2318F14496DE5D58B392DB3DD90ACB4A

Function 0041CC00 Relevance: 9.4, Strings: 7, Instructions: 625COMMON

Download Yara Rule

Strings

d}, xrefs: 0041CF17
rs, xrefs: 0041CEAC
f, xrefs: 0041CF27
7(, xrefs: 0041CDE2
;<, xrefs: 0041CCDF
twia, xrefs: 0041CC03
p c", xrefs: 0041D242

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: 7($;<$d}$f$p c"$rs$twia
API String ID: 0-3111116717
Opcode ID: 98488ed3d2c58bb1f59d407d8c644808b8538398a2f0f1154756ecc029c661b5
Instruction ID: c2b78266222b9b02ad7c85c86d829018b2d9ac9537a64c768cfac456271a5827
Opcode Fuzzy Hash: 98488ed3d2c58bb1f59d407d8c644808b8538398a2f0f1154756ecc029c661b5
Instruction Fuzzy Hash: 601200B650C3108BC708DF65D8916ABF7E2EF95314F08892DF4C68B391E638D549CB9A

Function 00429AF0 Relevance: 9.4, Strings: 7, Instructions: 608COMMON

Download Yara Rule

Strings

HJ@[, xrefs: 0042A0FC
Dk, xrefs: 0042A104
"-03, xrefs: 00429EA8, 00429EAC
gfff, xrefs: 0042A004
`a, xrefs: 00429BB6
3)K, xrefs: 0042A0EC
[c[X, xrefs: 0042A0F4

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: "-03$Dk$HJ@[$[c[X$`a$gfff$3)K
API String ID: 0-1220033372
Opcode ID: 0c46f09a89597722165bd0d9fef8d27240c87a680097b1c9717ad2a8022e5414
Instruction ID: 558bee38ba4d80a6c81b39b275319f8edadd9f83696fd6648f89ab72a3799b54
Opcode Fuzzy Hash: 0c46f09a89597722165bd0d9fef8d27240c87a680097b1c9717ad2a8022e5414
Instruction Fuzzy Hash: 501225B19083519FC724CF14D88176BB7E1AF91304F858A2EF8D68B352E778D915CB8A

Function 004160F8 Relevance: 9.2, Strings: 7, Instructions: 488COMMON

Download Yara Rule

Strings

lfpu, xrefs: 0041646D
i|}, xrefs: 004164AF
$&,?, xrefs: 004162C6
}hA, xrefs: 00416877
O, xrefs: 004162D1
bdA, xrefs: 0041644E
?G?4, xrefs: 004162BB

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: O$$&,?$?G?4$bdA$i|}$lfpu$}hA
API String ID: 0-657521152
Opcode ID: c83ddae73bb36978f873cef37a2430a3c7b6ce6c097510b276572355f7aa5589
Instruction ID: f7cadc74c567da9ff6ccf86b67ffd0ea5373491200df2746dbc93d5bfa285d07
Opcode Fuzzy Hash: c83ddae73bb36978f873cef37a2430a3c7b6ce6c097510b276572355f7aa5589
Instruction Fuzzy Hash: 6FF147B69083518FC720CF28D8416ABB7E1BFD5314F194A2DE89987392E738D945CB86

Function 00485817 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004851CD,00000002,00000000,?,?,?,004851CD,?,00000000), ref: 004858B0
GetLocaleInfoW.KERNEL32(?,20001004,004851CD,00000002,00000000,?,?,?,004851CD,?,00000000), ref: 004858D9
GetACP.KERNEL32(?,?,004851CD,?,00000000), ref: 004858EE

Strings

ACP, xrefs: 00485835
OCP, xrefs: 0048586B

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b7b6e04075c34ba6e8befd3790eec65a3a84a8479d01bb772d7b482c0cf2ffba
Instruction ID: 10d763c5a00cf18537874466c7f208a27616a780f66d99654247b6b88e0fa65c
Opcode Fuzzy Hash: b7b6e04075c34ba6e8befd3790eec65a3a84a8479d01bb772d7b482c0cf2ffba
Instruction Fuzzy Hash: 9121D622A00A01AADB34BF15C904A9F73A6EF54B10B568C37E80ADB310E73ADD61D359

Function 00418857 Relevance: 8.3, Strings: 6, Instructions: 792COMMON

Download Yara Rule

Strings

-^/P, xrefs: 00418F57
6V6h, xrefs: 00418F67
E*, xrefs: 00418F05
bcd, xrefs: 00418F7F
n, xrefs: 0041944F
-R*T, xrefs: 00418F5F

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: bcd$-R*T$-^/P$6V6h$E*$n
API String ID: 0-1706003273
Opcode ID: bf9ec200dfee74759a037d5119668a69c4e9510ddc75e3518b88619bafd35562
Instruction ID: 326ff500ac38b06924e4c00ab67173c20ef889dadc59a10b1899d4eb9e275d26
Opcode Fuzzy Hash: bf9ec200dfee74759a037d5119668a69c4e9510ddc75e3518b88619bafd35562
Instruction Fuzzy Hash: B0424C76A083118BC324CF29C8917ABB7E2FFD9764F09892DE8C997351EB389941C745

Function 004159D0 Relevance: 8.0, Strings: 6, Instructions: 550COMMON

Download Yara Rule

Strings

^], xrefs: 00415A65
g*i, xrefs: 00415CA0
AQ, xrefs: 00415A44
!, xrefs: 0041604E
C*E, xrefs: 00415C7D
>O, xrefs: 00415A5A

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: g*i$ !$>O$AQ$^]$C*E
API String ID: 0-4223914267
Opcode ID: d696e306cbf57f5f409145798f771aa3ae27675bcde9058626bc8ef77bf85485
Instruction ID: 66491697b6113fefaaa2ebf303fdf51bcafeefe02f57bb52542103e229c71f66
Opcode Fuzzy Hash: d696e306cbf57f5f409145798f771aa3ae27675bcde9058626bc8ef77bf85485
Instruction Fuzzy Hash: 78024576A08350CBC3348F28D8957EBB3A1FFC5314F19462EE4899B391E7389941C796

Function 00485097 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0048519F
IsValidCodePage.KERNEL32(00000000), ref: 004851DD
IsValidLocale.KERNEL32(?,00000001), ref: 004851F0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00485238
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00485253

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: ab30e1121f8852ad6a1b4c06bf4d79c937cb140eca638a1b9684f2655b86f13d
Instruction ID: f3295c213ed65c8e1ca4d0fece6783c2dc2ad59ff5fbd825c3a2a3b8e953320c
Opcode Fuzzy Hash: ab30e1121f8852ad6a1b4c06bf4d79c937cb140eca638a1b9684f2655b86f13d
Instruction Fuzzy Hash: 5F517F71E00A05ABDF10FFA5CC45BAF73B8AF48304F54496BE901E7290EB789944CB69

Function 0047E2D0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f1bee39169fa6f762fa4cea941cf52af4f013e640272b1e1485c0bbb4dd8b8
Instruction ID: 6354ae27e696beb7ed248515af34c88a277c6a23a5ea6d6e690b79aae1a662de
Opcode Fuzzy Hash: 65f1bee39169fa6f762fa4cea941cf52af4f013e640272b1e1485c0bbb4dd8b8
Instruction Fuzzy Hash: 6D023C71E012199BDF14CFAAC9806EEBBF5FF48314F2482AAD519E7341D735A901CB94

Function 00485DF9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00485EE9

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5ce36f4cecfedae057b6bb10184b2674bab62b55e156f1f2978605b5652a0c86
Instruction ID: 6fbce18ebb927290f294ee6c9559dc1e58c2b501e72bc76fdb81196c2c27a171
Opcode Fuzzy Hash: 5ce36f4cecfedae057b6bb10184b2674bab62b55e156f1f2978605b5652a0c86
Instruction Fuzzy Hash: 7C71CF718055685FDF21EF28DC89AAEBBB9AF06304F1445EBE009A7211DB394E859F18

Function 00474573 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0047457F
IsDebuggerPresent.KERNEL32 ref: 0047464B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00474664
UnhandledExceptionFilter.KERNEL32(?), ref: 0047466E

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 331a6c337b0a67d968fb18326a864c7bf2ec5380e162f9cde456f21798adb067
Instruction ID: 29eb6403ec1eacdd17462cebc1f3a735e11512270b1347bd8f88bda96b67ae56
Opcode Fuzzy Hash: 331a6c337b0a67d968fb18326a864c7bf2ec5380e162f9cde456f21798adb067
Instruction Fuzzy Hash: 4E310875D052289BDF20DFA5DD497CDBBB8AF08304F1041AAE50CAB250EB749A84CF89

Function 00417D1A Relevance: 6.0, Strings: 4, Instructions: 1046COMMON

Download Yara Rule

Strings

FxH, xrefs: 00418670, 0041869E
txvW, xrefs: 0041832A
Z01#, xrefs: 00418356
$"", xrefs: 004182F3

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: $""$Z01#$txvW$FxH
API String ID: 2994545307-221174876
Opcode ID: 8c7949177c218953b0945abe59a1ccf7c5ae2b2fe2d5628c4162ce9bb8025e5c
Instruction ID: 76019fa0f3342d420831f4edd56cf7d8d23a9ea4d7890389b2e5b27708c1d03a
Opcode Fuzzy Hash: 8c7949177c218953b0945abe59a1ccf7c5ae2b2fe2d5628c4162ce9bb8025e5c
Instruction Fuzzy Hash: 5C42AD36608311AFC724CF28D8906BBB7D2FBCA314F19466DD4D693292DA399C42CB95

Function 0042DAAF Relevance: 5.5, Strings: 4, Instructions: 481COMMON

Download Yara Rule

Strings

%1, xrefs: 0042DE00
K, xrefs: 0042DDF2
6, xrefs: 0042E0A9
]^U\, xrefs: 0042DBFC

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: %1$6$K$]^U\
API String ID: 0-2151241452
Opcode ID: 0dbee6bbde750aa6e83e15ac06150aa1bde38b1c00b07b12ae6e0b0f52a7da3c
Instruction ID: 46eacccce919d98b2f228e0b6b92c78c74b9744d991b0fd2432cc03b4edc14d6
Opcode Fuzzy Hash: 0dbee6bbde750aa6e83e15ac06150aa1bde38b1c00b07b12ae6e0b0f52a7da3c
Instruction Fuzzy Hash: 1DD1456061C3E18ED7258F3994507BBBBD1AFA7304F5889AEC4C88B383D7798506C756

Function 0042DAB4 Relevance: 5.5, Strings: 4, Instructions: 476COMMON

Download Yara Rule

Strings

%1, xrefs: 0042DE00
K, xrefs: 0042DDF2
6, xrefs: 0042E0A9
]^U\, xrefs: 0042DBFC

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: %1$6$K$]^U\
API String ID: 0-2151241452
Opcode ID: f9c0e55155a1426874e96a5906052ff9fb7c2f80b6543efe950319e2909d571a
Instruction ID: f32cee5880d1abe434cea79f1d4879dadfbfb535463758f2fa8a7e46c57f2f90
Opcode Fuzzy Hash: f9c0e55155a1426874e96a5906052ff9fb7c2f80b6543efe950319e2909d571a
Instruction Fuzzy Hash: A8D1336061C3E08AD7358F3994607BBBBD19FA7304F5849AEC0C99B383DB794506CB5A

Function 00424120 Relevance: 5.5, Strings: 4, Instructions: 468COMMON

Download Yara Rule

Strings

chB, xrefs: 0042685D
Mt, xrefs: 004241AD
H\, xrefs: 0042419A
PW, xrefs: 00424192

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: H\$Mt$PW$chB
API String ID: 0-2163593154
Opcode ID: 7ddfb2b0f0c7e4b4e015f0436ef2eea6a1538fada804fc3770a1e2307e87024e
Instruction ID: 1bf09a6097434e7f22ddc1bdb3c630c48bc36b23cc1fce60688c9ca20e7d4f59
Opcode Fuzzy Hash: 7ddfb2b0f0c7e4b4e015f0436ef2eea6a1538fada804fc3770a1e2307e87024e
Instruction Fuzzy Hash: 5BE178756083508FD320CF28E8817ABBBE1EBC5304F55893EF5959B381D3789805CB86

Function 0043CC70 Relevance: 3.1, Strings: 2, Instructions: 636COMMON

Download Yara Rule

Strings

=N00, xrefs: 0043D0F3
=N00, xrefs: 0043D100, 0043D13B

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: a975b6ea7c3510288d540a4fa890c906eb6d18bf230e3aaf25afd2ab8d1986d0
Instruction ID: 1f1163bf8e2703864be15493e9233c931d78e1a2cc7ab19a4a2b087fdb0eb98e
Opcode Fuzzy Hash: a975b6ea7c3510288d540a4fa890c906eb6d18bf230e3aaf25afd2ab8d1986d0
Instruction Fuzzy Hash: DA12F23AA18211CFC704CF28E89056AB3E2FBCB315F1A887DD58AA7351D735E855CB46

Function 0043CD60 Relevance: 3.1, Strings: 2, Instructions: 565COMMON

Download Yara Rule

Strings

=N00, xrefs: 0043D0F3
=N00, xrefs: 0043D100, 0043D13B

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: bff7f91a71abed4388b53d4312e4da423a2c4612426fc23d1bb3e594bb641337
Instruction ID: c95ac4a302fd408c40b7df02bed80074a6debb0ea12c0d30d2c258584919a518
Opcode Fuzzy Hash: bff7f91a71abed4388b53d4312e4da423a2c4612426fc23d1bb3e594bb641337
Instruction Fuzzy Hash: 12F1EF39618651CFC308CF28E89056AB3E2FBCB314F1A89BDD58AA7751D634E851CB46

Function 0043CEA0 Relevance: 2.9, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

=N00, xrefs: 0043D0F3
=N00, xrefs: 0043D100, 0043D13B

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: 37aec9d84ee4ca9b9976a483d137be77b2afd69a439f57e03d3b9431c22ca643
Instruction ID: c76c08ac7d5648f59d5eac110b890b38750ab6c9d8ad2ad0b40d4f0c1bd0b74c
Opcode Fuzzy Hash: 37aec9d84ee4ca9b9976a483d137be77b2afd69a439f57e03d3b9431c22ca643
Instruction Fuzzy Hash: 2BD1CF39A18651CFC708CF28E89052AB3E2FBCB314F1A897DD54697751D734E851CB46

Function 0043CFE0 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

=N00, xrefs: 0043D0F3
=N00, xrefs: 0043D100, 0043D13B

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: dedb44672c626f2d125a44800c135856150f8ad88860dbeeecdebe9d7e1eff7f
Instruction ID: 7f25a428c81eee7c4059e880ccb58c817521c845a685e9a5f3e597adafafe9d8
Opcode Fuzzy Hash: dedb44672c626f2d125a44800c135856150f8ad88860dbeeecdebe9d7e1eff7f
Instruction Fuzzy Hash: 5FD1F336A18650CFC708CF28D89052AB7E2FBCB314F1A897DD49A97351DA35E911CB46

Function 0043CF50 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

=N00, xrefs: 0043D0F3
=N00, xrefs: 0043D100, 0043D13B

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: d8f1895ec524c40bb073043eb21aeb794683ad5a02f68f984eecdefc780cfa29
Instruction ID: c25bd1f4fea852463b98106fbda254b454a6f63310b3c45606409ac9038f0359
Opcode Fuzzy Hash: d8f1895ec524c40bb073043eb21aeb794683ad5a02f68f984eecdefc780cfa29
Instruction Fuzzy Hash: 84C1EF3AA18651CFC708CF28E89052AB3E2FBCB314F1A897DD48A97350D735E911CB46

Function 0042E145 Relevance: 2.9, Strings: 2, Instructions: 395COMMON

Download Yara Rule

Strings

j, xrefs: 0042E2D2
8<=, xrefs: 0042E431

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: 8<=$j
API String ID: 0-2099924815
Opcode ID: 65681a54908fc9b35d39f1ee540c7121ed796c6604b63ae38a7cc7ddccb0bbfc
Instruction ID: 7b303b8bf777e971f110373268dcde5cbc69dc551606882a10246c73124f2efe
Opcode Fuzzy Hash: 65681a54908fc9b35d39f1ee540c7121ed796c6604b63ae38a7cc7ddccb0bbfc
Instruction Fuzzy Hash: D3B1147060C3E18AD735CF3994507ABBBE1AFD7304F5889AEC4C99B382D77984058B96

Function 0043EC00 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

WVW(, xrefs: 0043EE54
/./ , xrefs: 0043ED0B, 0043EDC7

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: /./ $WVW(
API String ID: 2994545307-2734811727
Opcode ID: 9a0efd9965b90b0a4f968f782d27ea5e1549c023602bda8abf3aefdbfe197118
Instruction ID: 4d78746b4c89249037c063fa0add584b403e383d37b2a895badaa88ab217f140
Opcode Fuzzy Hash: 9a0efd9965b90b0a4f968f782d27ea5e1549c023602bda8abf3aefdbfe197118
Instruction Fuzzy Hash: B1B14476B093115FC714CE2AC8816ABB7E2EBD9314F089A3DE495C7394D678EC42C786

Function 0042C981 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

j, xrefs: 0042E2D2
8<=, xrefs: 0042E431

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: 8<=$j
API String ID: 0-2099924815
Opcode ID: cb7f2ab816c5ee5c3416f86db42a5774f7b966422091c2b977be05d53e776951
Instruction ID: 1fbe095e502b868bad50c17b29a7d52d5261f26b3b84f5e9316d8f700ac55c65
Opcode Fuzzy Hash: cb7f2ab816c5ee5c3416f86db42a5774f7b966422091c2b977be05d53e776951
Instruction Fuzzy Hash: C8A1257060C3A18FD729CF3990507ABBBE1AF97304F5889AED4C95B382C7794505CB96

Function 004270E0 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

GI, xrefs: 00426F98
KLM, xrefs: 00426FA0

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: GI$KLM
API String ID: 0-2564753213
Opcode ID: c24e12a8eceb12d46c66ce488d97ee4dc52a95bbedec094955754bfa8cae3ddf
Instruction ID: 794bedf59a0f76500754f43b8cafdafbbf09f456c6a12fa7c18f6a3273c9e351
Opcode Fuzzy Hash: c24e12a8eceb12d46c66ce488d97ee4dc52a95bbedec094955754bfa8cae3ddf
Instruction Fuzzy Hash: D481E27960C311DFE7048F24E89266BB7E0FB96308F50183DF18693252E738D916CB5A

Function 00408D50 Relevance: 2.8, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

b9x, xrefs: 00408E2D
U, xrefs: 00408E92

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: U$b9x
API String ID: 0-1952679456
Opcode ID: e513172e9271522a125607f01b30c3231a8a34564f3f7627a3c7ddfed2f9e0db
Instruction ID: 35c6c5566d1811cbc5f305b4fa90d726db0906600a4622ac6d31ffc73422be14
Opcode Fuzzy Hash: e513172e9271522a125607f01b30c3231a8a34564f3f7627a3c7ddfed2f9e0db
Instruction Fuzzy Hash: 0C71572154C3868EC3119F39899036BFFE19FA3214F0C457DE8D5A7382DB7D890A975A

Function 0040D338 Relevance: 2.7, Strings: 2, Instructions: 223COMMON

Download Yara Rule

Strings

Fxz, xrefs: 0040D4DE
|}~, xrefs: 0040D4E5

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: Fxz$|}~
API String ID: 0-2927207767
Opcode ID: d68493c5eebebad51e19babb3c033f4aac78abed11a2648ee8a9d9f44f836f5e
Instruction ID: 7b4ee9894a37c5e2197fd37e5a0ee18b911a3cc40dae0d52a71c2d5ca27a5863
Opcode Fuzzy Hash: d68493c5eebebad51e19babb3c033f4aac78abed11a2648ee8a9d9f44f836f5e
Instruction Fuzzy Hash: C9611676610B018FD324CF39C891B66B7E3EF95304F18C57DD58A9B356EA38A805CB18

Function 0042B950 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 0042BC88

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 7ea78c9403be0e6823fb8f572908cb51abfb5f1ff7cb4bacb89e9e7a3c698a5c
Instruction ID: 8686e608cbf0685a246edbe9a8168b45d10c02e16e22aa04f1e81bdd9b3e680f
Opcode Fuzzy Hash: 7ea78c9403be0e6823fb8f572908cb51abfb5f1ff7cb4bacb89e9e7a3c698a5c
Instruction Fuzzy Hash: 1BD1E471A083255FC714CE25E48076BBBE5EB84314F98892EE9958B382E778EC45C7C6

Function 0040C377 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

PQ, xrefs: 0040C550

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: PQ
API String ID: 0-3876466377
Opcode ID: 26997fba914a23904a5fecd520f99ec7ce266ef0997d9d17b9c21020a6ab4d0d
Instruction ID: 9dda0cb490998ba9e73ca3fd4dc1686ddde7a2bb021d1bd637cbf27136e3e362
Opcode Fuzzy Hash: 26997fba914a23904a5fecd520f99ec7ce266ef0997d9d17b9c21020a6ab4d0d
Instruction Fuzzy Hash: 6E71897665C3209BC318DF55CC9122BB3E2EFD6304F09963DE8D5AB385E6388905878A

Function 0042BE10 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042C00E

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 37c4e6cebd6108e29af0e7d85e3e4d9bfada760923e8382d02453211b7f85ed8
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 8D71E532B083258BD714CE68E98031FB7E2EBC5710F9AC52FE59497391D3399D458B8A

Function 0043D570 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

@, xrefs: 0043D63B

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d0b3cac32ba4848000d62679212498ebd8bf7a76f124a89ab837be93f20ee6af
Instruction ID: 4f47106b69f9887cf66a15a8f92d369709db0679f9ddab92c8b2034d3bbb5f42
Opcode Fuzzy Hash: d0b3cac32ba4848000d62679212498ebd8bf7a76f124a89ab837be93f20ee6af
Instruction Fuzzy Hash: 41417A76A043119BD7148F64DC917BBB7A2FFE4318F19562DE4854B3E0E7789800C786

Function 0042309E Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

r1B, xrefs: 00423166

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: r1B
API String ID: 0-4139467298
Opcode ID: f21fb9205bfe48189ff4743019bab1b71551a6037f243536d69f374f31ef71ff
Instruction ID: e5f1a7d27e025d246ed0810d7813f98301915d5fb696faaf905b88e5f0bff613
Opcode Fuzzy Hash: f21fb9205bfe48189ff4743019bab1b71551a6037f243536d69f374f31ef71ff
Instruction Fuzzy Hash: F8512635A05102DFDB18CF68DC9066AB3B2FF8A712F6945B8E906A7391C335DE52CB44

Function 00429030 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

su, xrefs: 00429042

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: su
API String ID: 0-2567719060
Opcode ID: 1208cf701747eb9f9f1b4cc45eff990516c70dbb43a00837811f471d8d6ba221
Instruction ID: 3a2b2168663c618823ba9dd59d8bf6afcf7b82f9ce2216899db1cec0c61b9df2
Opcode Fuzzy Hash: 1208cf701747eb9f9f1b4cc45eff990516c70dbb43a00837811f471d8d6ba221
Instruction Fuzzy Hash: 4921593664C3215BF714CE259C4279BFBE6EBC0700F16C83DD9849B285C674950A83C2

Function 00402ED0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1309a4fa7df7d806026f5414b74be268b787b146b17bd45b4c3720911f9dfe00
Instruction ID: d40387a985f785262703df0c54ef072f615b50a27890f10fc6f798cac461b8d4
Opcode Fuzzy Hash: 1309a4fa7df7d806026f5414b74be268b787b146b17bd45b4c3720911f9dfe00
Instruction Fuzzy Hash: F35206716083458FCB15CF24C0906AABFE1BF89315F188A7EF8996B381D778D949CB85

Function 00407460 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abb27160ab780e122374a729d52e43c2534624d6ce29bcc53344870479f66f8
Instruction ID: a8d173a609d4ded7e2bad96ab1e4b34eab8f19c908292bc413d1f379d9350b32
Opcode Fuzzy Hash: 9abb27160ab780e122374a729d52e43c2534624d6ce29bcc53344870479f66f8
Instruction Fuzzy Hash: 3B12B632A0C7118BC724DF18D9806ABB3E1FFD4315F19493ED9C6A7281D678B855CB86

Function 004376E0 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa44734e673a6402c2de617bdd2479d3fb05cfd8199f8502162920226815bb71
Instruction ID: ba1e10bf3fea9a5fa83f55f14886f078ef0c1853e995e4fc2c426ebac8d67c73
Opcode Fuzzy Hash: aa44734e673a6402c2de617bdd2479d3fb05cfd8199f8502162920226815bb71
Instruction Fuzzy Hash: 5BD1397130C3015BD7289E24C8D27ABB7E2EBCA314F14692EE5C597392D339AC06DB56

Function 0041D360 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee90f5278ac038cd0a5ebbaa8bbc951ea4739f8151e16ecc0552300bd52a22d7
Instruction ID: 3625b25d449ff7109c7f33d13eee3a1ac1eb4c48f0e9783f3e249c004e2be0e7
Opcode Fuzzy Hash: ee90f5278ac038cd0a5ebbaa8bbc951ea4739f8151e16ecc0552300bd52a22d7
Instruction Fuzzy Hash: 79C102B59183108BCB24DF28CC522AB77F2EF86314F18996DE895DB394E738D905C74A

Function 00405910 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fb91940804318dc1743849ef84bb8718c5b54b4986656f818f4eacab807873
Instruction ID: 9f0979e7b715912f22a726b41dd89c2d954775e028d435566855a83fccc654bd
Opcode Fuzzy Hash: 03fb91940804318dc1743849ef84bb8718c5b54b4986656f818f4eacab807873
Instruction Fuzzy Hash: F4F1DE356087418FC724CF29C88066BFBE6EFD9304F08882DE5D597391E639E945CB96

Function 0043E820 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d510ccd8bcb0ac8fc97cf14ad7edda505e417fe9441703c6c0a21c807916ef3
Instruction ID: 36bebf25d809be0009731b627cd49e69892b56a6fb0b181eed2a4928305fcef5
Opcode Fuzzy Hash: 7d510ccd8bcb0ac8fc97cf14ad7edda505e417fe9441703c6c0a21c807916ef3
Instruction Fuzzy Hash: FBB16936A093119BC724DE2AC88066BF3E3FBD8710F09D92DE891573A4DB74AC01D785

Function 0042E9E0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95abea31c7ede42a9972406c917afdce7c3e6382d4f3bff8a6743a8ffbd8293
Instruction ID: 2a379b486f630012c82438e6a8f3a57494f8afabdb285188630525c8d2ac60c9
Opcode Fuzzy Hash: d95abea31c7ede42a9972406c917afdce7c3e6382d4f3bff8a6743a8ffbd8293
Instruction Fuzzy Hash: 85F1E7B0606B00AFD769CF29D895797BBE9EB4D304F10896EE0AE8B351C7752801CF59

Function 0043E490 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3942e4086cd5a5fa3683e38ee3203e23672ee0a59dde484b07a4ec7133ac5d10
Instruction ID: 009f94c37c0cb56ab430755ff06e62af40952c7aa61986d222e2d4208ec47ab5
Opcode Fuzzy Hash: 3942e4086cd5a5fa3683e38ee3203e23672ee0a59dde484b07a4ec7133ac5d10
Instruction Fuzzy Hash: E2A106356153019BC714CF2AC841A6BB7E2FFD9724F09966EE985873E4EB34EC018745

Function 00439A70 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cea9301c44037a7b4df3ccc84d7bfa830eb9dd9d54391ab1f93d33711c6f3423
Instruction ID: 2ae903cc50b0dbf1320d53a05efe064405d9b93b3f73c8ec3a8de6b549ef8b2c
Opcode Fuzzy Hash: cea9301c44037a7b4df3ccc84d7bfa830eb9dd9d54391ab1f93d33711c6f3423
Instruction Fuzzy Hash: 0F716D7BA083105BD724DE399C8063BB3D2EBC9710F1A967ED8C657341E6B45C01C789

Function 00427380 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f80bc35eeeca5958f49ad19a4c8dcc787c53183d691d29a8280b7b5a587f73dc
Instruction ID: be835d0c91ea3e5ea3d4aedc008f874caab6f4a8b318e1ffc2d9521a871b1c41
Opcode Fuzzy Hash: f80bc35eeeca5958f49ad19a4c8dcc787c53183d691d29a8280b7b5a587f73dc
Instruction Fuzzy Hash: 09713B7570C3215BD714AF24AC8277BB7A1EF92314F98843EE88557352E638EC06D35A

Function 004243B0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec0369fa3dd8237a43cdbe7dba76f2d7b3bbad0defa6cfb83235d6b3e7040a5
Instruction ID: e5f74e7df74ea148bbcb6e335824269c93cc319de6e4edaa78c97c0ee560a6ea
Opcode Fuzzy Hash: eec0369fa3dd8237a43cdbe7dba76f2d7b3bbad0defa6cfb83235d6b3e7040a5
Instruction Fuzzy Hash: A98156766083009BE320CF25EC41BAFB7E5EBC9308F45493EF6899B291D7349515CB5A

Function 004245F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6231d9b45743c0b195204eeae6ab584a87f063cb4d02de19b9c8006f00500ae8
Instruction ID: 9c9da8b47ab4b1cc09244863133357a48d8f99abe656757f3aa6f10424084940
Opcode Fuzzy Hash: 6231d9b45743c0b195204eeae6ab584a87f063cb4d02de19b9c8006f00500ae8
Instruction Fuzzy Hash: F96146B6A08300DBE320CF15EC41B6BB7E1EBC9304F51483EF6459B291D674A515CB96

Function 00424550 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f33492ad2a1f4a851eed0892fd488c2d9c4246907eb9cf6b90bb44ffddf2683
Instruction ID: efbfe1680157ef4200e5f26a80f4f441e6834f34fb912714bcea121ac85790f3
Opcode Fuzzy Hash: 3f33492ad2a1f4a851eed0892fd488c2d9c4246907eb9cf6b90bb44ffddf2683
Instruction Fuzzy Hash: 8A615476A08300DBE320CF29EC41B6BB7E1EBC9304F11483EF6899B291D7749515CB9A

Function 00437450 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c02a24c7379c5f688e2a9d61d88d32d44cf8a0bfa8ea28f6d05e8f7ae29f82
Instruction ID: 5c4747b14b763f6423e32f97156a35dae38f9aea763944f1c71772c15a07efb1
Opcode Fuzzy Hash: 48c02a24c7379c5f688e2a9d61d88d32d44cf8a0bfa8ea28f6d05e8f7ae29f82
Instruction Fuzzy Hash: A15166B5208601AFD7249F28D892B6B77E1EBCA314F04583DE1C583291E7789C16DB66

Function 00428938 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a054b4a56c9cce1e936cc134f0b65e1ee8f8b1dd1a3cbb5d64876246cc084db6
Instruction ID: 2f9bac02b73704bfa949a4928859458b9e7023b788a9c5e7a931a1a560bcfd1a
Opcode Fuzzy Hash: a054b4a56c9cce1e936cc134f0b65e1ee8f8b1dd1a3cbb5d64876246cc084db6
Instruction Fuzzy Hash: 0B5102B4A09351CFE3248F25DC4171BB7E1FBC9304F55897DE5889B3A1DB7898018B9A

Function 0043D330 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801e118eae484d0226fb87806212c53365a7a79cc740fef18dfb56517691e400
Instruction ID: 883e5595acbfd9eab16bb170e99f51e9927ec6d413e69633466920eedfc5eee6
Opcode Fuzzy Hash: 801e118eae484d0226fb87806212c53365a7a79cc740fef18dfb56517691e400
Instruction Fuzzy Hash: 7F41EE35619291DFC7088F38E85016BB7E2FB8B320F0A897DD886D3250D338E951CB46

Function 00408B50 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080b9451aafd0f102d2fbcd689eec89c8f8ee7975cfea1d7c53691420701ee52
Instruction ID: 289e3a9386be6df702385e59d47aa5dbabeaaef131dee9c25efab4ab05ec0e99
Opcode Fuzzy Hash: 080b9451aafd0f102d2fbcd689eec89c8f8ee7975cfea1d7c53691420701ee52
Instruction Fuzzy Hash: 25314E2268E7058FF31846688E955B7B7A1CB52310F4E437FD9912B3D2D93C4D0AD3A9

Function 0042AFDB Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca8aa78fab8a15cbddde135a4165fe388285d322321d16969915e2c5a7300df
Instruction ID: ebc0b6189d77aef3bc1a37bdce85675a2a6e0eae855e0c3199d3ec4fa89b25c3
Opcode Fuzzy Hash: dca8aa78fab8a15cbddde135a4165fe388285d322321d16969915e2c5a7300df
Instruction Fuzzy Hash: 29314778A08251DFE7305F64FC82B6B73A4FB8B304F411479FA8493142DB39A821C79A

Function 0042E784 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daf5e6c5b17073090c76df75735d2d38c33aa34bc5254e0fe86aed0f551f424
Instruction ID: 0f74a0bc667ad031a8bd44ffe6b1acbeb2a7f5784325b2f5bfa54d0261dfd09e
Opcode Fuzzy Hash: 9daf5e6c5b17073090c76df75735d2d38c33aa34bc5254e0fe86aed0f551f424
Instruction Fuzzy Hash: FB31E5A06183D18EEB259F359470BB77FD09F63308F584DAED2C5AB283D6398106C75A

Function 0042ABF8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54155e3e2ab7796fcf766ecf8dcf1830180ff23cab53a6c304c67dc2799cad9f
Instruction ID: 120001e595cf963a4e1e78b3716713ebab2fea3f5674165064983483836df477
Opcode Fuzzy Hash: 54155e3e2ab7796fcf766ecf8dcf1830180ff23cab53a6c304c67dc2799cad9f
Instruction Fuzzy Hash: 61213734309310AFEB499B25B8C163B7366FB96714F94687EE84323312D628CC128B4F

Function 00424DC0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bd42f577157fa4b0e3a286f48eca0a4a0c2c2811db6931c79dabeb7853fe605
Instruction ID: de91bd6113e6fd9e953af6b7b494d978a294033abd3c0dc3893b669f83ed4139
Opcode Fuzzy Hash: 0bd42f577157fa4b0e3a286f48eca0a4a0c2c2811db6931c79dabeb7853fe605
Instruction Fuzzy Hash: 47214677A58329DBC3209FA4A880537F2E3F7DA310F9B556DC845A3211D671AD048BC9

Function 0043C33D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ff674473218ad65e558c08e43268dd02de724bce6290d82549a7049c0bd7ab
Instruction ID: d57e079e430eff4900e55edcc94ffb549304e0f316c3247a95137036e3436290
Opcode Fuzzy Hash: 34ff674473218ad65e558c08e43268dd02de724bce6290d82549a7049c0bd7ab
Instruction Fuzzy Hash: 0C113277E511600BD32CCF2ACCA247A77A29B9B22570E926EC897A3380C6380D0183D8

Function 004342E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: a045302317afdec66e3d93ba1fd29b1b0bc52319829772b6575ef936e449a085
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 64112933B051D10EC3128D3C84405E9BFE31BE7635F59539AF8F49B2D2D62A9D8A8359

Function 0042B380 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66116ca51413bb69ab787466092ab16813b115ef93d4b4d95bd9a6a1b53a0bf5
Instruction ID: 311e6beaf51666f254adccdd01e54a614d811fba824c150ad49bad23ed539729
Opcode Fuzzy Hash: 66116ca51413bb69ab787466092ab16813b115ef93d4b4d95bd9a6a1b53a0bf5
Instruction Fuzzy Hash: 93018CF1B0021257E720EE55B4C072BB3A8AF84718F48453EE84557342EB7DF805C2DA

Function 00428DC5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7ab2314f9114284fd3f0474128c1b2a17d565d70a3b9a29952a24feb962e9f
Instruction ID: 7680d6ecd824a9420769c5e53d0d5f5852de09effc4195054f5caa7b16329a9d
Opcode Fuzzy Hash: be7ab2314f9114284fd3f0474128c1b2a17d565d70a3b9a29952a24feb962e9f
Instruction Fuzzy Hash: 9B019235709220AFE7149B14A48193FB3E2BBDA314F95957DE44963252CA38AC028B9E

Function 00428912 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5d481a4f1e13be97b46ba8f2006b4ad22259d6881528bd7a2ec9d98411b3ea
Instruction ID: 5cc17da1ef3f9e07c089bf5c2002d3eb276fb382bea159082683aa4046d45d4b
Opcode Fuzzy Hash: 5a5d481a4f1e13be97b46ba8f2006b4ad22259d6881528bd7a2ec9d98411b3ea
Instruction Fuzzy Hash: 8DF0C830709261CBE7144B24E49162FB3E1B7DA350FA5967FC48A33701CE79AC028B9E

Function 00402B90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae76682fd5aa2a16cdd7d9f4ffb8e996fa499a521c280fddb85e8b2d6518ef0
Instruction ID: 99591e7beb571e2dc590d10804c222ebf8aa6f18697b1d3883b4cf5795d47446
Opcode Fuzzy Hash: aae76682fd5aa2a16cdd7d9f4ffb8e996fa499a521c280fddb85e8b2d6518ef0
Instruction Fuzzy Hash: 53F0E93BB186170BE614DD79ECC4927F3A6E7C6304F099439EA41E7781C5B5F806C2A4

Function 00429D1E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6606fafbbfe574efe7bbd01be868b59859b6deae594a1ff1ec81f80106e3956d
Instruction ID: 2150ce7d8063d49a682c9b9d226803a3ac1b2625fef89fd3b6930484a24bc537
Opcode Fuzzy Hash: 6606fafbbfe574efe7bbd01be868b59859b6deae594a1ff1ec81f80106e3956d
Instruction Fuzzy Hash: 41F06D307186209BE7189B25E05253BF3E1BBD2310FA5DA7ED48623652C638AC02D78E

Function 0042AEB3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d04a4e5f87148ee2cff24109152caacd592a560f83287046947e6134e287b25
Instruction ID: e317c7a56bc1e47a98cf6787839e47324a44f3ab8bbdd7c3857e04e6dabc0491
Opcode Fuzzy Hash: 6d04a4e5f87148ee2cff24109152caacd592a560f83287046947e6134e287b25
Instruction Fuzzy Hash: 8BF0B4747096109BD7104F24A2D413B7391A76B304FD1387DEC8227206C528DC16875B

Function 00431946 Relevance: 35.2, APIs: 1, Strings: 19, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004319CC

Strings

g, xrefs: 00431972
X, xrefs: 00431B7A
W, xrefs: 00431B6A
], xrefs: 00431B8A
K, xrefs: 00431BBA
Z, xrefs: 00431B3A
x, xrefs: 00431977
f, xrefs: 0043196D
b, xrefs: 00431959
_, xrefs: 00431B2A
N, xrefs: 00431B9A
6, xrefs: 004319F2
^, xrefs: 00431BAA
0, xrefs: 00431C71
R, xrefs: 00431B1A
R, xrefs: 00431B4A
3, xrefs: 00431B5A
?, xrefs: 00431B0A
d, xrefs: 00431963

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0$3$6$?$K$N$R$R$W$X$Z$]$^$_$b$d$f$g$x
API String ID: 2525500382-3404372981
Opcode ID: 883a627b99c1900e9c6d9b5874601a6bc52d969ed154ffacdf7075a51090d370
Instruction ID: 82a518c2cdec33ec80ce92ff7e631ac2a973d6767876b4f981eadbfe86b1d074
Opcode Fuzzy Hash: 883a627b99c1900e9c6d9b5874601a6bc52d969ed154ffacdf7075a51090d370
Instruction Fuzzy Hash: D491D02050CBD28AE332C73C885879BBED16BA7224F084B9DE4E95B2D2D3B54546C767

Function 00431265 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004312B2

Strings

R, xrefs: 004312DC
H, xrefs: 004312FA
J, xrefs: 00431304
L, xrefs: 0043130E
V, xrefs: 004312F0
@, xrefs: 00431322
F, xrefs: 00431340
T, xrefs: 004312E6
B, xrefs: 0043132C
G, xrefs: 00431345
P, xrefs: 004312D2
N, xrefs: 00431318
D, xrefs: 00431336

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$B$D$F$G$H$J$L$N$P$R$T$V
API String ID: 1927566239-89143503
Opcode ID: 52566eb43e9c654f3108b28e4ffcff3fa02cf4647f2402a61ed2ef647cca95bc
Instruction ID: 7a59bf7c3329ffddbb0c0f48962579714d40e3e1d4689ef214eb01fc108406bf
Opcode Fuzzy Hash: 52566eb43e9c654f3108b28e4ffcff3fa02cf4647f2402a61ed2ef647cca95bc
Instruction Fuzzy Hash: CC41177050C7C18AD326DB78845879BBFD16BD6318F088A5DE1E94B3E2D7B88409C757

Function 0043165E Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 93COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431668
VariantInit.OLEAUT32 ref: 0043167B

Strings

s, xrefs: 004316CF
c, xrefs: 004316A7
y, xrefs: 00431701
w, xrefs: 004316F7
~, xrefs: 004316BB
m, xrefs: 004316D9
y, xrefs: 004316ED
X, xrefs: 004316E3
l, xrefs: 0043169D
|, xrefs: 004316C5

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: X$c$l$m$s$w$y$y$|$~
API String ID: 2610073882-1425934243
Opcode ID: 5befae2ce0566302a6c21c8f45803f3c48d1185cad1e077eba45f1e8229ba15c
Instruction ID: 6adf0b0ca4729edd0e80e748f6647486785651b246061e9b482616a1966cdf77
Opcode Fuzzy Hash: 5befae2ce0566302a6c21c8f45803f3c48d1185cad1e077eba45f1e8229ba15c
Instruction Fuzzy Hash: E441573150C7C18ED375DB38884869EBFE0AB96224F080E6DE5E8873E6C6798549C767

Function 0048E852 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,0048E83D,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0048E8F8
__alloca_probe_16.LIBCMT ref: 0048E9B3
__alloca_probe_16.LIBCMT ref: 0048EA42
__freea.LIBCMT ref: 0048EA8D
__freea.LIBCMT ref: 0048EA93
__freea.LIBCMT ref: 0048EAC9
__freea.LIBCMT ref: 0048EACF
__freea.LIBCMT ref: 0048EADF

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 775a62bb0fced74601c6c812ccfeec02a675a52e124da0c56c90b5aba04fbdf8
Instruction ID: 514ac8a8ae6ed43301b11424f8748bebaffbafa5a3b3df7ed6750b7ec8ae3818
Opcode Fuzzy Hash: 775a62bb0fced74601c6c812ccfeec02a675a52e124da0c56c90b5aba04fbdf8
Instruction Fuzzy Hash: 05710572A0020AAFDF25BE968C41BFF7BA9AF45714F14481BF918A7291D77CDC008759

Function 00474AB9 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00474B00
__alloca_probe_16.LIBCMT ref: 00474B2C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00474B6B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00474B88
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00474BC7
__alloca_probe_16.LIBCMT ref: 00474BE4
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00474C26
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00474C49

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 04e290932a72335545f531e4c46e573a1d52eb874991a3ab05cebbd56f972f04
Instruction ID: 78ed50d16b258ef44775443073c2deb70748d041dd079f45e3940c1426cdf263
Opcode Fuzzy Hash: 04e290932a72335545f531e4c46e573a1d52eb874991a3ab05cebbd56f972f04
Instruction Fuzzy Hash: 0651B132501205AFEB214F51CC45FFB7BA9EF84744F26842AF929E62A0D738DD10CB59

Function 00482D36 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00482DBC

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 397bbcb3882a010d45e2357f2cccbd5be2c1488f20f2fd85135c7354d530a15f
Instruction ID: c7df4791038212c631555be4a7d537cb5c4f8394ab80ed6bbf8ffa5013196a4b
Opcode Fuzzy Hash: 397bbcb3882a010d45e2357f2cccbd5be2c1488f20f2fd85135c7354d530a15f
Instruction Fuzzy Hash: F6B179329002559FDB15EF28CD81BAF7BB5EF16710F14495BEA04AB382D3B8D901C7A8

Function 0047F4CE Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0047F5ED
CallUnexpected.LIBVCRUNTIME ref: 0047F866

Strings

csm, xrefs: 0047F578
csm, xrefs: 0047F50B
`"I, xrefs: 0047F5E4
csm, xrefs: 0047F624

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: `"I$csm$csm$csm
API String ID: 2673424686-1829692350
Opcode ID: 4dc3065a9f2f154b66881a59ab067632fc5bdc7e414211e13071cca02187add1
Instruction ID: f6d201c427f41c25f7798adb8bda382950e6fd65d97688518e47a766c16d256e
Opcode Fuzzy Hash: 4dc3065a9f2f154b66881a59ab067632fc5bdc7e414211e13071cca02187add1
Instruction Fuzzy Hash: 99B18D71800209EFCF29DFA5C8819EEB7B5BF14314F14856BE8086B312D738DA55CB9A

Function 0042D325 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 250COMMON

Download Yara Rule

Strings

7, xrefs: 0042D5A4
OZlk, xrefs: 0042D42B
8, xrefs: 0042D4FE
pq, xrefs: 0042D64E
EmQu, xrefs: 0042D5E1

Memory Dump Source

Source File: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Solara-3.jbxd

Yara matches

Similarity

API ID:
String ID: 7$8$EmQu$OZlk$pq
API String ID: 0-859822191
Opcode ID: 4d6603a8c0c7566ab64d9eb86f4b4e3f2d86c1955ec4a112ace09a3abae9ea82
Instruction ID: cac24ab99b363b77e0eaa7bceb918df53766f019ec1eabbe48716cc02275ce89
Opcode Fuzzy Hash: 4d6603a8c0c7566ab64d9eb86f4b4e3f2d86c1955ec4a112ace09a3abae9ea82
Instruction Fuzzy Hash: 56712770A0C3E18BE3248B3994617ABFBD19FA3315F68496DD0C94B382DB78544ACB57

Function 00475990 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004759C7
___except_validate_context_record.LIBVCRUNTIME ref: 004759CF
_ValidateLocalCookies.LIBCMT ref: 00475A58
__IsNonwritableInCurrentImage.LIBCMT ref: 00475A83
_ValidateLocalCookies.LIBCMT ref: 00475AD8

Strings

csm, xrefs: 00475A6D

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 96c70170e1d8e9565c949956ace8d9c705c77c18598b86ab243dcda35f9b9142
Instruction ID: 1332768071e8981ef83c35b11e4b5d5f26ff61ea5f53caeda09b1e21ac866cbe
Opcode Fuzzy Hash: 96c70170e1d8e9565c949956ace8d9c705c77c18598b86ab243dcda35f9b9142
Instruction Fuzzy Hash: 2D41C734A006089BCF10DF69C885ADE7BA1EF44328F14C17BE91C9F352D779AA15CB99

Function 00480DC2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,00480ED1,00462FE2,?,00000000,?), ref: 00480E83

Strings

ext-ms-, xrefs: 00480E2D
api-ms-, xrefs: 00480E19

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e8212342eb35d198054cbbaaa6819bb5c876131257c2e96914376526c1b047b2
Instruction ID: 36d43305fd9d1d73ea3b817c61be023bccb8260d83ade7e5dcd050f44426acca
Opcode Fuzzy Hash: e8212342eb35d198054cbbaaa6819bb5c876131257c2e96914376526c1b047b2
Instruction Fuzzy Hash: DB213671A11211ABDB22AB64EC40A6F3B59EB527A0F240D32ED16A7390D738ED04C7DC

Function 00474CD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00474CD6
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00474CE4
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00474CF5

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00474CDE
GetTempPath2W, xrefs: 00474CEA
kernel32.dll, xrefs: 00474CD1

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 22346156ea3fcc3c2fc1e2b9c540bc29275161547c970e195dd077da8520e779
Instruction ID: 6ba22c73084d71e7f37013d7c5e9071b1cd49072318883d22e2cb6e44ea8fac3
Opcode Fuzzy Hash: 22346156ea3fcc3c2fc1e2b9c540bc29275161547c970e195dd077da8520e779
Instruction Fuzzy Hash: 17D0A932916220AF8B00AFF0BE0C88B3FA4EA563003100933FC00E2220D67C0410CFDE

Function 004889DE Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c320c5e4caabef0708fedaa53eead1d058be28db30e806ce576bde958ce8f7
Instruction ID: 1f984f35ecbf388141105f3f61d416ef64466d7517e932690e4f4848bc9f2438
Opcode Fuzzy Hash: f3c320c5e4caabef0708fedaa53eead1d058be28db30e806ce576bde958ce8f7
Instruction Fuzzy Hash: F5B12670A042099FDB11EF98D881BAE7BF1FF56314F94456FE4049B392CB789942CB68

Function 0047EC4C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0047EC43,004753B0,00471C5F,BB40E64E,?,?,?,?,0048FDEA,000000FF,?,00468CA5), ref: 0047EC5A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0047EC68
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0047EC81
SetLastError.KERNEL32(00000000,?,0047EC43,004753B0,00471C5F,BB40E64E,?,?,?,?,0048FDEA,000000FF,?,00468CA5), ref: 0047ECD3

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 11fe9de099d3085d0381037852ac39ff6aad521f11d4b4899716fb84cd890e12
Instruction ID: 59dd23cf258c11035179bd0b32fd97f4d30fdb5ecd975daba884df92ba577c60
Opcode Fuzzy Hash: 11fe9de099d3085d0381037852ac39ff6aad521f11d4b4899716fb84cd890e12
Instruction Fuzzy Hash: ED019C361093123EB22627B37C8A6AB2B84DB143BC320433FF118852F1EF594C14D24D

Function 00479FF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,0048FCB4,000000FF,?,0047A0B9,00479FA0,?,0047A155,00000000), ref: 0047A02D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0047A03F
FreeLibrary.KERNEL32(00000000,?,?,00000000,0048FCB4,000000FF,?,0047A0B9,00479FA0,?,0047A155,00000000), ref: 0047A061

Strings

mscoree.dll, xrefs: 0047A026
CorExitProcess, xrefs: 0047A037

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: acc42d15261f4f30ab0b4ca7c164af5e11bd8ca8f6fecb9ed7e611ff51d84a6b
Instruction ID: 16d4e18be0fdc1df2ed005c610e3729be472cfd9b2e79e89f55c66d7a5b45425
Opcode Fuzzy Hash: acc42d15261f4f30ab0b4ca7c164af5e11bd8ca8f6fecb9ed7e611ff51d84a6b
Instruction Fuzzy Hash: C601F731904654AFDB118F40DC09FAE7BB8FB44715F040537E811A26D0DB789914CB89

Function 004815AA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0048162F
__alloca_probe_16.LIBCMT ref: 004816F8
__freea.LIBCMT ref: 0048175F

Part of subcall function 0047FE71: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470E1D,?,?,00462FE2,00001000,?,00462F2A), ref: 0047FEA3

__freea.LIBCMT ref: 00481772
__freea.LIBCMT ref: 0048177F

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 8daa72a5be70449e34557bad638ca760d70885d9ad1d31476e0b42ef529507dc
Instruction ID: 40e00e049ea0c38178c0aca27db3a7a1072ef24b1a7ae431ae712393a91001e1
Opcode Fuzzy Hash: 8daa72a5be70449e34557bad638ca760d70885d9ad1d31476e0b42ef529507dc
Instruction Fuzzy Hash: 2C51A576600206AFDB206FA58C81EBF36ADDF48754F15492FFD08D6261EB78CC129768

Function 00462080 Relevance: 7.7, APIs: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00462144
CloseHandle.KERNEL32 ref: 00462160

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: CloseFileHandleSize
String ID:
API String ID: 3849164406-0
Opcode ID: 19b62a6e598764c7222ed1fb2e84d65a4a0bd122eb344adffaedbb331904a1aa
Instruction ID: 3c12bbcac4400d6f728ecf589c70393eb76b80c8dc482a8ac3500137a8b4a224
Opcode Fuzzy Hash: 19b62a6e598764c7222ed1fb2e84d65a4a0bd122eb344adffaedbb331904a1aa
Instruction Fuzzy Hash: 6381CDB0D04248DFDB00DFA8D59869DBBF0BF18304F10882EE859AB351E778A985CF56

Function 00473D8E Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00473DA2
AcquireSRWLockExclusive.KERNEL32(?,?,?,0046B05E), ref: 00473DC1
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0046B05E), ref: 00473DEF
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0046B05E), ref: 00473E4A
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0046B05E), ref: 00473E61

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 093d1a4bb5785eb14d7977451c11d437638c503a407a873d483ecd8fefecc182
Instruction ID: 6b76542197d854345502a8b5f932d0110d1842773161e181bd86fed47ce0d66a
Opcode Fuzzy Hash: 093d1a4bb5785eb14d7977451c11d437638c503a407a873d483ecd8fefecc182
Instruction Fuzzy Hash: 3A413A31900606DFCB20DF65C4849EAB3F5FF08316B50892FE45AD7640D738EA85EB99

Function 004714F2 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004714F9
std::_Lockit::_Lockit.LIBCPMT ref: 00471504
std::_Lockit::~_Lockit.LIBCPMT ref: 00471572

Part of subcall function 004713FA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00471412

std::locale::_Setgloballocale.LIBCPMT ref: 0047151F
_Yarn.LIBCPMT ref: 00471535

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 3b644496f4ce84cb6f430c8d0800ef9197917c94303848d49f9a2c007dd9d0ec
Instruction ID: 886af7eab66c30e52a4713a50e643e639d0da83c18c459bb7a8892db38ae0e96
Opcode Fuzzy Hash: 3b644496f4ce84cb6f430c8d0800ef9197917c94303848d49f9a2c007dd9d0ec
Instruction Fuzzy Hash: 64019E756001109BD70AEB64C8515BD3B71FFD5744B14806FE81A173A1CF3CAA02CBC9

Function 0048A651 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0048A6ED,?,?,00000000,?,?,?,0048A5AB,00000002,FlsGetValue,00494D24,00494D2C), ref: 0048A65E
GetLastError.KERNEL32(?,0048A6ED,?,?,00000000,?,?,?,0048A5AB,00000002,FlsGetValue,00494D24,00494D2C,?,?,0047EC6D), ref: 0048A668
LoadLibraryExW.KERNEL32(?,00000000,00000000,000000FF,?,00468CA5), ref: 0048A690

Strings

api-ms-, xrefs: 0048A675

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 960c5822247564acefca1d956be8df843c529650331284eca4c169f71c0049ba
Instruction ID: b2ceef518ac73e9935259e264647ca36b66c89a0d4030159997e398e163e1333
Opcode Fuzzy Hash: 960c5822247564acefca1d956be8df843c529650331284eca4c169f71c0049ba
Instruction Fuzzy Hash: 4FE01230680305B7EF126B51DD06B5D3B55AB20B45F184433F94DA85E0E7A99820D68E

Function 00487DAE Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00487E11

Part of subcall function 0047FF81: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00481755,?,00000000,-00000008), ref: 0047FFE2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00488063
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004880A9
GetLastError.KERNEL32 ref: 0048814C

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 920f1b6de1349c09c7bc70420fa06fe93c1e868a8b58bf7e5caccd091d941c08
Instruction ID: 4a70dfe94f5d4ab7b589917ca4355a83287c6b49e616c188be207eb1c4179de9
Opcode Fuzzy Hash: 920f1b6de1349c09c7bc70420fa06fe93c1e868a8b58bf7e5caccd091d941c08
Instruction Fuzzy Hash: C4D1BCB5D002489FCF05DFA8C8849EEBBB5FF09314F28496EE815EB351DA34A906CB54

Function 0047F1F5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0047F2BC
___AdjustPointer.LIBCMT ref: 0047F2DF
___AdjustPointer.LIBCMT ref: 0047F37B

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 4466e4e9fbba66032d55ef36e6f758c46347b4b3621a95eb6eb9a430a1f65d8d
Instruction ID: 2981e06f06e01416aff5560c17366dc2ee8273c02f5dbf7de14d817ccc95a38d
Opcode Fuzzy Hash: 4466e4e9fbba66032d55ef36e6f758c46347b4b3621a95eb6eb9a430a1f65d8d
Instruction Fuzzy Hash: B851EE766016029FDB288F55D841BFA77A5EF00714F20843FEC0A876A1E739EC59CB98

Function 00485BD6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0047FF81: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00481755,?,00000000,-00000008), ref: 0047FFE2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00485C3A
__dosmaperr.LIBCMT ref: 00485C41
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00485C7B
__dosmaperr.LIBCMT ref: 00485C82

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 9aaf6ce550409b7ceb9bc536848c2cc3f178fd1d57edb8d6b0cf75e5f425384e
Instruction ID: 1c7d3bafe9134c4956ddb9cb24e40d3fc87f25af1700e9a32dde0a43cc0442f4
Opcode Fuzzy Hash: 9aaf6ce550409b7ceb9bc536848c2cc3f178fd1d57edb8d6b0cf75e5f425384e
Instruction Fuzzy Hash: 2C21B331600B05AFCB21BF62C88186FB7A9EF04368750892FF81997211E738EC008F98

Function 004777F2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d45714b182ada366aa847ebcd22b2328f3bad556fc9c73df54356351a60a69
Instruction ID: d01051a426395d346bcf047f205c5949f021cc6bd0ba93e158772e4837181105
Opcode Fuzzy Hash: 84d45714b182ada366aa847ebcd22b2328f3bad556fc9c73df54356351a60a69
Instruction Fuzzy Hash: 9B219571608105AF9B20BF66CC859EB7769EF00368791C53BF81D97251D738EC10C7AA

Function 00486FCE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00486FD6

Part of subcall function 0047FF81: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00481755,?,00000000,-00000008), ref: 0047FFE2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048700E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048702E

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: c6112499c9e71b9e8adbebb7c476a49eb3679d14281994aec3cdc0d585918836
Instruction ID: 084594cea2ce6d152608e9cb298df14fa7af68ded9d6167ebaca9eaea889e592
Opcode Fuzzy Hash: c6112499c9e71b9e8adbebb7c476a49eb3679d14281994aec3cdc0d585918836
Instruction Fuzzy Hash: A011E1F15096057F672137769DDDCAF3A5CDE973A8720083BF405A1212EA2CCD0192BA

Function 004737D1 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004737D8
std::_Lockit::_Lockit.LIBCPMT ref: 004737E2

Part of subcall function 00465DC0: std::_Lockit::_Lockit.LIBCPMT ref: 00465DEE
Part of subcall function 00465DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00465E19

codecvt.LIBCPMT ref: 0047381C
std::_Lockit::~_Lockit.LIBCPMT ref: 00473853

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 9c54cf91d1604223267b429a23b9d1d04d703e1c00f946324b1e88988d835ca7
Instruction ID: bc3e4d8177cfa2f177da6163c92084a83f621eff51ed223e43e1e49ce957fcbb
Opcode Fuzzy Hash: 9c54cf91d1604223267b429a23b9d1d04d703e1c00f946324b1e88988d835ca7
Instruction Fuzzy Hash: 5D01AD719001158BCB05FFA9C8016FE77B5AF84718F25852FF518AB291DF3C9E008B9A

Function 0048EB10 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000), ref: 0048EB27
GetLastError.KERNEL32(?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000,?,?,?,00487AE6,?), ref: 0048EB33

Part of subcall function 0048EB90: CloseHandle.KERNEL32(FFFFFFFE,0048EB43,?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000,?,?), ref: 0048EBA0

___initconout.LIBCMT ref: 0048EB43

Part of subcall function 0048EB65: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0048EB01,0048DFEC,?,?,004881A0,?,00000000,00000000,?), ref: 0048EB78

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,0048DFFF,00000000,00000001,?,?,?,004881A0,?,00000000,00000000,?), ref: 0048EB58

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c50493373d809740e86fc7daed15e8c8413071190d449f5024daf7c1fdba9a3a
Instruction ID: 95e1d25086ca4366e68c0aefbcc7b2efe4959b84ad915138c6e42883d7f93166
Opcode Fuzzy Hash: c50493373d809740e86fc7daed15e8c8413071190d449f5024daf7c1fdba9a3a
Instruction Fuzzy Hash: 84F0AC36901218BBCF226F96DC18A9E3F26FF593A1F044875FA1995130DA369C209B99

Function 00475145 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00475157
GetCurrentThreadId.KERNEL32 ref: 00475166
GetCurrentProcessId.KERNEL32 ref: 0047516F
QueryPerformanceCounter.KERNEL32(?), ref: 0047517C

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e1599c5150b4f98d13a7a635760fe50ce9a20c2df094ea0cccd13dc78d1fd464
Instruction ID: 23e88c55ad0d04b18723518cc13ea0e30c6d933b6375edb01020aea1c122e6fd
Opcode Fuzzy Hash: e1599c5150b4f98d13a7a635760fe50ce9a20c2df094ea0cccd13dc78d1fd464
Instruction Fuzzy Hash: 44F0B230C0020CEBCB00DBB4CA4899EBBF4FF2C200B9145A6A412E7510EB34AB54DF95

Function 00484786 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004800CA: GetLastError.KERNEL32(00000000,?,0048244D), ref: 004800CE
Part of subcall function 004800CA: SetLastError.KERNEL32(00000000,?,?,00000028,0047CD93), ref: 00480170

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0047A609,?,?,?,00000055,?,-00000050,?,?,?), ref: 00484845
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0047A609,?,?,?,00000055,?,-00000050,?,?), ref: 0048487C

Strings

utf8, xrefs: 0048494E

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: fea9db78eb20ff9c93ab1f99367222ad732be777246f3eaeea49bc6129915368
Instruction ID: 6ff0882bf9fdabbdbd879d6b99111c800b0cf7711d5421d0b330729b63d8b50a
Opcode Fuzzy Hash: fea9db78eb20ff9c93ab1f99367222ad732be777246f3eaeea49bc6129915368
Instruction Fuzzy Hash: D351D475600203AAEB34BB758C42BAF72A8EF85708F144C6BF54597681E77CA94087AD

Function 0047F8F2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0047F7F3,?,?,00000000,00000000,00000000,?), ref: 0047F917

Strings

RCC, xrefs: 0047F931
MOC, xrefs: 0047F929

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dee9e6f8dd43cecb3157927e4654ed4217e8bbf12bbc1fb04cf4456b6861f196
Instruction ID: aacf273ad87053037eee0f2ee250b5e80262e1190cfb0c3cdc9ac514a4bce3ea
Opcode Fuzzy Hash: dee9e6f8dd43cecb3157927e4654ed4217e8bbf12bbc1fb04cf4456b6861f196
Instruction Fuzzy Hash: 0A41ABB1900209AFCF15DF94DC81AEE7BB5FF48304F15806AFA08B7221D339A950CB59

Function 0047F15E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0047F3D5

Strings

csm, xrefs: 0047F468
csm, xrefs: 0047F3F7

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d0fea16c148da2cadb171b8f73f2d37b948b8aa6c9779ccdb1a4bf7152c5118c
Instruction ID: 60677309b4fc16b3834f9c6225f215a1cde70afc6965e1d60a44056a252290d8
Opcode Fuzzy Hash: d0fea16c148da2cadb171b8f73f2d37b948b8aa6c9779ccdb1a4bf7152c5118c
Instruction Fuzzy Hash: 2031C232400215EBCF228F51CC048EB7B66FF29319B14C67BF81C49211D33AC869DB99

Function 00471D11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00471D99
RaiseException.KERNEL32(?,?,?,?), ref: 00471DBE

Part of subcall function 0047525C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00473FDE,?,?,?,?,00473FDE,00001000,0049B2BC,00001000), ref: 004752BD

Part of subcall function 0047CD83: IsProcessorFeaturePresent.KERNEL32(00000017,004783BB,?,?,?,?,00000000), ref: 0047CD9F

Strings

csm, xrefs: 00471D4D

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 9eef2f0c134669b773d39c679938e7ae40b69b18df880f6a308c6cb6c6fbbdcf
Instruction ID: be991f43a420c5592aff97262dd595ce69d1d1b643fb711ae5d7decef8c5de3d
Opcode Fuzzy Hash: 9eef2f0c134669b773d39c679938e7ae40b69b18df880f6a308c6cb6c6fbbdcf
Instruction Fuzzy Hash: 9F218131D00218ABCF34DF99D945AEEB7B8EF44714F14841BE409AB260C678BD45CF85

Function 00465DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00465DEE
std::_Lockit::~_Lockit.LIBCPMT ref: 00465E19

Strings

w[F, xrefs: 00465E26

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: w[F
API String ID: 593203224-1745864701
Opcode ID: 0721264bb60172618612339f82ff54d9911fea4deff55412a148dd09ff1afd1c
Instruction ID: 2ba5543698f4c01052013386e6ab57fef9ff92b828f869d9783392d96aefa015
Opcode Fuzzy Hash: 0721264bb60172618612339f82ff54d9911fea4deff55412a148dd09ff1afd1c
Instruction Fuzzy Hash: 1301BB70D00209DFCB04EFA9D9516ADBBF0FF19304F8144AAE419AB351D7346A54CF59

Function 00471315 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 00471335
_Yarn.LIBCPMT ref: 00471359

Strings

TxI, xrefs: 0047134D

Memory Dump Source

Source File: 00000003.00000002.2424925075.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000003.00000002.2424902540.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424958239.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424980703.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2425010570.00000000004A7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_460000_Solara-3.jbxd

Similarity

API ID: Yarn
String ID: TxI
API String ID: 1767336200-2081576372
Opcode ID: b476040c40a781fb827166763c821fb1797744a10057ea5bab1f7ed9e6851386
Instruction ID: e05c81b54f001cc6b236831335a6d58b07ab347759fc55da3a9ac188726136ed
Opcode Fuzzy Hash: b476040c40a781fb827166763c821fb1797744a10057ea5bab1f7ed9e6851386
Instruction Fuzzy Hash: 53E0652230C2006BFB18A6769C52BF637ECCF00760F10812FFD0E9A5E1ED54AD048558

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Solara-3.0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Solara-3.0.exe_21f26f2be0e9e9802a2c187ddde573df4cf61f70_1d855bed_8f1bc4db-ab38-4420-a0b7-6f92aa229a8b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C33.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E28.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FCF.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Solara-3.0.exe

Function 0049E19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00462080 Relevance: 9.2, APIs: 6, Instructions: 167
fileCOMMON

Function 00486FCE Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 00461F20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
memoryCOMMON

Function 00487A04 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 004881DD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00481912 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00462300 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Function 0047FE37 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00472E60 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 00471740 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 00472E52 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00462380 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 0047FE71 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE