File name:

Solara.exe

Full analysis: https://app.any.run/tasks/a234c194-e6ec-4073-b8d6-e610f8c256ec
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 07, 2025, 14:54:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
sheetrat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 5 sections
MD5:

4C851D2A8103D3100572B13D71AA0E53

SHA1:

6B608151FACD01D599E8DA2AD9D0E35B012102FE

SHA256:

1E85AD3F472FF4A3694C0B6F8F7A2366E1A509F43B88D10B034BEF2A3A54B5D2

SSDEEP:

98304:heIs6J0goxSXSsKJWGJA16bPSdbmsnfpoj9De70WMjnxX15rhmqhpfnh9VPCqSwm:6sBV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 6148)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 4724)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 6464)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 6296)
      • cmd.exe (PID: 4872)
      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 6504)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 7120)
      • cmd.exe (PID: 5096)
      • cmd.exe (PID: 6328)
      • cmd.exe (PID: 396)
      • cmd.exe (PID: 3680)
      • cmd.exe (PID: 5252)
      • cmd.exe (PID: 6704)
      • cmd.exe (PID: 3920)
      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 6568)
      • cmd.exe (PID: 6848)
      • cmd.exe (PID: 6976)
      • cmd.exe (PID: 648)
      • cmd.exe (PID: 7100)
      • cmd.exe (PID: 3032)
      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 1144)
      • cmd.exe (PID: 128)
      • cmd.exe (PID: 6780)
      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 1856)
      • cmd.exe (PID: 6160)
      • cmd.exe (PID: 1540)
    • SHEETRAT has been detected (SURICATA)

      • Client.exe (PID: 1472)
    • Connects to the CnC server

      • Client.exe (PID: 1472)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Solara.exe (PID: 6428)
      • Client.exe (PID: 1472)
    • Reads security settings of Internet Explorer

      • Solara.exe (PID: 6428)
      • Solara.exe (PID: 6740)
      • Client.exe (PID: 6776)
    • Reads the date of Windows installation

      • Solara.exe (PID: 6428)
      • Client.exe (PID: 6776)
    • Application launched itself

      • Client.exe (PID: 6776)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 6148)
      • schtasks.exe (PID: 4132)
      • schtasks.exe (PID: 1144)
      • cmd.exe (PID: 4724)
      • cmd.exe (PID: 3040)
      • schtasks.exe (PID: 5316)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 6464)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 6296)
      • schtasks.exe (PID: 6272)
      • schtasks.exe (PID: 6708)
      • schtasks.exe (PID: 6848)
      • schtasks.exe (PID: 1380)
      • cmd.exe (PID: 4872)
      • schtasks.exe (PID: 6800)
      • cmd.exe (PID: 7120)
      • schtasks.exe (PID: 3664)
      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 6504)
      • schtasks.exe (PID: 1864)
      • cmd.exe (PID: 3680)
      • schtasks.exe (PID: 6972)
      • schtasks.exe (PID: 732)
      • cmd.exe (PID: 396)
      • schtasks.exe (PID: 4052)
      • cmd.exe (PID: 5252)
      • schtasks.exe (PID: 6284)
      • cmd.exe (PID: 6328)
      • schtasks.exe (PID: 3560)
      • cmd.exe (PID: 6568)
      • schtasks.exe (PID: 3988)
      • cmd.exe (PID: 5096)
      • schtasks.exe (PID: 4724)
      • cmd.exe (PID: 6848)
      • schtasks.exe (PID: 6552)
      • schtasks.exe (PID: 2084)
      • schtasks.exe (PID: 4544)
      • cmd.exe (PID: 6976)
      • schtasks.exe (PID: 6884)
      • cmd.exe (PID: 3920)
      • schtasks.exe (PID: 4908)
      • cmd.exe (PID: 2144)
      • schtasks.exe (PID: 1944)
      • cmd.exe (PID: 6704)
      • schtasks.exe (PID: 6864)
      • cmd.exe (PID: 648)
      • schtasks.exe (PID: 5388)
      • cmd.exe (PID: 7100)
      • schtasks.exe (PID: 7108)
      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 3032)
      • cmd.exe (PID: 1144)
      • schtasks.exe (PID: 5536)
      • cmd.exe (PID: 128)
      • schtasks.exe (PID: 6276)
      • cmd.exe (PID: 6160)
      • cmd.exe (PID: 6780)
      • schtasks.exe (PID: 4996)
      • schtasks.exe (PID: 6236)
      • cmd.exe (PID: 1864)
      • schtasks.exe (PID: 3696)
      • cmd.exe (PID: 3864)
      • schtasks.exe (PID: 3680)
      • schtasks.exe (PID: 236)
      • cmd.exe (PID: 3172)
      • schtasks.exe (PID: 4628)
      • cmd.exe (PID: 1856)
      • cmd.exe (PID: 1540)
      • cmd.exe (PID: 6092)
      • schtasks.exe (PID: 5252)
      • schtasks.exe (PID: 5876)
      • schtasks.exe (PID: 6568)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 1760)
    • Contacting a server suspected of hosting a CnC

      • Client.exe (PID: 1472)
    • Connects to unusual port

      • Client.exe (PID: 1472)
    • The process checks if it is being run in the virtual environment

      • Client.exe (PID: 1472)
    • Starts CMD.EXE for commands execution

      • Client.exe (PID: 1472)
  • INFO

    • Reads the machine GUID from the registry

      • Solara.exe (PID: 6428)
      • Solara.exe (PID: 6740)
    • Reads the computer name

      • Solara.exe (PID: 6428)
      • Solara.exe (PID: 6740)
      • Client.exe (PID: 6776)
      • Client.exe (PID: 1472)
    • Process checks computer location settings

      • Solara.exe (PID: 6428)
      • Client.exe (PID: 6776)
    • Creates files in a temporary directory

      • Solara.exe (PID: 6428)
    • Checks supported languages

      • Solara.exe (PID: 6428)
      • Solara.exe (PID: 6740)
      • Client.exe (PID: 6776)
      • Client.exe (PID: 1472)
    • The process uses the downloaded file

      • Solara.exe (PID: 6428)
      • Client.exe (PID: 6776)
    • Creates files in the program directory

      • Solara.exe (PID: 6740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:07 14:11:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 41984
InitializedDataSize: 2851840
UninitializedDataSize: -
EntryPoint: 0x2c800a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Solara.exe
LegalCopyright:
OriginalFileName: Solara.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
243
Monitored processes
121
Malicious processes
3
Suspicious processes
0

Behavior graph

[Behavior graph is rendered in the full report. Nodes shown: solara.exe (three instances), client.exe (two instances, one tagged #SHEETRAT), repeated cmd.exe / conhost.exe / schtasks.exe groups, wmiapsrv.exe, and svchost.exe.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 128
CMD: SchTaSKs /create /f /sc minute /mo 5 /tn "Eclipse" /tr "C:\Users\admin\xdwdFL Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 128
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "IntelliJ IDEA" /tr "C:\Users\Public\Pictures\xdwdMalwarebytes.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 236
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "IntelliJ IDEA" /tr "C:\Users\Public\Pictures\xdwdMalwarebytes.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 396
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "IntelliJ IDEA" /tr "C:\Users\Public\Pictures\xdwdMalwarebytes.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 648
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "IntelliJ IDEA" /tr "C:\Users\Public\Pictures\xdwdMalwarebytes.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 716
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 732
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "IntelliJ IDEA" /tr "C:\Users\Public\Pictures\xdwdMalwarebytes.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1020
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1144
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "IntelliJ IDEA" /tr "C:\Users\Public\Pictures\xdwdMalwarebytes.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
6 854
Read events
6 834
Write events
20
Delete events
0

Modification events

PID: 6776
Process: Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE
Operation: write
Name: hwid
Value:
MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: AppInit_DLLs
Value:
C:\WINDOWS\xdwd.dll

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: LoadAppInit_DLLs
Value:
1

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: RequireSignedAppInit_DLLs
Value:
0

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value:
C:\Windows\System32\userinit.exe,C:\Users\Public\Pictures\xdwdMalwarebytes.exe

PID: 1472
Process: Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svchost
Value:
C:\Users\admin\xdwdFL Studio.exe

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage
Operation: write
Name: Export
Value:
MSDTC Bridge 4.0.0.0

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage
Operation: write
Name: Export
Value:
ServiceModelEndpoint 3.0.0.0

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage
Operation: write
Name: Export
Value:
ServiceModelOperation 3.0.0.0

PID: 1472
Process: Client.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage
Operation: write
Name: Export
Value:
ServiceModelService 3.0.0.0
Executable files
5
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6428
Process: Solara.exe
Filename: C:\Users\admin\AppData\Local\Temp\Client.exe
Type: executable
MD5: BEE0F9F1198315E6051A7BBCCFDA579B
SHA256: 33F207DD282868D78D71F19E789E095862BB2F98B63ABD6E9EA4C596D51B9326

PID: 6428
Process: Solara.exe
Filename: C:\Users\admin\AppData\Local\Temp\Solara.exe
Type: executable
MD5: FDEDA3EB502D7EEC02277CF08C7D926F
SHA256: 4D73C67DC61543F6116F8C0A8F6794ECE2993E78713793C6E2066285E2607FD0

PID: 1472
Process: Client.exe
Filename: C:\Users\admin\xdwdFL Studio.exe
Type: executable
MD5: BEE0F9F1198315E6051A7BBCCFDA579B
SHA256: 33F207DD282868D78D71F19E789E095862BB2F98B63ABD6E9EA4C596D51B9326

PID: 1472
Process: Client.exe
Filename: C:\Windows\xdwd.dll
Type: executable
MD5: 16E5A492C9C6AE34C59683BE9C51FA31
SHA256: 35C8D022E1D917F1AABDCEAE98097CCC072161B302F84C768CA63E4B32AC2B66

PID: 6740
Process: Solara.exe
Filename: C:\Users\admin\Desktop\CONFIG
Type: binary
MD5: 0284FA0391784125AD3B12BE8C92C6AE
SHA256: 789075B8C810F2B63F86DD1F8B7BE836178AC679A32F2CB2376E013BC78C68C0

PID: 1472
Process: Client.exe
Filename: C:\Users\Public\Pictures\xdwdMalwarebytes.exe
Type: executable
MD5: BEE0F9F1198315E6051A7BBCCFDA579B
SHA256: 33F207DD282868D78D71F19E789E095862BB2F98B63ABD6E9EA4C596D51B9326
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
28
DNS requests
8
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5448 | svchost.exe | GET | 200 | 184.30.230.103:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 973 b | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.230.103:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 973 b | whitelisted
5448 | svchost.exe | GET | 200 | 2.16.164.33:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.33:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5448 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5448 | svchost.exe | 2.16.164.33:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.33:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5448 | svchost.exe | 184.30.230.103:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.230.103:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.164.33
  • 2.16.164.89
  • 2.16.164.16
  • 2.16.164.114
  • 2.16.164.10
  • 2.16.164.34
  • 2.16.164.35
  • 2.16.164.48
  • 2.16.164.40
whitelisted
www.microsoft.com
  • 184.30.230.103
whitelisted
shockall-47924.portmap.host
  • 193.161.193.99
malicious
self.events.data.microsoft.com
  • 13.69.239.79
whitelisted

Threats

PID | Process | Class | Message
 | | Potential Corporate Privacy Violation | ET POLICY DNS Query to a Reverse Proxy Service Observed
 | | Misc activity | ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
1472 | Client.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] SheetRat (Ping)
10 ETPRO signatures available at the full report
No debug info