File name:

Solaris 2.0.zip

Full analysis: https://app.any.run/tasks/eb2a2497-ee74-4015-95b6-0fda7d0ca7be
Verdict: Malicious activity
Analysis date: February 09, 2025, 16:36:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

70689946DB6AED0958F37BA2F17D8271

SHA1:

620748231B1DA670182D7A45660438390A2A7EF3

SHA256:

2F42FC40A52387C55807F6B8317AE35B3CF8C1120F97554A6CF4B1201DF0845E

SSDEEP:

98304:DFT+frTOGwn0OZpk8lw5pDJjta3q6iNCmGMzTOwUTjqyS++pZhuNhgQdIJDhXjeP:fTIqWAMWtdglhP0Fso09+o6Si

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Solaris 2.0.exe (PID: 6952)
    • Creates file in the systems drive root

      • Solaris 2.0.exe (PID: 6952)
      • Solaris.exe (PID: 7040)
      • conhost.exe (PID: 7048)
      • HITBMAP.exe (PID: 7144)
      • cmd.exe (PID: 7108)
      • AFirst.exe (PID: 4128)
      • FIRST3.exe (PID: 2600)
      • wave.exe (PID: 5872)
      • FIRST.exe (PID: 2728)
      • conhost.exe (PID: 5460)
      • FIRST3.exe (PID: 6576)
      • conhost.exe (PID: 3224)
      • conhost.exe (PID: 6056)
      • FIRST.exe (PID: 6760)
      • FIRST3.exe (PID: 6844)
      • ATohou.exe (PID: 936)
      • FIRST3.exe (PID: 7060)
      • conhost.exe (PID: 6380)
      • conhost.exe (PID: 7032)
      • FIRST.exe (PID: 7052)
      • conhost.exe (PID: 6564)
      • Circle2.exe (PID: 3144)
      • RGB2.exe (PID: 6536)
      • conhost.exe (PID: 3612)
      • conhost.exe (PID: 3664)
      • AWave.exe (PID: 3920)
      • conhost.exe (PID: 6732)
      • CircleR.exe (PID: 6508)
      • Circle.exe (PID: 3832)
      • conhost.exe (PID: 6332)
      • conhost.exe (PID: 6452)
      • ARGB.exe (PID: 5572)
      • wave.exe (PID: 6404)
      • Shake.exe (PID: 1400)
      • APurple.exe (PID: 4300)
      • wave.exe (PID: 1172)
      • conhost.exe (PID: 3000)
      • Purple.exe (PID: 5208)
      • Circle.exe (PID: 1224)
      • AWhoa2.exe (PID: 1576)
      • conhost.exe (PID: 5964)
      • Whoa.exe (PID: 6652)
      • conhost.exe (PID: 4360)
      • AWhoa.exe (PID: 640)
      • FIRST3.exe (PID: 6384)
      • conhost.exe (PID: 6484)
      • Squares2.exe (PID: 6432)
      • conhost.exe (PID: 6668)
      • LAST.exe (PID: 6464)
      • conhost.exe (PID: 6700)
      • conhost.exe (PID: 6632)
      • Squares.exe (PID: 6696)
      • Squares3.exe (PID: 6528)
      • rotate.exe (PID: 6724)
    • Executable content was dropped or overwritten

      • Solaris 2.0.exe (PID: 6952)
      • Whoa.exe (PID: 6652)
    • Starts CMD.EXE for commands execution

      • Solaris.exe (PID: 7040)
      • Whoa.exe (PID: 6652)
    • Executing commands from a ".bat" file

      • Solaris.exe (PID: 7040)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7108)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7108)
      • cmd.exe (PID: 6032)
    • There is functionality for taking screenshot (YARA)

      • HITBMAP.exe (PID: 7144)
      • wave.exe (PID: 5872)
      • Circle2.exe (PID: 3144)
      • RGB2.exe (PID: 6536)
  • INFO

    • Manual execution by a user

      • Solaris 2.0.exe (PID: 6896)
      • Solaris 2.0.exe (PID: 6952)
    • Checks supported languages

      • SearchApp.exe (PID: 5064)
      • Solaris 2.0.exe (PID: 6952)
      • Solaris.exe (PID: 7040)
      • HITBMAP.exe (PID: 7144)
      • AFirst.exe (PID: 4128)
      • FIRST3.exe (PID: 2600)
      • wave.exe (PID: 5872)
      • FIRST.exe (PID: 2728)
      • FIRST3.exe (PID: 6576)
      • FIRST.exe (PID: 6760)
      • FIRST3.exe (PID: 6844)
      • FIRST.exe (PID: 7052)
      • FIRST3.exe (PID: 7060)
      • ATohou.exe (PID: 936)
      • RGB2.exe (PID: 6536)
      • Circle2.exe (PID: 3144)
      • CircleR.exe (PID: 6508)
      • Circle.exe (PID: 3832)
      • AWave.exe (PID: 3920)
      • ARGB.exe (PID: 5572)
      • wave.exe (PID: 6404)
      • APurple.exe (PID: 4300)
      • wave.exe (PID: 1172)
      • Shake.exe (PID: 1400)
      • Purple.exe (PID: 5208)
      • Circle.exe (PID: 1224)
      • AWhoa2.exe (PID: 1576)
      • AWhoa.exe (PID: 640)
      • FIRST3.exe (PID: 6384)
      • LAST.exe (PID: 6464)
      • Squares2.exe (PID: 6432)
      • Squares3.exe (PID: 6528)
      • Squares.exe (PID: 6696)
      • rotate.exe (PID: 6724)
      • ExternalLib.exe (PID: 4708)
      • Whoa.exe (PID: 6652)
    • Reads the computer name

      • Solaris 2.0.exe (PID: 6952)
      • AFirst.exe (PID: 4128)
      • ATohou.exe (PID: 936)
      • AWave.exe (PID: 3920)
      • ARGB.exe (PID: 5572)
      • APurple.exe (PID: 4300)
      • AWhoa2.exe (PID: 1576)
      • AWhoa.exe (PID: 640)
    • Process checks computer location settings

      • Solaris 2.0.exe (PID: 6952)
      • SearchApp.exe (PID: 5064)
    • Create files in a temporary directory

      • Solaris.exe (PID: 7040)
    • Reads the software policy settings

      • SearchApp.exe (PID: 5064)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 5064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
233
Monitored processes
106
Malicious processes
3
Suspicious processes
1

Behavior graph

start winrar.exe no specs solaris 2.0.exe no specs solaris 2.0.exe solaris.exe no specs conhost.exe no specs cmd.exe no specs hitbmap.exe no specs ping.exe no specs afirst.exe no specs ping.exe no specs wave.exe no specs ping.exe no specs conhost.exe no specs first.exe no specs first3.exe no specs conhost.exe no specs ping.exe no specs taskkill.exe no specs ping.exe no specs first3.exe no specs ping.exe no specs taskkill.exe no specs ping.exe no specs first.exe no specs ping.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs ping.exe no specs first3.exe no specs ping.exe no specs taskkill.exe no specs taskkill.exe no specs ping.exe no specs first3.exe no specs first.exe no specs ping.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs atohou.exe no specs ping.exe no specs rgb2.exe no specs circle2.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs awave.exe no specs wave.exe no specs circler.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs taskkill.exe no specs taskkill.exe no specs argb.exe no specs circle.exe no specs conhost.exe no specs wave.exe no specs ping.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs apurple.exe no specs purple.exe no specs shake.exe no specs conhost.exe no specs ping.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs whoa.exe circle.exe no specs conhost.exe no specs awhoa2.exe no specs conhost.exe no specs ping.exe no specs cmd.exe no specs externallib.exe no specs taskkill.exe no specs ping.exe no specs taskkill.exe no specs awhoa.exe no specs ping.exe no specs squares.exe no specs squares2.exe no specs conhost.exe no specs squares3.exe no specs conhost.exe no specs rotate.exe no specs conhost.exe no specs last.exe no specs first3.exe no specs conhost.exe no specs ping.exe no specs cmd.exe no specs taskkill.exe no specs searchapp.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
396
CMD:
PING localhost -n 3
Path:
C:\Windows\System32\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
PID:
540
CMD:
taskkill /f /im ExternalLib.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
640
CMD:
C:\AWhoa.exe
Path:
C:\AWhoa.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\awhoa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
836
CMD:
PING localhost -n 2
Path:
C:\Windows\System32\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
PID:
848
CMD:
PING localhost -n 2
Path:
C:\Windows\System32\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
PID:
936
CMD:
PING localhost -n 2
Path:
C:\Windows\System32\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
PID:
936
CMD:
C:\ATohou.exe
Path:
C:\ATohou.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\atohou.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1016
CMD:
PING localhost -n 20
Path:
C:\Windows\System32\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
PID:
1172
CMD:
C:\wave.exe
Path:
C:\wave.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\wave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1216
CMD:
taskkill /f /im FIRST3.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
14 258
Read events
14 192
Write events
50
Delete events
16

Modification events

(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\Solaris 2.0.zip
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(5432) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(5064) SearchApp.exe
Key:
\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\ConstraintIndex
Operation:
write
Name:
CurrentConstraintIndexCabPath
Value:
(PID) Process:
(5064) SearchApp.exe
Key:
\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\AppsConstraintIndex
Operation:
write
Name:
LatestConstraintIndexFolder
Value:
43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C005000610063006B0061006700650073005C004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E005300650061007200630068005F006300770035006E003100680032007400780079006500770079005C004C006F00630061006C00530074006100740065005C0043006F006E00730074007200610069006E00740049006E006400650078005C0041007000700073005F007B00330030006300360036003800330066002D0039006500650033002D0034003700660037002D0062003700340033002D003700610033006300620061003800310065003700340030007D00000030A812C2107BDB01
Executable files
34
Suspicious files
7
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
5432
Process:
WinRAR.exe
Filename:
C:\Users\admin\Desktop\Solaris 2.0.exe
MD5:
SHA256:
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\tasks.txt
Type:
text
MD5: 4173787AC51B8AED10BB422AC44D1202
SHA256: 0AFE41FCA69BF58CB6374C8BFF84218B7692F452915EACF9C3ABA83966376CEB
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\ARGB.exe
Type:
executable
MD5: B9B4D21C68463275560711C8DB325E27
SHA256: 9E8B374C0003DB285076E6E2E8BAF8663CDBF5AAC826BF20EC0456E497F77D4B
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\ALast.exe
Type:
executable
MD5: FD355A1BCE6F75B1903D1909BFC5FE75
SHA256: FBAAA2AB7461723868F0217F1318645970999BA544D6E947AA6F0C47703FF389
PID:
5064
Process:
SearchApp.exe
Filename:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml
Type:
text
MD5: F4BEF75976547E379D0141B7B30F180D
SHA256: 2C68859050A42C252E9D114312D1880AB45A05066B028F639A8A35DC2B0E80EC
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\AFirst.exe
Type:
executable
MD5: E21EB450137C6E787270F58A1074E9BB
SHA256: 2E04CCC256D2F7590AFEAADC7C052AC4B2BE3C7FEBA16F3226979D5A1FB19D48
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\APurple.exe
Type:
executable
MD5: E2100774735D298BA44FE500FD39685E
SHA256: BCEDAFAF4BFC87F26DE5B9B5BEC2CC41155E7C3BA5C0836090EBE9D4E44BB8B7
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\Circle.exe
Type:
executable
MD5: 21A957D9AC67B97B5CB640BCF99BECA8
SHA256: 092CA8EDBC5F03BCFB9C4E181D36DC66DF6130CB061382A9BB17ED8EDD260AFC
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\ATohou.exe
Type:
executable
MD5: 0DC9C5C94A4A198EB09EAD0FAB6A0D04
SHA256: 83C1708EF180844A99673CBB42D2CF4854FC023B5656CBA2D0DB2A755A35ADE3
PID:
6952
Process:
Solaris 2.0.exe
Filename:
C:\Circle2.exe
Type:
executable
MD5: 89C39815003090838EB6B7BD87F5525D
SHA256: 9EBDA86D4ED28999D69C1E0F50FCAB9B191BF15ACC1D9CC0A597263EE36B6610
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
35
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3220
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
6752
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6752
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3220
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.21.65.153:443
www.bing.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted
1176
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 95.101.149.131
  • 2.19.217.218
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 2.21.65.153
  • 2.21.65.132
  • 2.21.65.154
  • 23.212.110.160
  • 23.212.110.163
  • 23.212.110.153
  • 23.212.110.154
  • 23.212.110.155
  • 23.212.110.170
  • 23.212.110.169
  • 23.212.110.171
  • 23.212.110.176
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.136
  • 20.190.160.2
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.64
  • 20.190.160.3
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted

Threats

No threats detected
No debug info