File name:

Solara Bootstrapper.exe

Full analysis: https://app.any.run/tasks/790a7baf-2020-4b9d-8a36-31db67519a72
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: January 07, 2025, 15:10:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
miner
upx
xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:

00A1864355A5EA47902E5757C0D87FD9

SHA1:

4BE5647308E0925FB00FAE068CB4A89A8A449AFC

SHA256:

4289002FD7528974AE7A9BF4D855BFD3812D248A46DBD7F94E7336F260AE7A39

SSDEEP:

196608:E6AEXnVB2t0vW54zu9cQ+6TLwC9tpg9FHh2C32cIPTv3O:E6jFECvW5R9ccTLfYHhhbMv3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds extension to the Windows Defender exclusion list

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 6800)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 1876)

    • Application was injected by another process

      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 320)
      • lsass.exe (PID: 760)
      • dwm.exe (PID: 912)
      • svchost.exe (PID: 1068)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1276)
      • svchost.exe (PID: 1452)
      • svchost.exe (PID: 1660)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 1268)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1076)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 1908)
      • svchost.exe (PID: 2064)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2340)
      • svchost.exe (PID: 2272)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 2500)
      • svchost.exe (PID: 2816)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 2944)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2892)
      • spoolsv.exe (PID: 2652)
      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2748)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 3600)
      • svchost.exe (PID: 3824)
      • svchost.exe (PID: 3704)
      • dasHost.exe (PID: 3896)
      • svchost.exe (PID: 3164)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 4168)
      • sihost.exe (PID: 1712)
      • RuntimeBroker.exe (PID: 4676)
      • svchost.exe (PID: 2952)
      • svchost.exe (PID: 4176)
      • svchost.exe (PID: 4696)
      • svchost.exe (PID: 3668)
      • RuntimeBroker.exe (PID: 4960)
      • dllhost.exe (PID: 5904)
      • explorer.exe (PID: 4488)
      • svchost.exe (PID: 4436)
      • svchost.exe (PID: 1564)
      • dllhost.exe (PID: 5164)
      • svchost.exe (PID: 3160)
      • ctfmon.exe (PID: 4268)
      • ApplicationFrameHost.exe (PID: 6108)
      • RuntimeBroker.exe (PID: 5820)
      • svchost.exe (PID: 3976)
      • MoUsoCoreWorker.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 3004)
      • svchost.exe (PID: 1176)
      • uhssvc.exe (PID: 2908)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 1340)
      • svchost.exe (PID: 4200)
      • svchost.exe (PID: 4456)
      • svchost.exe (PID: 812)
      • svchost.exe (PID: 3056)
      • dllhost.exe (PID: 1816)
      • svchost.exe (PID: 1612)
      • svchost.exe (PID: 2992)
      • svchost.exe (PID: 1916)
      • svchost.exe (PID: 4512)
      • WmiPrvSE.exe (PID: 2084)
      • svchost.exe (PID: 376)
      • RuntimeBroker.exe (PID: 2216)
      • WmiPrvSE.exe (PID: 6384)
      • OfficeClickToRun.exe (PID: 2884)
      • svchost.exe (PID: 2360)

    • Runs injected code in another process

      • dialer.exe (PID: 6452)
      • dialer.exe (PID: 6272)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • dialer.exe (PID: 3608)

    • XMRIG has been detected (YARA)

      • dialer.exe (PID: 3608)

    • Connects to the CnC server

      • dialer.exe (PID: 3608)

  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)

    • BASE64 encoded PowerShell command has been detected

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)

    • Starts POWERSHELL.EXE for commands execution

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)
      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Reads security settings of Internet Explorer

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)

    • Executable content was dropped or overwritten

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Adds/modifies Windows certificates

      • lsass.exe (PID: 760)

    • Script adds exclusion path to Windows Defender

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Script adds exclusion extension to Windows Defender

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Manipulates environment variables

      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 7104)

    • Stops a currently running service

      • sc.exe (PID: 6856)
      • sc.exe (PID: 6848)
      • sc.exe (PID: 7004)
      • sc.exe (PID: 7016)
      • sc.exe (PID: 1536)
      • sc.exe (PID: 6284)
      • sc.exe (PID: 3224)
      • sc.exe (PID: 7144)
      • sc.exe (PID: 7160)
      • sc.exe (PID: 3032)
      • sc.exe (PID: 6780)
      • sc.exe (PID: 6788)
      • sc.exe (PID: 1520)
      • sc.exe (PID: 6652)
      • sc.exe (PID: 5556)
      • sc.exe (PID: 6468)
      • sc.exe (PID: 6640)

    • Starts CMD.EXE for commands execution

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Process uninstalls Windows update

      • wusa.exe (PID: 7024)
      • wusa.exe (PID: 7040)
      • wusa.exe (PID: 6696)

    • Uses powercfg.exe to modify the power settings

      • xmr new.exe (PID: 6148)
      • Kawpow new.exe (PID: 556)
      • eejhedztifcv.exe (PID: 7036)

    • Windows service management via SC.EXE

      • sc.exe (PID: 1344)
      • sc.exe (PID: 6456)
      • sc.exe (PID: 6796)
      • sc.exe (PID: 6532)

    • Starts SC.EXE for service management

      • xmr new.exe (PID: 6148)
      • Kawpow new.exe (PID: 556)
      • eejhedztifcv.exe (PID: 7036)

    • Creates a new Windows service

      • sc.exe (PID: 6728)
      • sc.exe (PID: 7108)

    • Executes as Windows Service

      • eejhedztifcv.exe (PID: 7036)

    • Drops a system driver (possible attempt to evade defenses)

      • eejhedztifcv.exe (PID: 7036)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2192)
      • dialer.exe (PID: 3608)

    • Connects to unusual port

      • dialer.exe (PID: 3608)

    • Potential Corporate Privacy Violation

      • dialer.exe (PID: 3608)

  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)

    • Checks supported languages

      • Solara Bootstrapper.exe (PID: 5404)
      • SolaraBootstrapper.exe (PID: 3816)
      • Kawpow new.exe (PID: 556)
      • kx new.exe (PID: 5836)
      • xmr new.exe (PID: 6148)

    • Reads the computer name

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)
      • SolaraBootstrapper.exe (PID: 3816)

    • Reads the software policy settings

      • lsass.exe (PID: 760)

    • The process uses the downloaded file

      • kx new.exe (PID: 5836)
      • explorer.exe (PID: 4488)
      • powershell.exe (PID: 4188)
      • powershell.exe (PID: 4628)

    • Process checks computer location settings

      • kx new.exe (PID: 5836)

    • Disables trace logs

      • SolaraBootstrapper.exe (PID: 3816)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4188)
      • powershell.exe (PID: 4628)
      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 7104)

    • Reads the time zone

      • WmiPrvSE.exe (PID: 2084)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 4712)
      • svchost.exe (PID: 1076)

    • Reads the machine GUID from the registry

      • SolaraBootstrapper.exe (PID: 3816)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4628)
      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 4188)
      • powershell.exe (PID: 7104)

    • Create files in a temporary directory

      • kx new.exe (PID: 5836)

    • The sample compiled with japanese language support

      • eejhedztifcv.exe (PID: 7036)

    • UPX packer has been detected

      • dialer.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 10963968
UninitializedDataSize: -
EntryPoint: 0x14d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
217
Monitored processes
188
Malicious processes
93
Suspicious processes
4

Behavior graph

Click at the process to see the details
start solara bootstrapper.exe powershell.exe no specs conhost.exe no specs wmiprvse.exe kx new.exe solarabootstrapper.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs kawpow new.exe no specs xmr new.exe wmiprvse.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs wusa.exe no specs conhost.exe no specs wusa.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs eejhedztifcv.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs #MINER dialer.exe #MINER svchost.exe svchost.exe svchost.exe winlogon.exe lsass.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe uhssvc.exe svchost.exe svchost.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe svchost.exe explorer.exe solara bootstrapper.exe no specs svchost.exe runtimebroker.exe svchost.exe mousocoreworker.exe runtimebroker.exe dllhost.exe runtimebroker.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
320C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
376C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHostC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
556"C:\Users\admin\AppData\Local\Temp\Kawpow new.exe" C:\Users\admin\AppData\Local\Temp\Kawpow new.exekx new.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\kawpow new.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
760C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
812C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
912"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1068C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
37 041
Read events
36 740
Write events
172
Delete events
129

Modification events

(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000000800000009000000
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:ETag
Value:
"39929200:054BDF00DCCFDEBE87A180CAB84F81397E68843F417F30B0CA27C37AB3A7B392CA185DEDEDC8247B0A79ABFE4BB43B27875DCB4BA978EAFA89BDD333A41CBA448E3320B5CCC79838565926C25C7F9965AD6330E1D187A45720A18082A44C5394E18E8340D5CD6B5C8463739004FAB91B7ACF082E923DA3D48648F0C81B0285664985791894C6C9D6BB3863252B08A6DA768B54F7DE18108551FEA8853B905C5F2A73A08C89879833B2D0DAEF6B0718CD706FF5DDF0CDD59D2B2198858D89C6D1CFE975B95D98D161C8A46E37DE6D6D6E0576EC467D56A5A1:2F20687AEE"
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:delete valueName:ETagBackup
Value:
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastUpdated
Value:
B3F05604FFD8DA01
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastRefreshAttempted
Value:
FF9DA3671661DB01
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:RefreshInterval
Value:
254
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastHTTPCode
Value:
304
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastDeviceTokenResult
Value:
0
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastUserTokenResult
Value:
1
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:QueryStringHash
Value:
2A70AB78415AD217D6CFCC9D78457516FEE0DBC8157446173406B2E94C99669E
Executable files
6
Suspicious files
40
Text files
20
Unknown types
3

Dropped files

PID
Process
Filename
Type
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Workxml
MD5:5FADF13CCFBDCC5DD728380F7A615B28
SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Workxml
MD5:4838EE953DAB2C7A1BF57E0C6620A79D
SHA256:22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D
5404Solara Bootstrapper.exeC:\Users\admin\AppData\Local\Temp\kx new.exeexecutable
MD5:D9D13FA25E880665FB471A4BE57C494C
SHA256:632E973AB369D51E21B499E440BDD9C4B2FFAAC9E435485A648DE8724E1B19F7
1768svchost.exeC:\Windows\Prefetch\KX NEW.EXE-362D3D6F.pfbinary
MD5:63C15D687D86B38E39D91240BD7E4070
SHA256:BFA4C72F4F283582C4C5AB8BBCE30AA550F22B79E2748203B1F119D127974DFB
1768svchost.exeC:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pfbinary
MD5:C21ABC1567936BD35F0EBE675B5D3713
SHA256:30F8A9ACDAE6A63EF7D4B80705EEF198EF1FFE79594B82BC36A782DA967ED3A6
1768svchost.exeC:\Windows\Prefetch\SOLARA BOOTSTRAPPER.EXE-C27FD181.pfbinary
MD5:7A0B363DCF02F05D649D150A81554D00
SHA256:8ACD4DE09B69B0C62884ACA356AC9CBD86BF40533F1124A8C9B067378ACC4892
4628powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_derc11cw.1dz.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5836kx new.exeC:\Users\admin\AppData\Local\Temp\xmr new.exeexecutable
MD5:7D6398EBFB82A24748617189BF4AD691
SHA256:D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
2892svchost.exeC:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
MD5:
SHA256:
5404Solara Bootstrapper.exeC:\Users\admin\AppData\Local\Temp\SolaraBootstrapper.exeexecutable
MD5:6557BD5240397F026E675AFB78544A26
SHA256:A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
37
DNS requests
25
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1536
SIHClient.exe
GET
200
104.90.25.175:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1536
SIHClient.exe
GET
200
104.90.25.175:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3820
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5340
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3820
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5340
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5340
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5340
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
23.38.123.187:443
www.bing.com
AKAMAI-AS
US
whitelisted
1176
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 104.90.25.175
whitelisted
www.bing.com
  • 23.38.123.187
  • 23.38.123.130
  • 23.38.123.133
  • 23.38.123.132
  • 23.38.123.131
  • 23.38.123.183
  • 23.38.123.184
  • 23.38.123.186
  • 23.38.123.134
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.22
  • 20.190.160.20
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.60.190.7
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
3608
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3608
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Solara Bootstrapper.exe