File name:

Solara Bootstrapper.exe

Full analysis: https://app.any.run/tasks/790a7baf-2020-4b9d-8a36-31db67519a72
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: January 07, 2025, 15:10:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
miner
upx
xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:

00A1864355A5EA47902E5757C0D87FD9

SHA1:

4BE5647308E0925FB00FAE068CB4A89A8A449AFC

SHA256:

4289002FD7528974AE7A9BF4D855BFD3812D248A46DBD7F94E7336F260AE7A39

SSDEEP:

196608:E6AEXnVB2t0vW54zu9cQ+6TLwC9tpg9FHh2C32cIPTv3O:E6jFECvW5R9ccTLfYHhhbMv3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds extension to the Windows Defender exclusion list

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Application was injected by another process

      • svchost.exe (PID: 320)
      • lsass.exe (PID: 760)
      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 1068)
      • svchost.exe (PID: 1276)
      • svchost.exe (PID: 1076)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1268)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1452)
      • svchost.exe (PID: 1660)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 1908)
      • dwm.exe (PID: 912)
      • svchost.exe (PID: 1564)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2272)
      • svchost.exe (PID: 2340)
      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 2500)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 2064)
      • svchost.exe (PID: 2748)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 2816)
      • spoolsv.exe (PID: 2652)
      • OfficeClickToRun.exe (PID: 2884)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 2892)
      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 2944)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3164)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 3600)
      • svchost.exe (PID: 3824)
      • dasHost.exe (PID: 3896)
      • svchost.exe (PID: 3704)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 3160)
      • MoUsoCoreWorker.exe (PID: 4712)
      • ctfmon.exe (PID: 4268)
      • svchost.exe (PID: 4168)
      • svchost.exe (PID: 3668)
      • ApplicationFrameHost.exe (PID: 6108)
      • sihost.exe (PID: 1712)
      • svchost.exe (PID: 4176)
      • svchost.exe (PID: 4696)
      • explorer.exe (PID: 4488)
      • svchost.exe (PID: 4436)
      • RuntimeBroker.exe (PID: 4676)
      • RuntimeBroker.exe (PID: 4960)
      • dllhost.exe (PID: 5904)
      • dllhost.exe (PID: 5164)
      • RuntimeBroker.exe (PID: 5820)
      • svchost.exe (PID: 2952)
      • svchost.exe (PID: 1340)
      • svchost.exe (PID: 4200)
      • svchost.exe (PID: 3976)
      • UserOOBEBroker.exe (PID: 3004)
      • svchost.exe (PID: 4456)
      • uhssvc.exe (PID: 2908)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 812)
      • svchost.exe (PID: 2992)
      • svchost.exe (PID: 4512)
      • svchost.exe (PID: 1176)
      • svchost.exe (PID: 3056)
      • dllhost.exe (PID: 1816)
      • svchost.exe (PID: 1612)
      • svchost.exe (PID: 376)
      • RuntimeBroker.exe (PID: 2216)
      • svchost.exe (PID: 1916)
      • WmiPrvSE.exe (PID: 2084)
      • WmiPrvSE.exe (PID: 6384)

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 6800)
      • cmd.exe (PID: 1876)

    • Runs injected code in another process

      • dialer.exe (PID: 6452)
      • dialer.exe (PID: 6272)

    • MINER has been detected (SURICATA)

      • dialer.exe (PID: 3608)
      • svchost.exe (PID: 2192)

    • Connects to the CnC server

      • dialer.exe (PID: 3608)

    • XMRIG has been detected (YARA)

      • dialer.exe (PID: 3608)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)

    • Base64-obfuscated command line is found

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)

    • Starts POWERSHELL.EXE for commands execution

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)
      • xmr new.exe (PID: 6148)
      • Kawpow new.exe (PID: 556)
      • eejhedztifcv.exe (PID: 7036)

    • Executable content was dropped or overwritten

      • Solara Bootstrapper.exe (PID: 5404)
      • kx new.exe (PID: 5836)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • BASE64 encoded PowerShell command has been detected

      • kx new.exe (PID: 5836)
      • Solara Bootstrapper.exe (PID: 5404)

    • Adds/modifies Windows certificates

      • lsass.exe (PID: 760)

    • Script adds exclusion extension to Windows Defender

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Script adds exclusion path to Windows Defender

      • Kawpow new.exe (PID: 556)
      • xmr new.exe (PID: 6148)
      • eejhedztifcv.exe (PID: 7036)

    • Stops a currently running service

      • sc.exe (PID: 6856)
      • sc.exe (PID: 6848)
      • sc.exe (PID: 7004)
      • sc.exe (PID: 7016)
      • sc.exe (PID: 7144)
      • sc.exe (PID: 3224)
      • sc.exe (PID: 7160)
      • sc.exe (PID: 3032)
      • sc.exe (PID: 1536)
      • sc.exe (PID: 6284)
      • sc.exe (PID: 6780)
      • sc.exe (PID: 6788)
      • sc.exe (PID: 6652)
      • sc.exe (PID: 5556)
      • sc.exe (PID: 1520)
      • sc.exe (PID: 6640)
      • sc.exe (PID: 6468)

    • Manipulates environment variables

      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 7104)

    • Starts CMD.EXE for commands execution

      • xmr new.exe (PID: 6148)
      • Kawpow new.exe (PID: 556)
      • eejhedztifcv.exe (PID: 7036)

    • Process uninstalls Windows update

      • wusa.exe (PID: 7024)
      • wusa.exe (PID: 7040)
      • wusa.exe (PID: 6696)

    • Uses powercfg.exe to modify the power settings

      • xmr new.exe (PID: 6148)
      • Kawpow new.exe (PID: 556)
      • eejhedztifcv.exe (PID: 7036)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6456)
      • sc.exe (PID: 1344)
      • sc.exe (PID: 6532)
      • sc.exe (PID: 6796)

    • Starts SC.EXE for service management

      • xmr new.exe (PID: 6148)
      • Kawpow new.exe (PID: 556)
      • eejhedztifcv.exe (PID: 7036)

    • Creates a new Windows service

      • sc.exe (PID: 6728)
      • sc.exe (PID: 7108)

    • Executes as Windows Service

      • eejhedztifcv.exe (PID: 7036)

    • Drops a system driver (possible attempt to evade defenses)

      • eejhedztifcv.exe (PID: 7036)

    • Potential Corporate Privacy Violation

      • dialer.exe (PID: 3608)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2192)
      • dialer.exe (PID: 3608)

    • Connects to unusual port

      • dialer.exe (PID: 3608)

  • INFO

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 4712)
      • svchost.exe (PID: 1076)

    • The process uses the downloaded file

      • explorer.exe (PID: 4488)
      • kx new.exe (PID: 5836)
      • powershell.exe (PID: 4188)
      • powershell.exe (PID: 4628)

    • Reads the time zone

      • WmiPrvSE.exe (PID: 2084)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)

    • Reads the computer name

      • kx new.exe (PID: 5836)
      • SolaraBootstrapper.exe (PID: 3816)
      • Solara Bootstrapper.exe (PID: 5404)

    • Checks supported languages

      • Kawpow new.exe (PID: 556)
      • Solara Bootstrapper.exe (PID: 5404)
      • SolaraBootstrapper.exe (PID: 3816)
      • kx new.exe (PID: 5836)
      • xmr new.exe (PID: 6148)

    • Reads the software policy settings

      • lsass.exe (PID: 760)

    • Process checks computer location settings

      • kx new.exe (PID: 5836)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4188)
      • powershell.exe (PID: 4628)
      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 7104)

    • Disables trace logs

      • SolaraBootstrapper.exe (PID: 3816)

    • Reads the machine GUID from the registry

      • SolaraBootstrapper.exe (PID: 3816)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4188)
      • powershell.exe (PID: 4628)
      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 6588)
      • powershell.exe (PID: 7104)

    • Create files in a temporary directory

      • kx new.exe (PID: 5836)

    • The sample compiled with japanese language support

      • eejhedztifcv.exe (PID: 7036)

    • UPX packer has been detected

      • dialer.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 10963968
UninitializedDataSize: -
EntryPoint: 0x14d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
217
Monitored processes
188
Malicious processes
93
Suspicious processes
4

Behavior graph

Click at the process to see the details
start solara bootstrapper.exe powershell.exe no specs conhost.exe no specs wmiprvse.exe kx new.exe solarabootstrapper.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs kawpow new.exe no specs xmr new.exe wmiprvse.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs wusa.exe no specs conhost.exe no specs wusa.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs eejhedztifcv.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs #MINER dialer.exe #MINER svchost.exe svchost.exe svchost.exe winlogon.exe lsass.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe uhssvc.exe svchost.exe svchost.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe svchost.exe explorer.exe solara bootstrapper.exe no specs svchost.exe runtimebroker.exe svchost.exe mousocoreworker.exe runtimebroker.exe dllhost.exe runtimebroker.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
320C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
376C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHostC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
556"C:\Users\admin\AppData\Local\Temp\Kawpow new.exe" C:\Users\admin\AppData\Local\Temp\Kawpow new.exekx new.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\kawpow new.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
760C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
812C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
912"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1068C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
37 041
Read events
36 740
Write events
172
Delete events
129

Modification events

(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000000800000009000000
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:ETag
Value:
"39929200:054BDF00DCCFDEBE87A180CAB84F81397E68843F417F30B0CA27C37AB3A7B392CA185DEDEDC8247B0A79ABFE4BB43B27875DCB4BA978EAFA89BDD333A41CBA448E3320B5CCC79838565926C25C7F9965AD6330E1D187A45720A18082A44C5394E18E8340D5CD6B5C8463739004FAB91B7ACF082E923DA3D48648F0C81B0285664985791894C6C9D6BB3863252B08A6DA768B54F7DE18108551FEA8853B905C5F2A73A08C89879833B2D0DAEF6B0718CD706FF5DDF0CDD59D2B2198858D89C6D1CFE975B95D98D161C8A46E37DE6D6D6E0576EC467D56A5A1:2F20687AEE"
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:delete valueName:ETagBackup
Value:
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastUpdated
Value:
B3F05604FFD8DA01
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastRefreshAttempted
Value:
FF9DA3671661DB01
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:RefreshInterval
Value:
254
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastHTTPCode
Value:
304
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastDeviceTokenResult
Value:
0
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:LastUserTokenResult
Value:
1
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\FCON
Operation:writeName:QueryStringHash
Value:
2A70AB78415AD217D6CFCC9D78457516FEE0DBC8157446173406B2E94C99669E
Executable files
6
Suspicious files
40
Text files
20
Unknown types
3

Dropped files

PID
Process
Filename
Type
1768svchost.exeC:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pfbinary
MD5:C21ABC1567936BD35F0EBE675B5D3713
SHA256:30F8A9ACDAE6A63EF7D4B80705EEF198EF1FFE79594B82BC36A782DA967ED3A6
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Workxml
MD5:C6086D02F8CE044F5FA07A98303DC7EB
SHA256:8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
5836kx new.exeC:\Users\admin\AppData\Local\Temp\xmr new.exeexecutable
MD5:7D6398EBFB82A24748617189BF4AD691
SHA256:D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
4488explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
1768svchost.exeC:\Windows\Prefetch\SIHCLIENT.EXE-A872A8BF.pfbinary
MD5:5F7CE817178431B2D9932213EA753B94
SHA256:91BAAA78C6B38213DF91B8B33DC45518AF28CB929B5F2010C493A0516A67CF0D
2892svchost.exeC:\Windows\System32\catroot2\edb.logbinary
MD5:A959919948ED212A876CDE6E7BEAEF31
SHA256:FCBFDD3C666C2EECDE046364691FF7A770A1B202066391914A2B7C4B75186FA4
4188powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qjho5zpk.lme.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1768svchost.exeC:\Windows\Prefetch\SOLARABOOTSTRAPPER.EXE-F08BF161.pfbinary
MD5:360635B2B496559563AFA56178C5CAC7
SHA256:74F16BC31E1EB94311C83E0DB310D80B93848B0A11E5D5F46109EAC32E4FC97A
2892svchost.exeC:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
MD5:
SHA256:
4188powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hjnqkttw.kx0.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
37
DNS requests
25
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5340
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5340
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1536
SIHClient.exe
GET
200
104.90.25.175:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1536
SIHClient.exe
GET
200
104.90.25.175:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3820
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3820
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5340
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5340
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
23.38.123.187:443
www.bing.com
AKAMAI-AS
US
whitelisted
1176
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 104.90.25.175
whitelisted
www.bing.com
  • 23.38.123.187
  • 23.38.123.130
  • 23.38.123.133
  • 23.38.123.132
  • 23.38.123.131
  • 23.38.123.183
  • 23.38.123.184
  • 23.38.123.186
  • 23.38.123.134
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.22
  • 20.190.160.20
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.60.190.7
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
3608
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3608
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Solara Bootstrapper.exe