File name:

bootstrapper.exe

Full analysis: https://app.any.run/tasks/19acca8a-7370-48ab-8c91-455317917a71
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 19, 2024, 20:05:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
evasion
stealer
xworm
remote
loader
qrcode
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

5F7CCCEBD1E6D445CC87A08A85012DDD

SHA1:

70779F96E6BF2D89D0FB3734D8D868CF78941229

SHA256:

A0A4F7B86592CB84BCD7FC67C85EAABFEDE05D9AD95910C94CE8C7D528F1605D

SSDEEP:

12288:oaOOQCnm+C0gy8XaHmnvdDWDkQ7txwxTz+Xc/FxYALvau6jIwELhj1TWq7yOLsjo:oaOOlnm+C0e+wvdDekctxSt+KypZwjx9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 6460)
      • powershell.exe (PID: 6652)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 6452)
      • powershell.exe (PID: 208)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 5148)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Actions looks like stealing of personal data

      • bootstrapper.exe (PID: 2324)

    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 6652)

    • Adds process to the Windows Defender exclusion list

      • powershell.exe (PID: 6652)

    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 6652)

    • XWORM has been detected (YARA)

      • powershell.exe (PID: 6652)

    • XWORM has been detected (SURICATA)

      • powershell.exe (PID: 6652)

    • Create files in the Startup directory

      • powershell.exe (PID: 6652)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • bootstrapper.exe (PID: 6680)
      • powershell.exe (PID: 6652)
      • msiexec.exe (PID: 5304)

    • Reads the date of Windows installation

      • bootstrapper.exe (PID: 6680)
      • bootstrapper.exe (PID: 2324)

    • Reads security settings of Internet Explorer

      • bootstrapper.exe (PID: 6680)
      • bootstrapper.exe (PID: 2324)
      • msiexec.exe (PID: 6664)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 6460)

    • Executing commands from a ".bat" file

      • bootstrapper.exe (PID: 6680)
      • wscript.exe (PID: 6504)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Starts CMD.EXE for commands execution

      • bootstrapper.exe (PID: 6680)
      • wscript.exe (PID: 6504)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 6460)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6728)
      • powershell.exe (PID: 6864)
      • cmd.exe (PID: 6460)
      • powershell.exe (PID: 6652)

    • The process executes VB scripts

      • powershell.exe (PID: 6864)

    • Application launched itself

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6504)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6652)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 6652)

    • Script adds exclusion process to Windows Defender

      • powershell.exe (PID: 6652)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • powershell.exe (PID: 6652)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 6652)

    • Connects to unusual port

      • powershell.exe (PID: 6652)

    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 6652)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 5304)

    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 5304)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5304)

  • INFO

    • Process checks computer location settings

      • bootstrapper.exe (PID: 6680)
      • bootstrapper.exe (PID: 2324)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 6452)
      • powershell.exe (PID: 208)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 5148)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6200)
      • powershell.exe (PID: 208)
      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 5148)
      • powershell.exe (PID: 6452)

    • Reads Environment values

      • bootstrapper.exe (PID: 2324)

    • Reads the computer name

      • bootstrapper.exe (PID: 2324)
      • bootstrapper.exe (PID: 6680)
      • msiexec.exe (PID: 5304)
      • msiexec.exe (PID: 6520)
      • msiexec.exe (PID: 6664)

    • Checks supported languages

      • bootstrapper.exe (PID: 2324)
      • bootstrapper.exe (PID: 6680)
      • msiexec.exe (PID: 5304)
      • msiexec.exe (PID: 6520)
      • msiexec.exe (PID: 6664)

    • Reads the machine GUID from the registry

      • bootstrapper.exe (PID: 2324)
      • msiexec.exe (PID: 5304)

    • Disables trace logs

      • bootstrapper.exe (PID: 2324)
      • powershell.exe (PID: 6652)

    • Reads the software policy settings

      • bootstrapper.exe (PID: 2324)
      • msiexec.exe (PID: 5304)

    • Checks proxy server information

      • bootstrapper.exe (PID: 2324)
      • powershell.exe (PID: 6652)

    • Create files in a temporary directory

      • bootstrapper.exe (PID: 6680)
      • bootstrapper.exe (PID: 2324)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5304)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5304)

    • Application launched itself

      • msiexec.exe (PID: 5304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(6652) powershell.exe
C2147.185.221.22:11860
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameRobloxCheat
MutexdOoVA8ci3v2Q40F5
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 1536
InitializedDataSize: 654336
UninitializedDataSize: -
EntryPoint: 0x143d
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
32
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start bootstrapper.exe cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs #XWORM powershell.exe bootstrapper.exe conhost.exe no specs svchost.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs bootstrapper.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
420\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exebootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1108\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1344C:\WINDOWS\system32\net1 file C:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324"C:\Users\admin\Desktop\bootstrapper.exe" C:\Users\admin\Desktop\bootstrapper.exe
powershell.exe
User:
admin
Integrity Level:
HIGH
Description:
SolaraBootstrapper
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2400\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3268net file C:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
5148"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
5304C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
74 452
Read events
71 545
Write events
2 905
Delete events
2

Modification events

(PID) Process:(6680) bootstrapper.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6680) bootstrapper.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6680) bootstrapper.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6680) bootstrapper.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6864) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6864) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6864) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6864) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6200) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6200) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
15
Suspicious files
691
Text files
1 040
Unknown types
11

Dropped files

PID
Process
Filename
Type
6200powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xq3kpaaw.efg.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6200powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:75237D93D16AE4139823754000E3CA3A
SHA256:16EDBC792B7263DFEA8B2270F0E23D0F64A19B0EC7C90E31938EF8BC5E17EC8B
6200powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yweaenzn.0ce.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6864powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kgwp0z3c.3ti.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6864powershell.exeC:\Users\admin\AppData\Roaming\startup_str_541.vbstext
MD5:005235B61E53D21BCB74A525E1A9477F
SHA256:13917EA031FBFB2E06B6DBFF5903EDE423E6C87FA2490BBFA974E1F9521EAB46
6864powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ur3y3pr1.av4.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6452powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qzuyrzx4.fx4.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6200powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4jqyouc.zsl.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vbrszigy.zgj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
208powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_foyltw2r.3hx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
11
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6652
powershell.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
GET
200
128.116.123.3:443
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
unknown
binary
119 b
GET
200
104.21.93.27:443
https://getsolara.dev/asset/discord.json
unknown
binary
103 b
GET
200
104.20.22.46:443
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
unknown
executable
30.0 Mb
GET
307
104.20.22.46:443
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
unknown
text
15 b
GET
200
104.20.3.235:443
https://pastebin.com/raw/xr5Gb4Bn
unknown
binary
497 b
5304
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
unknown
whitelisted
5304
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAOO2y%2FG5AVzGnYPFRYUTIU%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1292
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
1616
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1292
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2324
bootstrapper.exe
172.67.203.125:443
getsolara.dev
CLOUDFLARENET
US
unknown
6652
powershell.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2324
bootstrapper.exe
172.67.19.24:443
pastebin.com
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
getsolara.dev
  • 172.67.203.125
  • 104.21.93.27
unknown
ip-api.com
  • 208.95.112.1
shared
pastebin.com
  • 172.67.19.24
  • 104.20.4.235
  • 104.20.3.235
shared
clientsettings.roblox.com
  • 128.116.123.3
whitelisted
www.nodejs.org
  • 104.20.23.46
  • 104.20.22.46
whitelisted
nodejs.org
  • 104.20.23.46
  • 104.20.22.46
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2256
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
6652
powershell.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
6652
powershell.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
6652
powershell.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bootstrapper.exe