File name:

Solara.exe

Full analysis: https://app.any.run/tasks/68e320e0-6a0b-4d54-8dcc-cc7177a5be4d
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: January 12, 2025, 05:39:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
exela
stealer
python
discord
arch-doc
screenshot
miner
pyinstaller
susp-powershell
ims-api
generic
discordgrabber
growtopia
upx
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

CC6D7A6B17FEBE201B7F7D26CE944C08

SHA1:

231E8439C0FACCA7CC4B730BF950351D48E3A7C2

SHA256:

B1883486B5E6DA993AF6DEB6F4D0F524CCDC6317BDC32ED50DCCD1799867A3BD

SSDEEP:

98304:5VyLcVe8Nf9TxXi5D2iZ5kRAGTrn8vwj6rj+BD/qQP61LZeg9Z3R6Msw5pxxYxwR:cfXUGVo5G8/YIbgPyUmwfXNWMM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • Solara.exe (PID: 628)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5640)
      • powershell.exe (PID: 6076)
      • powershell.exe (PID: 1544)

    • Changes powershell execution policy (Bypass)

      • Solara.exe (PID: 628)
      • cmd.exe (PID: 2072)

    • Changes the autorun value in the registry

      • Solara.exe (PID: 628)

    • Create files in the Startup directory

      • Exela.exe (PID: 4244)

    • Steals credentials from Web Browsers

      • Exela.exe (PID: 4244)

    • Actions looks like stealing of personal data

      • Exela.exe (PID: 4244)

    • ExelaStealer has been detected

      • Exela.exe (PID: 4244)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 4052)
      • net.exe (PID: 1988)
      • cmd.exe (PID: 1580)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 5036)
      • cmd.exe (PID: 1580)
      • net.exe (PID: 3912)
      • net.exe (PID: 4120)

    • Adds extension to the Windows Defender exclusion list

      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • DISCORDGRABBER has been detected (YARA)

      • Exela.exe (PID: 4244)

    • GROWTOPIA has been detected (YARA)

      • Exela.exe (PID: 4244)

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 5780)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2192)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • Solara.exe (PID: 628)

    • Reads security settings of Internet Explorer

      • Solara.exe (PID: 628)

    • Starts POWERSHELL.EXE for commands execution

      • Solara.exe (PID: 628)
      • Solara.exe (PID: 3640)
      • cmd.exe (PID: 4872)
      • cmd.exe (PID: 2072)
      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Script adds exclusion path to Windows Defender

      • Solara.exe (PID: 628)
      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Executable content was dropped or overwritten

      • Solara.exe (PID: 628)
      • Exela.exe (PID: 3288)
      • Exela.exe (PID: 4244)
      • csc.exe (PID: 1740)
      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Starts process via Powershell

      • powershell.exe (PID: 1412)

    • Starts a Microsoft application from unusual location

      • Exela.exe (PID: 3288)
      • Exela.exe (PID: 4244)

    • Process drops legitimate windows executable

      • Exela.exe (PID: 3288)
      • Solara.exe (PID: 628)
      • Exela.exe (PID: 4244)

    • The process drops C-runtime libraries

      • Exela.exe (PID: 3288)

    • Process drops python dynamic module

      • Exela.exe (PID: 3288)

    • Application launched itself

      • Exela.exe (PID: 3288)
      • cmd.exe (PID: 556)
      • cmd.exe (PID: 5388)

    • Get information on the list of running processes

      • Exela.exe (PID: 4244)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 4500)
      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 1412)
      • cmd.exe (PID: 1580)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5472)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 5640)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 5304)
      • cmd.exe (PID: 880)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 5712)

    • Loads Python modules

      • Exela.exe (PID: 4244)

    • Starts CMD.EXE for commands execution

      • Exela.exe (PID: 4244)
      • cmd.exe (PID: 556)
      • cmd.exe (PID: 5388)
      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5728)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5696)
      • WMIC.exe (PID: 2008)
      • WMIC.exe (PID: 5588)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 1988)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1580)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2260)

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • Exela.exe (PID: 4244)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 3564)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 1580)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 1580)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 1580)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 1580)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 1580)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1580)
      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2800)
      • sc.exe (PID: 2280)
      • sc.exe (PID: 2792)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 1580)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 2072)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2072)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1740)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 2072)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Exela.exe (PID: 4244)

    • Script adds exclusion extension to Windows Defender

      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 1544)

    • Manipulates environment variables

      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 4672)

    • Stops a currently running service

      • sc.exe (PID: 2280)
      • sc.exe (PID: 3564)
      • sc.exe (PID: 5000)
      • sc.exe (PID: 3224)
      • sc.exe (PID: 444)
      • sc.exe (PID: 2436)
      • sc.exe (PID: 5680)
      • sc.exe (PID: 3612)
      • sc.exe (PID: 5748)
      • sc.exe (PID: 2408)
      • sc.exe (PID: 3040)

    • Process uninstalls Windows update

      • wusa.exe (PID: 2512)
      • wusa.exe (PID: 5536)

    • Uses powercfg.exe to modify the power settings

      • Solara.exe (PID: 3560)
      • rdqanwpudvuj.exe (PID: 5000)

    • Creates a new Windows service

      • sc.exe (PID: 2624)

    • Executes as Windows Service

      • rdqanwpudvuj.exe (PID: 5000)

    • Drops a system driver (possible attempt to evade defenses)

      • rdqanwpudvuj.exe (PID: 5000)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2192)

  • INFO

    • Checks supported languages

      • Solara.exe (PID: 628)
      • Solara.exe (PID: 3640)
      • Exela.exe (PID: 3288)
      • Solara.exe (PID: 3560)
      • Exela.exe (PID: 4244)
      • chcp.com (PID: 5728)
      • chcp.com (PID: 1512)
      • csc.exe (PID: 1740)
      • cvtres.exe (PID: 1476)
      • rdqanwpudvuj.exe (PID: 5000)

    • Process checks computer location settings

      • Solara.exe (PID: 628)

    • Reads the computer name

      • Solara.exe (PID: 628)
      • Exela.exe (PID: 3288)
      • Exela.exe (PID: 4244)

    • The process uses the downloaded file

      • powershell.exe (PID: 1412)
      • Solara.exe (PID: 628)
      • powershell.exe (PID: 4672)

    • The executable file from the user directory is run by the Powershell process

      • Solara.exe (PID: 3560)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5640)
      • powershell.exe (PID: 6076)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 4672)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5640)
      • powershell.exe (PID: 6076)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 4672)

    • Create files in a temporary directory

      • Solara.exe (PID: 628)
      • Exela.exe (PID: 3288)
      • Exela.exe (PID: 4244)
      • csc.exe (PID: 1740)
      • cvtres.exe (PID: 1476)

    • Reads the machine GUID from the registry

      • Solara.exe (PID: 628)
      • Exela.exe (PID: 4244)
      • csc.exe (PID: 1740)

    • The sample compiled with english language support

      • Exela.exe (PID: 3288)
      • Solara.exe (PID: 628)
      • Exela.exe (PID: 4244)

    • Checks operating system version

      • Exela.exe (PID: 4244)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5696)
      • WMIC.exe (PID: 5472)
      • WMIC.exe (PID: 5740)
      • WMIC.exe (PID: 4668)
      • WMIC.exe (PID: 3612)
      • WMIC.exe (PID: 444)
      • WMIC.exe (PID: 2008)
      • WMIC.exe (PID: 5588)
      • notepad.exe (PID: 3620)
      • notepad.exe (PID: 5388)
      • notepad.exe (PID: 2076)
      • notepad.exe (PID: 5304)
      • notepad.exe (PID: 5548)
      • notepad.exe (PID: 5888)
      • rundll32.exe (PID: 5604)
      • rundll32.exe (PID: 6572)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 3692)

    • Creates files or folders in the user directory

      • Exela.exe (PID: 4244)

    • Changes the display of characters in the console

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 1988)

    • Reads the time zone

      • net1.exe (PID: 5740)
      • net1.exe (PID: 3612)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 4764)

    • PyInstaller has been detected (YARA)

      • Exela.exe (PID: 3288)
      • Exela.exe (PID: 4244)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Exela.exe (PID: 4244)

    • Attempting to use instant messaging service

      • Exela.exe (PID: 4244)

    • Manual execution by a user

      • notepad.exe (PID: 5388)
      • notepad.exe (PID: 2076)
      • notepad.exe (PID: 3620)
      • notepad.exe (PID: 5304)
      • notepad.exe (PID: 5548)
      • rundll32.exe (PID: 5604)
      • notepad.exe (PID: 5888)
      • rundll32.exe (PID: 6376)
      • rundll32.exe (PID: 6472)
      • rundll32.exe (PID: 6572)
      • rundll32.exe (PID: 6668)

    • UPX packer has been detected

      • Exela.exe (PID: 4244)

    • Application based on Rust

      • Exela.exe (PID: 4244)

    • Creates files in the program directory

      • Solara.exe (PID: 3560)

    • The sample compiled with japanese language support

      • rdqanwpudvuj.exe (PID: 5000)

    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 5604)
      • rundll32.exe (PID: 6572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:22 17:14:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 14117376
InitializedDataSize: 272384
UninitializedDataSize: -
EntryPoint: 0xd7883e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Solara.exe
LegalCopyright:
OriginalFileName: Solara.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
285
Monitored processes
163
Malicious processes
9
Suspicious processes
5

Behavior graph

Click at the process to see the details
start solara.exe powershell.exe no specs conhost.exe no specs solara.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs solara.exe exela.exe #EXELASTEALER exela.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs #MINER svchost.exe tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs powershell.exe no specs conhost.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs rdqanwpudvuj.exe powershell.exe no specs conhost.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs rundll32.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs wusa.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
444wmic startup get caption,command C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
444C:\WINDOWS\system32\sc.exe stop dosvcC:\Windows\System32\sc.exeSolara.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1062
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
556C:\WINDOWS\system32\cmd.exe /c "cmd.exe /c chcp"C:\Windows\System32\cmd.exeExela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
628"C:\Users\admin\Desktop\Solara.exe" C:\Users\admin\Desktop\Solara.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\solara.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
876\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
880C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"C:\Windows\System32\cmd.exeExela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1356tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1412C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\admin\AppData\Local\Temp\Solara.exe" -Verb runAsC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSolara.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
Total events
65 481
Read events
65 447
Write events
34
Delete events
0

Modification events

(PID) Process:(628) Solara.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Solara
Value:
C:\Users\admin\AppData\Local\Temp\Solara.exe
(PID) Process:(628) Solara.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Exela
Value:
C:\Users\admin\AppData\Local\Temp\Exela.exe
(PID) Process:(4864) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31155380
(PID) Process:(4864) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
(PID) Process:(3560) Solara.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:writeName:DontOfferThroughWUAU
Value:
1
(PID) Process:(5000) rdqanwpudvuj.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:writeName:DontOfferThroughWUAU
Value:
1
(PID) Process:(5604) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
Operation:writeName:pngfile
Value:
(PID) Process:(5604) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-1693682860-607145093-2874071422-1001-MergedResources-0.pri\1d8b7afeb5c569c\55e3c056
Operation:writeName:@{microsoft.screensketch_10.1907.2471.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.screensketch/files/assets/screensketchsquare44x44logo.png}
Value:
C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png
(PID) Process:(6572) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids
Operation:writeName:jpegfile
Value:
Executable files
40
Suspicious files
21
Text files
58
Unknown types
0

Dropped files

PID
Process
Filename
Type
5640powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:CF213AE736DFAADACEA60F5CFB456317
SHA256:74EB4E416FB7DD6F01A162ABE06C7F2BA8286BA363C09EB13094016A62CC083A
5640powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tsdfzs4p.brq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3288Exela.exeC:\Users\admin\AppData\Local\Temp\_MEI32882\_ctypes.pydexecutable
MD5:4B90108FABDD64577A84313C765A2946
SHA256:E1B634628839A45AB08913463E07B6B6B7FD502396D768F43B21DA2875B506A1
3288Exela.exeC:\Users\admin\AppData\Local\Temp\_MEI32882\VCRUNTIME140.dllexecutable
MD5:870FEA4E961E2FBD00110D3783E529BE
SHA256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
3288Exela.exeC:\Users\admin\AppData\Local\Temp\_MEI32882\_cffi_backend.cp310-win_amd64.pydexecutable
MD5:7727212E7BDBF63B1A39FB7FAAD24265
SHA256:B0116303E1E903D6EB02A69D05879F38AF1640813F4B110CB733FFFF6E4E985C
1412powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qgqp0xxt.jgd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6076powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rf5bweqp.xjw.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3288Exela.exeC:\Users\admin\AppData\Local\Temp\_MEI32882\_asyncio.pydexecutable
MD5:7D4F9A2B793E021F7E37B8448751ED4E
SHA256:2293C1B6B0B901832A57A1C4DCB1265C9E92D21177195712C30632A7B63227D4
3288Exela.exeC:\Users\admin\AppData\Local\Temp\_MEI32882\_bz2.pydexecutable
MD5:6250A28B9D0BFEFC1254BD78ECE7AE9F
SHA256:7D43F7105AA4F856239235C67F61044493EE6F95DDF04533189BF5EA98073F0B
628Solara.exeC:\Users\admin\AppData\Local\Temp\Exela.exeexecutable
MD5:0615D49BE12C174704A3DAAD945F7B56
SHA256:573A7F2FA701A7630318119D9E6D916CB8A0ACD87A0A2797B7197E9AE85C0071
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
28
DNS requests
14
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.19.198.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
876
svchost.exe
GET
200
2.19.198.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
876
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4244
Exela.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
shared
POST
204
162.159.138.232:443
https://discordapp.com/api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9
unknown
whitelisted
POST
204
162.159.135.232:443
https://discordapp.com/api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9
unknown
whitelisted
POST
204
162.159.135.232:443
https://discordapp.com/api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9
unknown
whitelisted
GET
404
45.112.123.126:443
https://api.gofile.io/getServer
unknown
text
14 b
whitelisted
POST
200
162.159.128.233:443
https://discordapp.com/api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9
unknown
binary
1.10 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
876
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.19.198.43:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
876
svchost.exe
2.19.198.43:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
876
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
876
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.198.43
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ip-api.com
  • 208.95.112.1
shared
discordapp.com
  • 162.159.134.233
  • 162.159.135.233
  • 162.159.130.233
  • 162.159.133.233
  • 162.159.129.233
whitelisted
pool.hashvault.pro
  • 192.248.189.11
  • 80.240.16.67
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.91.7.6
whitelisted
store1.gofile.io
  • 45.112.123.227
whitelisted
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
4244
Exela.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
4244
Exela.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
4244
Exela.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2192
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
2192
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
4244
Exela.exe
Misc activity
ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2192
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Solara.exe