File name:

FakeSolaris.zip

Full analysis: https://app.any.run/tasks/82997589-8e0d-479e-a364-970499118f83
Verdict: Malicious activity
Threats:

Stealers are a group of malicious programs intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focusing on its particular kind of data, such as files, passwords, and cryptocurrency. Stealers are also capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 04, 2024, 23:08:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

7D1CB3F3081B014B1C14516EA641A7F6

SHA1:

0529D0EC0966CF945AEBF96EF635944FA6D89944

SHA256:

B3AF389601017F76351425160F4632CA91CA07682B623BA79B28AA66BCC55844

SSDEEP:

98304:2AMhKqRmE9NRviJBC4K3ALDwW0+bjP611FAwzZEQCQ9LsXig4mHIkflzcdz5O5Uu:8dX7equ0qQs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6372)
      • NotSolaris.exe (PID: 7140)
      • file.exe (PID: 6344)
    • Changes the autorun value in the registry

      • NotSolaris_MBR.exe (PID: 5980)
      • NotSolaris_MBR.exe (PID: 6768)
      • file.exe (PID: 6344)
    • Uses Task Scheduler to run other applications

      • NotSolaris_MBR.exe (PID: 6768)
    • Uses base64 encoding (SCRIPT)

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
    • Detects the decoding of a binary file from Base64 (SCRIPT)

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
    • Actions look like stealing of personal data

      • file.exe (PID: 6344)
      • file.exe (PID: 5408)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • NotSolaris.exe (PID: 7140)
      • cscript.exe (PID: 2580)
      • file.exe (PID: 6344)
    • Starts CMD.EXE for command execution

      • NotSolaris.exe (PID: 7140)
      • NotSolaris.exe (PID: 2584)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6284)
      • cmd.exe (PID: 6204)
    • Executing commands from a ".bat" file

      • NotSolaris.exe (PID: 7140)
      • NotSolaris.exe (PID: 2584)
    • Application launched itself

      • NotSolaris_MBR.exe (PID: 5980)
    • Reads the date of Windows installation

      • NotSolaris_MBR.exe (PID: 5980)
    • Probably fake Windows Update

      • schtasks.exe (PID: 6840)
    • Reads security settings of Internet Explorer

      • NotSolaris_MBR.exe (PID: 5980)
      • solaris (1) (1).exe (PID: 6584)
      • GetHelp.exe (PID: 5044)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2424)
      • cmd.exe (PID: 7140)
    • The process executes VB scripts

      • cmd.exe (PID: 2424)
      • cmd.exe (PID: 7140)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
    • Writes binary data to a Stream object (SCRIPT)

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
    • Saves data to a binary file (SCRIPT)

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
    • Sets XML DOM element text (SCRIPT)

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
  • INFO

    • Creates files or folders in the user directory

      • NotSolaris.exe (PID: 7140)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6372)
      • WinRAR.exe (PID: 4844)
    • Manual execution by a user

      • NotSolaris.exe (PID: 7092)
      • NotSolaris.exe (PID: 7140)
      • WinRAR.exe (PID: 5152)
      • WinRAR.exe (PID: 4844)
      • NotSolaris.exe (PID: 6156)
      • NotSolaris.exe (PID: 2584)
      • NotSolaris_Glitch.exe (PID: 5924)
      • NotSolaris_MBR.exe (PID: 5980)
      • msedge.exe (PID: 6884)
      • Solaris.exe (PID: 4296)
      • Solaris.exe (PID: 4780)
      • solaris (Nikitpad release).exe (PID: 6540)
      • cmd.exe (PID: 2424)
      • cmd.exe (PID: 7140)
      • Polaris.exe (PID: 4080)
      • Polaris.exe (PID: 6496)
      • solaris (1) (1).exe (PID: 6584)
    • Checks supported languages

      • NotSolaris.exe (PID: 7140)
      • NotSolaris.exe (PID: 2584)
      • NotSolaris_MBR.exe (PID: 5980)
      • NotSolaris_MBR.exe (PID: 6768)
      • NotSolaris_Glitch.exe (PID: 5924)
      • solaris (Nikitpad release).exe (PID: 6540)
      • Solaris.exe (PID: 4296)
      • Solaris.exe (PID: 4780)
      • identity_helper.exe (PID: 5052)
      • file.exe (PID: 6344)
      • file.exe (PID: 5408)
      • Polaris.exe (PID: 6496)
      • solaris (1) (1).exe (PID: 6584)
      • identity_helper.exe (PID: 6376)
      • GetHelp.exe (PID: 5044)
    • Creates files in a temporary directory

      • NotSolaris.exe (PID: 7140)
      • NotSolaris.exe (PID: 2584)
      • solaris (Nikitpad release).exe (PID: 6540)
      • cscript.exe (PID: 2580)
      • file.exe (PID: 5408)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4844)
      • cscript.exe (PID: 2580)
    • Reads the computer name

      • NotSolaris_MBR.exe (PID: 5980)
      • identity_helper.exe (PID: 5052)
      • solaris (Nikitpad release).exe (PID: 6540)
      • file.exe (PID: 6344)
      • file.exe (PID: 5408)
      • Polaris.exe (PID: 6496)
      • solaris (1) (1).exe (PID: 6584)
      • identity_helper.exe (PID: 6376)
      • GetHelp.exe (PID: 5044)
    • Process checks computer location settings

      • NotSolaris_MBR.exe (PID: 5980)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6884)
      • msedge.exe (PID: 6724)
      • solaris (1) (1).exe (PID: 6584)
      • msedge.exe (PID: 3372)
      • HelpPane.exe (PID: 2900)
    • Application launched itself

      • msedge.exe (PID: 6884)
      • msedge.exe (PID: 6724)
      • msedge.exe (PID: 3372)
    • Reads Environment values

      • identity_helper.exe (PID: 5052)
      • identity_helper.exe (PID: 6376)
      • GetHelp.exe (PID: 5044)
    • Reads the machine GUID from the registry

      • file.exe (PID: 6344)
      • file.exe (PID: 5408)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2580)
      • cscript.exe (PID: 5944)
      • HelpPane.exe (PID: 2900)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:04:30 03:38:26
ZipCRC: 0xe31e9c18
ZipCompressedSize: 98174
ZipUncompressedSize: 277504
ZipFileName: Dolaris.exe
No data.
All screenshots are available in the full report
Total processes
220
Monitored processes
89
Malicious processes
6
Suspicious processes
2

Behavior graph

start winrar.exe rundll32.exe no specs notsolaris.exe no specs notsolaris.exe conhost.exe no specs cmd.exe no specs timeout.exe no specs winrar.exe no specs winrar.exe notsolaris.exe no specs notsolaris.exe conhost.exe no specs cmd.exe no specs timeout.exe no specs notsolaris_glitch.exe no specs conhost.exe no specs notsolaris_mbr.exe notsolaris_mbr.exe schtasks.exe no specs conhost.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs solaris (nikitpad release).exe no specs solaris.exe no specs solaris.exe no specs cmd.exe no specs conhost.exe no specs findstr.exe no specs cscript.exe file.exe cmd.exe no specs conhost.exe no specs findstr.exe no specs cscript.exe no specs file.exe polaris.exe no specs polaris.exe solaris (1) (1).exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs helppane.exe no specs gethelp.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
240
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4836 --field-trial-handle=2244,i,1412359939562685870,4151952093580173549,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
964
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3404 --field-trial-handle=2264,i,5305470779669402977,16765948827970054749,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID:
1132
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2240 --field-trial-handle=2244,i,1412359939562685870,4151952093580173549,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1420
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
NotSolaris_Glitch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1432
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2536 --field-trial-handle=2264,i,5305470779669402977,16765948827970054749,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1448
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3920 --field-trial-handle=2244,i,1412359939562685870,4151952093580173549,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2080
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7fffd4775fd8,0x7fffd4775fe4,0x7fffd4775ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2132
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
NotSolaris.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2208
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5032 --field-trial-handle=2244,i,1412359939562685870,4151952093580173549,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2212
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
solaris (1) (1).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
30 802
Read events
30 565
Write events
229
Delete events
8

Modification events

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\FakeSolaris.zip

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @C:\WINDOWS\System32\acppage.dll,-6002
Value:
Windows Batch File

(PID) Process: (6372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value:
256
Executable files
33
Suspicious files
260
Text files
135
Unknown types
4

Dropped files

PID | Process | Filename | Type
7140 | NotSolaris.exe | C:\Users\admin\AppData\Roaming\NotSolaris_MBR.exe | executable
MD5: 6B93DD483634877826EA063EF312B063
SHA256: 760B06B2A0C3A69F7F2801E9D3C9AF9F4ED684CE59E2E4CC66707C4B329F8E0A
7140 | NotSolaris.exe | C:\Users\admin\AppData\Roaming\NotSolaris_Invert.exe | executable
MD5: EBB811D0396C06A70FE74D9B23679446
SHA256: 28E979002CB4DB546BF9D9D58F5A55FD8319BE638A0974C634CAE6E7E9DBCD89
6372 | WinRAR.exe | C:\Users\admin\Desktop\FakeSolaris\NotSolaris.exe | executable
MD5: DC0E45108859F4417218E86C5CB3A6B3
SHA256: 4941A7ED8E62514D327EF41A178EA6B6F99005ACC9A1DF45C877D59BBA4FCF60
7140 | NotSolaris.exe | C:\Users\admin\AppData\Roaming\NotSolaris_Tunnel.exe | executable
MD5: 0909DCA5D016F70B982B3A39B92AA0FF
SHA256: 4F74CF50ABB877593CA5FE53281B206ADCF6BDA2FFC9A600ECA0EB1206C5DD6B
7140 | NotSolaris.exe | C:\Users\admin\AppData\Roaming\NotSolaris_Error.exe | executable
MD5: BCDC1A6F1805A6130DFD1913B1659BC2
SHA256: 78E706C684DA0134ACE5FDD5CC5E7263C5F17B905D783F928EB68D558116AAC6
4844 | WinRAR.exe | C:\Users\admin\Desktop\NotSolaris_Glitch.exe | executable
MD5: 47801F0CF73D320054676A56D0264EDB
SHA256: F25853B17EE25C1DF537CD39BA15A338B92B0812833E3A523AA2F90EFBF766E8
7140 | NotSolaris.exe | C:\Users\admin\AppData\Roaming\NotSolaris_Move.exe | executable
MD5: C1978E4080D1EC7E2EDF49D6C9710045
SHA256: C9E2A7905501745C304FFC5A70B290DB40088D9DC10C47A98A953267468284A8
4844 | WinRAR.exe | C:\Users\admin\Desktop\Dolaris.exe | executable
MD5: C180A634C007C39A9D8E83317EB53CDF
SHA256: A238670A6A71AE37D098D57E37776A23D999747C2B2BD293C753566DF20158DA
6768 | NotSolaris_MBR.exe | \Device\Harddisk0\DR0 | -
MD5:
SHA256:
7140 | NotSolaris.exe | C:\Users\admin\AppData\Roaming\NotSolaris_Line.exe | executable
MD5: 50CAEEE44DC92A147CF95FD82EB6E299
SHA256: 81B9A2E3E9EE39F05B585AD871696A946837FCF784D3D4ECD4B9CAEA16560A1E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
113
TCP/UDP connections
76
DNS requests
86
Threats
5

HTTP requests

Method | HTTP Code | IP | URL | Reputation
GET | - | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=38&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown
GET | - | 204.79.197.203:443 | https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531 | unknown
GET | - | 13.107.21.239:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown
GET | - | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown
GET | - | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown
GET | - | 13.107.246.45:443 | https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable | unknown
GET | 304 | 13.107.21.239:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | unknown
GET | 304 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=39&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=0 | unknown
GET | 304 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=39&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown
GET | - | 142.250.185.78:443 | https://www.youtube.com/watch?v=dQw4w9WgXcQ | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5900 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1108 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1108 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4324 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6892 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.142
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
ntp.msn.com
  • 204.79.197.203
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
update.googleapis.com
  • 142.250.184.195
whitelisted
www.youtube.com
  • 142.250.185.110
  • 172.217.23.110
  • 216.58.206.46
  • 216.58.206.78
  • 142.250.185.174
  • 142.250.186.110
  • 142.250.185.238
  • 142.250.184.206
  • 172.217.18.14
  • 142.250.185.206
  • 142.250.185.142
  • 142.250.184.238
  • 142.250.186.174
  • 142.250.186.142
  • 172.217.16.206
  • 142.250.185.78
whitelisted
edgeservices.bing.com
  • 104.126.37.139
  • 104.126.37.177
  • 104.126.37.128
  • 104.126.37.136
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.171
  • 104.126.37.186
whitelisted

Threats

Class | Message
Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
Potentially Bad Traffic | ET DNS Query for .cc TLD
Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
Potentially Bad Traffic | ET DNS Query for .cc TLD
1 ETPRO signature available in the full report
No debug info