File name:

SolaraV3.exe

Full analysis: https://app.any.run/tasks/1b763ce5-04f5-406b-8f13-e29a73c14e95
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets even threat actors with basic skills deploy it and conduct attacks.

Analysis date: July 17, 2025, 23:38:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
uac
blankgrabber
evasion
stealer
screenshot
discord
pyinstaller
discordgrabber
generic
umbralstealer
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 469E67B8D7326761A05A1C55D0E94F03
SHA1: 15195AF4888B42484C450F828A262116837ACC20
SHA256: E2D5E9303965B921F294C7F7A22AC0FB71DE79F8871DE78E6E95C2243B4D79DD
SSDEEP: 98304:0C3CpWj2b/2zFr2ds6YMEwpwtvDmTlvRn1TskDl9ra0FxM/gjAUTTTBLTLriG4Nh:TlgWoiSDcu5GqfMI0jN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 6680)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
    • BlankGrabber has been detected

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 2032)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 6636)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4888)
    • Changes settings for real-time protection

      • powershell.exe (PID: 5240)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 5240)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 5240)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 5240)
    • Changes Windows Defender settings

      • cmd.exe (PID: 4888)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 1356)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 5240)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 5240)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 5240)
    • Adds path to the Windows Defender exclusion list

      • SolaraV3.exe (PID: 6820)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 1356)
    • Create files in the Startup directory

      • SolaraV3.exe (PID: 6820)
    • Actions look like stealing of personal data

      • SolaraV3.exe (PID: 6820)
    • Steals credentials from Web Browsers

      • SolaraV3.exe (PID: 6820)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7816)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7596)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7324)
    • UMBRALSTEALER has been detected (YARA)

      • SolaraV3.exe (PID: 6820)
    • DISCORDGRABBER has been detected (YARA)

      • SolaraV3.exe (PID: 6820)
    • Steals Growtopia credentials and data (YARA)

      • SolaraV3.exe (PID: 6820)
    • BLANKGRABBER has been detected (SURICATA)

      • SolaraV3.exe (PID: 6820)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 6680)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
    • Process drops legitimate windows executable

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
    • The process drops C-runtime libraries

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
    • Process drops python dynamic module

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
    • Executable content was dropped or overwritten

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
      • csc.exe (PID: 7936)
    • Application launched itself

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
    • Starts CMD.EXE for commands execution

      • SolaraV3.exe (PID: 6680)
      • SolaraV3.exe (PID: 6820)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 6764)
      • cmd.exe (PID: 4084)
    • Changes default file association

      • reg.exe (PID: 2032)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 856)
    • Found strings related to reading or modifying Windows Defender settings

      • SolaraV3.exe (PID: 6680)
      • SolaraV3.exe (PID: 6820)
    • Get information on the list of running processes

      • SolaraV3.exe (PID: 6820)
      • cmd.exe (PID: 5432)
      • cmd.exe (PID: 4072)
      • cmd.exe (PID: 3672)
      • cmd.exe (PID: 7392)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4888)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4888)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4888)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 7880)
      • cmd.exe (PID: 7920)
      • cmd.exe (PID: 3932)
      • cmd.exe (PID: 7140)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 1356)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6504)
      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 7424)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 5564)
      • cmd.exe (PID: 7252)
      • cmd.exe (PID: 7784)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4688)
      • WMIC.exe (PID: 7356)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7076)
      • WMIC.exe (PID: 3576)
      • WMIC.exe (PID: 236)
    • Checks for external IP

      • SolaraV3.exe (PID: 6820)
      • svchost.exe (PID: 2200)
    • Executes JavaScript directly as a command

      • cmd.exe (PID: 2716)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7596)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7596)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7596)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7428)
      • cmd.exe (PID: 8148)
      • cmd.exe (PID: 7788)
      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 3108)
      • cmd.exe (PID: 7580)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7488)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7444)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7752)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7936)
    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7816)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 5168)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 4552)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7380)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 5644)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • SolaraV3.exe (PID: 6820)
  • INFO

    • The sample was compiled with English language support

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
    • Checks supported languages

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 6680)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
      • tree.com (PID: 7900)
      • tree.com (PID: 7552)
      • tree.com (PID: 3956)
      • tree.com (PID: 5528)
      • tree.com (PID: 7952)
      • csc.exe (PID: 7936)
      • cvtres.exe (PID: 7888)
      • tree.com (PID: 7924)
      • rar.exe (PID: 5168)
      • MpCmdRun.exe (PID: 7324)
    • Reads the computer name

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
      • MpCmdRun.exe (PID: 7324)
    • Create files in a temporary directory

      • SolaraV3.exe (PID: 4444)
      • SolaraV3.exe (PID: 6680)
      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
      • csc.exe (PID: 7936)
      • cvtres.exe (PID: 7888)
      • MpCmdRun.exe (PID: 7324)
      • rar.exe (PID: 5168)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 6636)
      • WMIC.exe (PID: 4688)
      • WMIC.exe (PID: 7076)
      • WMIC.exe (PID: 3576)
      • WMIC.exe (PID: 7752)
      • WMIC.exe (PID: 7380)
      • WMIC.exe (PID: 8040)
      • WMIC.exe (PID: 236)
      • WMIC.exe (PID: 7356)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 4680)
    • PowerShell gets the current clipboard

      • powershell.exe (PID: 7628)
    • Launching a file from the Startup directory

      • SolaraV3.exe (PID: 6820)
    • Creates files in the program directory

      • SolaraV3.exe (PID: 6820)
    • Checks the directory tree

      • tree.com (PID: 7900)
      • tree.com (PID: 7552)
      • tree.com (PID: 3956)
      • tree.com (PID: 5528)
      • tree.com (PID: 7952)
      • tree.com (PID: 7924)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 440)
      • powershell.exe (PID: 5240)
      • powershell.exe (PID: 5992)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5240)
      • powershell.exe (PID: 440)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 5188)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 7936)
      • rar.exe (PID: 5168)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7632)
    • PyInstaller has been detected (YARA)

      • SolaraV3.exe (PID: 7004)
      • SolaraV3.exe (PID: 6820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

Process: SolaraV3.exe (PID: 6820)
Discord-Webhook-Tokens (1): 1395503310974353609/NEj_NhTCKyE4-rqfpTYPBNkmXpG6hz9DBu8ar0jYNH2SNPaSEhyeL9cXCoxn9bmeIjLe
Discord-Info-Links: 1395503310974353609/NEj_NhTCKyE4-rqfpTYPBNkmXpG6hz9DBu8ar0jYNH2SNPaSEhyeL9cXCoxn9bmeIjLe
Get Webhook Info: https://discord.com/api/webhooks/1395503310974353609/NEj_NhTCKyE4-rqfpTYPBNkmXpG6hz9DBu8ar0jYNH2SNPaSEhyeL9cXCoxn9bmeIjLe
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:17 20:36:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 96768
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Security Init
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: secinit
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: secinit
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
No data.
screenshot
All screenshots are available in the full report
Total processes
271
Monitored processes
135
Malicious processes
11
Suspicious processes
5

Behavior graph

[Behavior graph: interactive process tree, rendered only in the full report. Tagged nodes: #BLANKGRABBER solarav3.exe (two instances) and #UMBRALSTEALER solarav3.exe. Other processes appearing as graph nodes: cmd.exe, conhost.exe, reg.exe, wevtutil.exe, computerdefaults.exe, powershell.exe, tasklist.exe, mshta.exe, wmic.exe, svchost.exe, netsh.exe, tree.com, systeminfo.exe, csc.exe, cvtres.exe, tiworker.exe, mpcmdrun.exe, getmac.exe, rar.exe, slui.exe.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 72
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 236
CMD: wmic path win32_VideoController get name
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 440
CMD: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\SolaraV3.exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 512
CMD: reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\SolaraV3.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 856
CMD: C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
Path: C:\Windows\System32\cmd.exe
Parent process: SolaraV3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1356
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1356
CMD: C:\WINDOWS\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎​ ​ .scr'"
Path: C:\Windows\System32\cmd.exe
Parent process: SolaraV3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1668
CMD: reg delete hkcu\Software\Classes\ms-settings /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1800
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
60 608
Read events
60 596
Write events
8
Delete events
4

Modification events

Process: reg.exe (PID: 2032)
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: write
Name: DelegateExecute
Value:

Process: ComputerDefaults.exe (PID: 6636)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: ComputerDefaults.exe (PID: 6636)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: ComputerDefaults.exe (PID: 6636)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: ComputerDefaults.exe (PID: 6636)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: reg.exe (PID: 1668)
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: delete key
Name: (default)
Value:

Process: reg.exe (PID: 1668)
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation: delete key
Name: (default)
Value:

Process: reg.exe (PID: 1668)
Key: HKEY_CLASSES_ROOT\ms-settings\shell
Operation: delete key
Name: (default)
Value:

Process: reg.exe (PID: 1668)
Key: HKEY_CLASSES_ROOT\ms-settings
Operation: delete key
Name: (default)
Value:

Process: SolaraV3.exe (PID: 6820)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation: write
Name: 1280x720x32(BGR 0)
Value: 31,31,31,31
Executable files
50
Suspicious files
6
Text files
66
Unknown types
10

Dropped files

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_decimal.pyd | Type: executable
MD5: 075329357F31CE615B0A5A33517A6CE5
SHA256: 905EDB2F1127637F636CADA01BA1CABED9EAF9969C0C1DDDC0957ADC1E00AF6D

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_asyncio.pyd | Type: executable
MD5: 9F7B7BF86D9BBD200B191AC870368214
SHA256: 1748DF3BB6615363BDF88A26386171EE83287097A61EA15BE9F6759D800410F7

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_ctypes.pyd | Type: executable
MD5: 2BF2EDC5098398FC151C49781D2ABC8E
SHA256: FBD0BDF3E219D36C49662DB1F2A072B97698FFE8B378379E3930304723A121DC

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_multiprocessing.pyd | Type: executable
MD5: 318E48246DF106D6BDDD1A55CBE67719
SHA256: AAD287DA986E773D51C342CE29F5CA8B9BB2A5B7DCDD7B6C634DAEAA3476F71A

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_overlapped.pyd | Type: executable
MD5: FDDC0FB025570C77ED1B1183AAF65C0A
SHA256: 3B43C890A534681DEFC635CAF9C238E2D5B675D494A8AE9B8508BB8D4FB797A3

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_lzma.pyd | Type: executable
MD5: 638B965707A31690933852E61BDB15F8
SHA256: AE01590F021E5D1109FFB1D2E71E3B1455D9529F3BFDC2FE35143F0256E8597F

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_wmi.pyd | Type: executable
MD5: 15407395AA51E03D0CAEA64FE2686405
SHA256: 91F9D16EA90C7D75CF718591387A9B6ABD1406BE349BAF2898595EAF6EE3E213

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_queue.pyd | Type: executable
MD5: 93E795E81F4D21938F8DD38EB5E22290
SHA256: 470637EE79CF49A439A6767D5710C60B67E19B93FA16BD4D42CD0C0C71504B54

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_sqlite3.pyd | Type: executable
MD5: 117C7027DF4B427DCC683CD18BFC7224
SHA256: B5BCF741C99990A113AC1A5BDB9D00939883E5128005130C7310F05A919BD190

PID: 4444 | Process: SolaraV3.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI44442\_ssl.pyd | Type: executable
MD5: 658A6BEF82AF7EAAF5913CC2ACFB7917
SHA256: 6F621B33707040465AA5EF34733832C08C15B94633818AF5D8DBC003D6EA9392
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
19
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6820
SolaraV3.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2528
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6820
SolaraV3.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
7240
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7240
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2216
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6820
SolaraV3.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
6820
SolaraV3.exe
216.58.206.67:443
gstatic.com
GOOGLE
US
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
blank-83qey.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 216.58.206.67
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.67
  • 40.126.31.3
  • 20.190.159.2
  • 20.190.159.23
  • 40.126.31.2
  • 20.190.159.71
  • 40.126.31.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.137.232
  • 162.159.135.232
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6820
SolaraV3.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2200
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6820
SolaraV3.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6820
SolaraV3.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2200
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
6820
SolaraV3.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
6820
SolaraV3.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info