File name:

0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe

Full analysis: https://app.any.run/tasks/11caef2a-a147-44ac-846e-850486affb9a
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: March 25, 2025, 00:04:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
guloader
snake
keylogger
evasion
stealer
telegram
autorun-download
ims-api
generic
advancedinstaller
pastebin
phishing-ml
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

D0074EDAB5CEE4B432BF2E9F075E6301

SHA1:

71A829B476596AD54566C823499B1BFDFA86AE3E

SHA256:

0FF51F1BFCEF0CABF76AF8A2C9BB5C01AEF4940A97C9B5CEBE83CDDF62D5BE77

SSDEEP:

24576:9G3VZ4D6o/QBl6tmlUc/TqCWIgA1QLQjzt:E3VZ4D6o/QBl6tmlUc/TqCWIgA1QLQjx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GULOADER has been found (auto)

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Steals credentials from Web Browsers

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Actions look like stealing of personal data

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • certutil.exe (PID: 7468)
      • HTTPDebuggerSvc.exe (PID: 2136)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • msiexec.exe (PID: 8836)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
    • Application launched itself

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
    • Executable content was dropped or overwritten

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • HTTPDebuggerSvc.exe (PID: 2136)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
    • Reads security settings of Internet Explorer

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • msiexec.exe (PID: 8876)
      • HTTPDebuggerUI.exe (PID: 5020)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
      • ShellExperienceHost.exe (PID: 7812)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Checks for external IP

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • svchost.exe (PID: 2196)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • There is functionality for taking screenshots (YARA)

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • HTTPDebuggerUI.exe (PID: 5020)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • The process verifies whether the antivirus software is installed

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8996)
      • HTTPDebuggerSvc.exe (PID: 2136)
    • Creates files in the driver directory

      • HTTPDebuggerSvc.exe (PID: 2136)
    • Drops a system driver (possible attempt to evade defenses)

      • HTTPDebuggerSvc.exe (PID: 2136)
      • msiexec.exe (PID: 8836)
    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 8768)
      • msiexec.exe (PID: 8836)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8836)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 8756)
    • Reads Microsoft Outlook installation path

      • HTTPDebuggerUI.exe (PID: 5020)
    • Reads Internet Explorer settings

      • HTTPDebuggerUI.exe (PID: 5020)
    • Adds/modifies Windows certificates

      • HTTPDebuggerSvc.exe (PID: 2136)
  • INFO

    • Checks supported languages

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 8836)
      • HTTPDebuggerSvc.exe (PID: 2136)
      • msiexec.exe (PID: 5304)
      • HTTPDebuggerSvc.exe (PID: 6112)
      • HTTPDebuggerUI.exe (PID: 5020)
      • certutil.exe (PID: 7468)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
      • ShellExperienceHost.exe (PID: 7812)
      • identity_helper.exe (PID: 8104)
    • Reads the computer name

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • msiexec.exe (PID: 8836)
      • msiexec.exe (PID: 8876)
      • HTTPDebuggerSvc.exe (PID: 2136)
      • msiexec.exe (PID: 5304)
      • HTTPDebuggerSvc.exe (PID: 6112)
      • HTTPDebuggerUI.exe (PID: 5020)
      • certutil.exe (PID: 7468)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
      • ShellExperienceHost.exe (PID: 7812)
      • identity_helper.exe (PID: 8104)
    • Creates files or folders in the user directory

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • BackgroundTransferHost.exe (PID: 7260)
      • explorer.exe (PID: 5492)
    • Creates files in a temporary directory

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 1276)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 2340)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • BackgroundTransferHost.exe (PID: 4724)
      • BackgroundTransferHost.exe (PID: 7260)
      • BackgroundTransferHost.exe (PID: 4300)
      • BackgroundTransferHost.exe (PID: 7808)
      • BackgroundTransferHost.exe (PID: 4120)
      • msiexec.exe (PID: 8768)
    • Application launched itself

      • firefox.exe (PID: 300)
      • firefox.exe (PID: 6560)
      • msedge.exe (PID: 4180)
    • Checks proxy server information

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • BackgroundTransferHost.exe (PID: 7260)
      • explorer.exe (PID: 5492)
      • HTTPDebuggerUI.exe (PID: 5020)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
      • slui.exe (PID: 6324)
    • Manual execution by a user

      • firefox.exe (PID: 300)
    • Reads the machine GUID from the registry

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • HTTPDebuggerSvc.exe (PID: 2136)
      • msiexec.exe (PID: 8836)
      • HTTPDebuggerSvc.exe (PID: 6112)
      • HTTPDebuggerUI.exe (PID: 5020)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Reads the software policy settings

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • BackgroundTransferHost.exe (PID: 7260)
      • explorer.exe (PID: 5492)
      • msiexec.exe (PID: 8768)
      • msiexec.exe (PID: 8836)
      • HTTPDebuggerUI.exe (PID: 5020)
      • slui.exe (PID: 5936)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
      • slui.exe (PID: 6324)
    • Disables trace logs

      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 7036)
      • 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe (PID: 5668)
    • Autorun file from Downloads

      • firefox.exe (PID: 6560)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5492)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8768)
      • msiexec.exe (PID: 8836)
      • msedge.exe (PID: 7284)
    • The sample was compiled with English language support

      • msiexec.exe (PID: 8768)
      • msiexec.exe (PID: 8836)
      • HTTPDebuggerSvc.exe (PID: 2136)
      • msedge.exe (PID: 7284)
    • Manages system restore points

      • SrTasks.exe (PID: 1280)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 8836)
    • Process checks computer location settings

      • msiexec.exe (PID: 8876)
    • Local mutex for internet shortcut management

      • explorer.exe (PID: 5492)
    • Creates files in the program directory

      • HTTPDebuggerSvc.exe (PID: 2136)
    • Reads Environment values

      • identity_helper.exe (PID: 8104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:27 06:26:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x32a0
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
246
Monitored processes
98
Malicious processes
9
Suspicious processes
1

Behavior graph

start 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe sppextcomobj.exe no specs slui.exe #SNAKEKEYLOGGER 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe backgroundtransferhost.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs backgroundtransferhost.exe firefox.exe no specs firefox.exe no specs backgroundtransferhost.exe no specs svchost.exe backgroundtransferhost.exe no specs firefox.exe no specs backgroundtransferhost.exe no specs firefox.exe no specs firefox.exe no specs explorer.exe msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs httpdebuggersvc.exe httpdebuggersvc.exe no specs httpdebuggerui.exe slui.exe certutil.exe rundll32.exe no specs 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe #SNAKEKEYLOGGER 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe shellexperiencehost.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no 
specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1012 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7176 --field-trial-handle=2284,i,1573332221300976889,12877824775051595272,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1096 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7148 --field-trial-handle=2284,i,1573332221300976889,12877824775051595272,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1244 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8028 --field-trial-handle=2284,i,1573332221300976889,12877824775051595272,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1276 | "C:\Users\admin\AppData\Local\Temp\0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe" | C:\Users\admin\AppData\Local\Temp\0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1280 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1324 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6044 --field-trial-handle=2284,i,1573332221300976889,12877824775051595272,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1452 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7536 --field-trial-handle=2284,i,1573332221300976889,12877824775051595272,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2136 | "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe" | C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe | services.exe
User:
SYSTEM
Company:
HttpDebugger.com
Integrity Level:
SYSTEM
Description:
HTTP Debugger Windows Service
Version:
9.0.0.12
Modules
Images
c:\program files (x86)\httpdebuggerpro\httpdebuggersvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
113 217
Read events
112 653
Write events
519
Delete events
45

Modification events

(PID) Process: (1276) 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CLI\Start
Operation: write
Name: CLI start
Value:
2
(PID) Process: (1276) 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Service
Operation: write
Name: System_Check
Value:
kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
(PID) Process: (1276) 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Service
Operation: write
Name: System_Check
Value:
kernel32::SetFilePointer(i r5, i 13101 , i 0,i 0)
(PID) Process: (1276) 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Service
Operation: write
Name: System_Check
Value:
kernel32::VirtualAlloc(i 0,i 48783360, i 0x3000, i 0x40)p.r2
(PID) Process: (1276) 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Service
Operation: write
Name: System_Check
Value:
kernel32::ReadFile(i r5, i r2, i 48783360,*i 0, i 0)
(PID) Process: (1276) 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Service
Operation: write
Name: System_Check
Value:
user32::EnumWindows(i r2 ,i 0)
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch
Operation: write
Name: Microsoft.Windows.Explorer
Value:
52
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value:
2EF3E16700000000
(PID) Process: (5492) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process: (5492) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
03000000040000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
Executable files
39
Suspicious files
994
Text files
123
Unknown types
0

Dropped files

PID
Process
Filename
Type
6560 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin |
MD5:
SHA256:
7036 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E62DD75009A293E0AF9565AE544F23E_6465F3778A77E94C1A0900A28FE8CBDE | binary
MD5: E603F8D8F84C64FCBBE3696DADFFAC8E
SHA256: 92439C7CE0E04856AEC8B453261DECB2E631814C9F5AC502C30279E0CC439C4F
6560 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json | binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
1276 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Beclamor\Neurobiology.zen | binary
MD5: 7093E02FCBC0ABDC2521D25D9C579073
SHA256: 3F2E84ECB7DD1E934AA9D96C9D0AD5EAB97BF9EB1B5DBC0E69ECE18C9AF547C0
1276 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Beclamor\Riprap43.gaw | binary
MD5: 39C9A5F767D8C170B5CE38EA8D5734D4
SHA256: 87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49
1276 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Beclamor\fyldebtten.soi | binary
MD5: AEF78D8D561E8802286A78AAC6C73ED6
SHA256: 45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE
1276 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Benchership141.lnk | binary
MD5: BF9CC6B5857258FEA4B48BB766A90893
SHA256: 94774DC897B368347052D00311D80A00D2620757C25A9B1BF426CFA4083B2109
1276 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\Local\Temp\nsdB1DE.tmp\System.dll | executable
MD5: EE260C45E97B62A5E42F17460D406068
SHA256: E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
1276 | 0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Beclamor\antihemolytic.arm | binary
MD5: F0886B66577ED608412D985493DF3928
SHA256: 72AB5BB7924FDD333AF20EF25AA0F3AC5CEB0DBEBE70694CB1F8128FD57DA1A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
92
TCP/UDP connections
610
DNS requests
442
Threats
34

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6560
firefox.exe
POST
200
184.24.77.79:80
http://r10.o.lencr.org/
unknown
whitelisted
6560
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6560
firefox.exe
POST
200
142.250.186.163:80
http://o.pki.goog/s/wr3/cgo
unknown
whitelisted
6560
firefox.exe
POST
200
184.24.77.79:80
http://r10.o.lencr.org/
unknown
whitelisted
6560
firefox.exe
POST
200
142.250.186.163:80
http://o.pki.goog/we2
unknown
whitelisted
6560
firefox.exe
POST
200
184.24.77.54:80
http://r11.o.lencr.org/
unknown
whitelisted
6560
firefox.exe
POST
200
184.24.77.54:80
http://r11.o.lencr.org/
unknown
whitelisted
6560
firefox.exe
POST
200
142.250.186.163:80
http://o.pki.goog/we2
unknown
whitelisted
6560
firefox.exe
POST
200
142.250.186.163:80
http://o.pki.goog/we2
unknown
whitelisted
6560
firefox.exe
POST
200
142.250.186.163:80
http://o.pki.goog/s/wr3/UTA
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2236
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.75
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.73
  • 40.126.31.128
  • 20.190.159.129
  • 20.190.160.66
  • 20.190.160.5
  • 20.190.160.20
  • 40.126.32.74
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.140
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.74.47.205
whitelisted
drive.google.com
  • 142.250.74.206
whitelisted
c.pki.goog
  • 172.217.18.99
whitelisted
o.pki.goog
  • 142.250.186.163
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
7036
0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup - checkip.dyndns.org
7036
0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Device Retrieving External IP Address Detected
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
7036
0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup - checkip.dyndns.org
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2196
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
7036
0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Misc activity
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7036
0ff51f1bfcef0cabf76af8a2c9bb5c01aef4940a97c9b5cebe83cddf62d5be77.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup - checkip.dyndns.org
No debug info