File name:

10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe

Full analysis: https://app.any.run/tasks/ccc2da13-16e3-4aa4-b738-46eb29b98494
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, including files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: November 20, 2025, 11:56:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anti-evasion
evasion
stealer
telegram
arch-doc
ims-api
generic
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 22 sections
MD5:

89885EDD29C7CA35EC767778AE20F678

SHA1:

96EC7DDD404BBA2893C83A838137B04D12D7E9C9

SHA256:

10420E92C2CFF6A30E51D25353DDD6C1218854D82F43B58A791FA6F4CE216B99

SSDEEP:

98304:OifD0eYx0r2zuqS+2rbaOhTZkd5e24ypnevD6nqNUm54vsaoCRhrBG1ogbWlaZSn:CQeJeMqQ83MOix4iHNJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Actions look like stealing of personal data

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Executable content was dropped or overwritten

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Enumerates operating system information (Win32_OperatingSystem) (SCRIPT)

      • powershell.exe (PID: 2060)
    • Checks for external IP

      • svchost.exe (PID: 2276)
      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
      (svchost.exe PID 2276 is the DNS Client service host, started with -s Dnscache; it is listed because it resolved ipinfo.io on behalf of PID 7464, which is the process that actually performed the lookup.)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Executes application which crashes

      • chrome.exe (PID: 3184)
      • msedge.exe (PID: 3468)
    • There is functionality for taking screenshot (YARA)

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Multiple wallet extension IDs have been found

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Loads DLL from Mozilla Firefox

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
  • INFO

    • Checks supported languages

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 5408)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 5912)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 6400)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 1712)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 404)
    • Reads the machine GUID from the registry

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Reads the computer name

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 5912)
      • 1763639829337340600_ChromeDecryptor.exe (PID: 404)
    • Reads the software policy settings

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
      • slui.exe (PID: 3972)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Detects GO elliptic curve encryption (YARA)

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
      (Go's standard TLS stack links the crypto/elliptic code, so this rule matches any Go binary that makes HTTPS connections; it indicates runtime crypto, not a custom encryption scheme.)
    • Application based on Golang

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Manual execution by a user

      • WINWORD.EXE (PID: 8184)
      • WINWORD.EXE (PID: 7800)
      • WINWORD.EXE (PID: 4316)
      • WINWORD.EXE (PID: 4380)
      • WINWORD.EXE (PID: 1284)
      • WINWORD.EXE (PID: 4804)
      • WINWORD.EXE (PID: 2268)
      • WINWORD.EXE (PID: 3468)
      • WINWORD.EXE (PID: 7840)
      • notepad.exe (PID: 3400)
      • WINWORD.EXE (PID: 7452)
    • Create files in a temporary directory

      • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (PID: 7464)
    • Checks proxy server information

      • slui.exe (PID: 3972)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Telegram-Tokens (1): 8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY
Telegram-Info-Links for 8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY
  • Get info about bot: https://api.telegram.org/bot8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY/getMe
  • Get incoming updates: https://api.telegram.org/bot8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY/getUpdates
  • Get webhook: https://api.telegram.org/bot8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY/getWebhookInfo
  • Delete webhook: https://api.telegram.org/bot8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY/deleteWebhook
  • Drop incoming updates: https://api.telegram.org/bot8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY/deleteWebhook?drop_pending_updates=true
No malware configuration was extracted.
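The following is an added example, not part of the ANY.RUN report and not code from the sample: it pulls Telegram Bot API tokens out of a strings dump and rebuilds the five info links listed above. Only the token value comes from the report; the strings dump, the getMe replies and the bot username in them are constructed. Note the split between passive and active methods: getMe and getWebhookInfo only read bot metadata, whereas getUpdates consumes the operator's pending messages and deleteWebhook changes the bot's delivery configuration, so calling those is an active interaction with attacker infrastructure that can be noticed and can alter evidence.

```python
"""Added example (not part of the ANY.RUN report or the sample): extract
Telegram Bot API tokens from a strings dump and build the info links the
ims-api section lists. Strings dump and API replies are constructed."""
import json
import re

TELEGRAM_API = "https://api.telegram.org"

# Bot tokens look like <numeric bot id>:<35-char secret>. The lookbehind keeps
# the match from starting inside a longer number; the lookahead keeps it from
# ending inside a longer run of token characters.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Methods that only read bot metadata versus ones that change bot state or
# consume the operator's message queue.
PASSIVE_METHODS = ("getMe", "getWebhookInfo")
ACTIVE_METHODS = ("getUpdates", "deleteWebhook")

# Constructed strings dump; only the token value is taken from the report.
SAMPLE_STRINGS = "\n".join([
    "Go-http-client/1.1",
    "https://ipinfo.io/json",
    "https://api.telegram.org/bot8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY/",
    "8014378157:AAEmx2CYXgTseeXF65To-od-piamMjnM8UY",  # same token, second copy
    "12345:notatoken",                                   # too short, must not match
])


def extract_tokens(strings_dump: str) -> list[str]:
    """Return unique candidate tokens in first-seen order."""
    found: list[str] = []
    for m in TOKEN_RE.finditer(strings_dump):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def api_url(token: str, method: str, **params: str) -> str:
    """Build https://api.telegram.org/bot<token>/<method>[?k=v&...]."""
    url = f"{TELEGRAM_API}/bot{token}/{method}"
    if params:
        url += "?" + "&".join(f"{k}={v}" for k, v in params.items())
    return url


def info_links(token: str) -> dict[str, str]:
    """The same five links the report derives from a token, keyed by purpose."""
    return {
        "Get info about bot": api_url(token, "getMe"),
        "Get incoming updates": api_url(token, "getUpdates"),
        "Get webhook": api_url(token, "getWebhookInfo"),
        "Delete webhook": api_url(token, "deleteWebhook"),
        "Drop incoming updates": api_url(token, "deleteWebhook", drop_pending_updates="true"),
    }


def is_active(url: str) -> bool:
    """True when the URL calls a method that changes state on the attacker's bot."""
    method = url.rsplit("/", 1)[-1].split("?", 1)[0]
    return method in ACTIVE_METHODS


def parse_getme(body: str) -> dict:
    """Parse a getMe reply; {} when the token is invalid or revoked
    (the API then answers {"ok": false, ...})."""
    data = json.loads(body)
    if not data.get("ok"):
        return {}
    r = data["result"]
    return {"id": r.get("id"), "username": r.get("username"), "is_bot": r.get("is_bot")}


# Constructed replies in the Bot API's documented shape; the username is made up.
SAMPLE_GETME_OK = ('{"ok":true,"result":{"id":8014378157,"is_bot":true,'
                   '"first_name":"x","username":"example_bot"}}')
SAMPLE_GETME_REVOKED = '{"ok":false,"error_code":401,"description":"Unauthorized"}'

if __name__ == "__main__":
    for tok in extract_tokens(SAMPLE_STRINGS):
        for purpose, url in info_links(tok).items():
            print(f"[{'ACTIVE ' if is_active(url) else 'passive'}] {purpose}: {url}")
    print(parse_getme(SAMPLE_GETME_OK), parse_getme(SAMPLE_GETME_REVOKED))
```

A revoked token answers with ok=false and HTTP 401, which is the usual state a few days after a sample is published; the parser returns an empty dict in that case so a triage script can tell "bot gone" from "bot still live" without raising.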

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00 (the PE TimeDateStamp is zero, so the header gives no build time)
ImageFileCharacteristics: Executable, No line numbers, Large address aware
PEType: PE32+
LinkerVersion: 2.45
CodeSize: 4509696
InitializedDataSize: 6098944
UninitializedDataSize: 355840
EntryPoint: 0x1400
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows command line
Note: a zeroed timestamp, a GNU ld-style linker version (2.45) and 22 sections are consistent with a Go binary linked through an external mingw-w64 toolchain (cgo) rather than Go's internal linker, which normally reports linker version 3.0.
All screenshots are available in the full report
Total processes
182
Monitored processes
34
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in launch order ("no specs" marks processes that triggered no signatures):
  • 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe (start)
  • conhost.exe (no specs)
  • powershell.exe (no specs) x4
  • svchost.exe
  • 1763639829337340600_chromedecryptor.exe (no specs) x2
  • conhost.exe (no specs)
  • 1763639829337340600_chromedecryptor.exe (no specs)
  • conhost.exe (no specs)
  • 1763639829337340600_chromedecryptor.exe (no specs)
  • conhost.exe (no specs)
  • 1763639829337340600_chromedecryptor.exe (no specs)
  • conhost.exe (no specs) x2
  • msedge.exe (no specs)
  • chrome.exe (no specs)
  • werfault.exe (no specs) x2
  • notepad.exe (no specs)
  • winword.exe
  • winword.exe (no specs)
  • ai.exe (no specs)
  • winword.exe (no specs) x6
  • slui.exe
  • winword.exe (no specs) x2

Process information

PID
CMD
Path
Indicators
Parent process
PID: 404
CMD: C:\Users\admin\AppData\Local\Temp\1763639829337340600_ChromeDecryptor.exe chrome -o C:\Users\admin\AppData\Local\Temp\Chromium\Browsers
Path: C:\Users\admin\AppData\Local\Temp\1763639829337340600_ChromeDecryptor.exe
Parent process: 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\1763639829337340600_chromedecryptor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
PID: 600
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 1763639829337340600_ChromeDecryptor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1284
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\Grabber/Grabber/wedesign.rtf /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 1763639829337340600_ChromeDecryptor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 1763639829337340600_ChromeDecryptor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1712
CMD: C:\Users\admin\AppData\Local\Temp\1763639829337340600_ChromeDecryptor.exe brave -o C:\Users\admin\AppData\Local\Temp\Chromium\Browsers
Path: C:\Users\admin\AppData\Local\Temp\1763639829337340600_ChromeDecryptor.exe
Parent process: 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\1763639829337340600_chromedecryptor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2060
CMD: powershell -Command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption + ' ' + (Get-CimInstance -ClassName Win32_OperatingSystem).Version"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2268
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 1763639829337340600_ChromeDecryptor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2268
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\Grabber/Grabber/cameraprocedures.rtf /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 2276
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
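The process table above is the most useful part of this report for detection engineering: a console binary spawns powershell.exe with a Win32_OperatingSystem query and then runs a freshly dropped <digits>_ChromeDecryptor.exe from Temp once per browser, each with "<browser> -o <output dir>". The block below is an added example, not part of the ANY.RUN report and not the sample's code: it encodes those two relationships as rules and runs them over constructed Sysmon Event ID 1 style records. PIDs, image names and command lines are taken from the process table; the sample's on-disk path, its parent (explorer.exe, PID 1234) and the PID of the benign control event are assumptions.

```python
"""Added example (not part of the ANY.RUN report): detection logic for the
process chain in the report, run over constructed Sysmon Event ID 1 style
records. Values marked 'assumed' are not on the page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # Sysmon "Image": full path of the executable
    cmdline: str    # Sysmon "CommandLine"


SAMPLE_EXE = (r"C:\Users\admin\Desktop"                      # directory assumed
              r"\10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe")
DECRYPTOR = r"C:\Users\admin\AppData\Local\Temp\1763639829337340600_ChromeDecryptor.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OS_QUERY = ("powershell -Command \"(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"
            " + ' ' + (Get-CimInstance -ClassName Win32_OperatingSystem).Version\"")

EVENTS = [
    ProcEvent(1234, 4, r"C:\Windows\explorer.exe", "explorer.exe"),   # PID assumed
    ProcEvent(7464, 1234, SAMPLE_EXE, SAMPLE_EXE),
    ProcEvent(2060, 7464, POWERSHELL, OS_QUERY),
    ProcEvent(404, 7464, DECRYPTOR,
              DECRYPTOR + r" chrome -o C:\Users\admin\AppData\Local\Temp\Chromium\Browsers"),
    ProcEvent(1712, 7464, DECRYPTOR,
              DECRYPTOR + r" brave -o C:\Users\admin\AppData\Local\Temp\Chromium\Browsers"),
    ProcEvent(600, 404, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    # Control case (assumed): an admin typing the same query into a console
    # started from explorer.exe must not trigger the first rule.
    ProcEvent(9001, 1234, POWERSHELL, OS_QUERY),
]

# Parents from which an interactive PowerShell session is expected.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# <digits>_ChromeDecryptor.exe under %LOCALAPPDATA%\Temp, as dropped by the sample.
DECRYPTOR_IMAGE_RE = re.compile(r"\\appdata\\local\\temp\\\d+_chromedecryptor\.exe$", re.I)
# "<browser> -o <output dir>" argument shape seen in the process table.
DECRYPTOR_ARGS_RE = re.compile(r"\s(chrome|brave|edge|opera|vivaldi|chromium)\s+-o\s+\S", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Return (pid, rule name, parent image name) for every matching event."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        name = basename(e.image)
        # Rule 1: OS fingerprinting through CIM/WMI from a non-shell parent.
        if (name == "powershell.exe"
                and "win32_operatingsystem" in e.cmdline.lower()
                and parent_name not in SHELL_PARENTS):
            hits.append((e.pid, "os_fingerprint_powershell_from_non_shell", parent_name))
        # Rule 2: browser credential decryptor run from Temp, one launch per browser.
        if DECRYPTOR_IMAGE_RE.search(e.image) and DECRYPTOR_ARGS_RE.search(e.cmdline):
            hits.append((e.pid, "chromium_decryptor_from_temp", parent_name))
    return hits


def ancestry(events: list[ProcEvent], pid: int) -> str:
    """Walk ppid links upward and render 'child <- parent <- grandparent ...'."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


if __name__ == "__main__":
    for pid, rule, parent in detect(EVENTS):
        print(f"PID {pid} [{rule}] parent={parent}: {ancestry(EVENTS, pid)}")
```

Rule 1 keys on the parent rather than on the query text alone, because the same Get-CimInstance one-liner is common in admin scripts; the control event shows that an explorer-launched console with the identical command line is left alone. Rule 2 pins the dropped helper to its Temp location and numeric-prefix naming so a renamed copy in another directory is a separate decision, not a silent miss.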
Total events
51 137
Read events
50 066
Write events
1 008
Delete events
63

Modification events

The MuiCache writes below record resource-string lookups in tzres.dll for Windows time zone display names, walked in alphabetical order (Afghanistan, Alaskan, Aleutian, ...). This is consistent with the Go runtime resolving the local time zone name on Windows, which reads the MUI_Std strings of the registry Time Zones keys through RegLoadMUIString; it is a side effect of the runtime rather than a deliberate action of the malware.

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-462
Value: Afghanistan Standard Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-461
Value: Afghanistan Daylight Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-222
Value: Alaskan Standard Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-221
Value: Alaskan Daylight Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-2392
Value: Aleutian Standard Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-2391
Value: Aleutian Daylight Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-2162
Value: Altai Standard Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-2161
Value: Altai Daylight Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-392
Value: Arab Standard Time

(PID) Process: (7464) 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: C:\WINDOWS\system32\,@tzres.dll,-391
Value: Arab Daylight Time
Executable files
39
Suspicious files
179
Text files
52
Unknown types
0

Dropped files

PID | Process | Filename | Type

7572 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_35safvc4.y0f.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | C:\Users\admin\AppData\Local\Temp\GrabbedFiles\Grabber\desktop.ini | text
MD5: 3A37312509712D4E12D27240137FF377
SHA256: B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3

2060 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sn5h2eae.uwg.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | C:\Users\admin\AppData\Local\Temp\GrabbedFiles\Grabber\cameraprocedures.rtf | text
MD5: 64E9E48BE5CD3F3D2B04AF1AA484687D
SHA256: 6D13BC17B9081AD594918BD3F395D7700EEA6DCC2007578972699C945C137AC9

5584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_52lii5y2.qj5.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

5584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pajpv3xc.51c.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | C:\Users\admin\AppData\Local\Temp\GrabbedFiles\Grabber\closeincluded.rtf | text
MD5: 5E5AB83ED27E7777C73B29762E859239
SHA256: D8419A7AE0DF4851F3BACB24E85E179C32D8F12C6919EF5A09785EFD169246FB

7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | C:\Users\admin\AppData\Local\Temp\GrabbedFiles\Grabber\desktoptwo.rtf | text
MD5: 898888A8A42B7E4D1FB5504F10C90C28
SHA256: 57DADC575B2186D216984BAA023094E9FB3215704406A52E47C40D7C1D45288A

7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | C:\Users\admin\AppData\Local\Temp\GrabbedFiles\Grabber\addressactivity.rtf | text
MD5: 6E2505F44848996FA3C74E05694EA50B
SHA256: 15B37EDDFE39F3DD9F482B1255C1671F0661FFC2A83C0C3A2ED241B90AAE823E

7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | C:\Users\admin\AppData\Local\Temp\GrabbedFiles\Grabber\kittext.jpg | image
MD5: C136E5C38EF2CE3C3AA15C7C4E4F1AB2
SHA256: DED128CB92F2AE4A64E2BE8BAA6700BB55D4A994D0E5603F01D7B86FE46696B5
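Two things in the dropped-file table are easy to misread: the four __PSScriptPolicyTest_*.ps1/.psm1 files share one hash because PowerShell writes them itself at startup to probe AppLocker/WDAC script policy, so they are not payloads; and the files under Temp\GrabbedFiles\Grabber are the grabber module's staging copies of user documents, with a desktop.ini beside them (the "cloak folders" signature). The block below is an added example, not part of the ANY.RUN report: it sorts the table into those buckets, groups by hash, and matches staged files against the documents the WINWORD.EXE command lines show being opened from the Desktop. The records are the rows listed above; nothing else is assumed.

```python
"""Added example (not part of the ANY.RUN report): triage of the dropped-file
table. Records are the rows the report lists (PID, process, path, MD5); the
opened-document list comes from the WINWORD.EXE command lines."""
import re
from collections import defaultdict

SAMPLE = "10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
STAGING = TEMP + r"\GrabbedFiles\Grabber"

DROPS = [
    (7572, "powershell.exe", TEMP + r"\__PSScriptPolicyTest_35safvc4.y0f.ps1", "D17FE0A3F47BE24A6453E9EF58C94641"),
    (7464, SAMPLE, STAGING + r"\desktop.ini", "3A37312509712D4E12D27240137FF377"),
    (2060, "powershell.exe", TEMP + r"\__PSScriptPolicyTest_sn5h2eae.uwg.ps1", "D17FE0A3F47BE24A6453E9EF58C94641"),
    (7464, SAMPLE, STAGING + r"\cameraprocedures.rtf", "64E9E48BE5CD3F3D2B04AF1AA484687D"),
    (5584, "powershell.exe", TEMP + r"\__PSScriptPolicyTest_52lii5y2.qj5.ps1", "D17FE0A3F47BE24A6453E9EF58C94641"),
    (5584, "powershell.exe", TEMP + r"\__PSScriptPolicyTest_pajpv3xc.51c.psm1", "D17FE0A3F47BE24A6453E9EF58C94641"),
    (7464, SAMPLE, STAGING + r"\closeincluded.rtf", "5E5AB83ED27E7777C73B29762E859239"),
    (7464, SAMPLE, STAGING + r"\desktoptwo.rtf", "898888A8A42B7E4D1FB5504F10C90C28"),
    (7464, SAMPLE, STAGING + r"\addressactivity.rtf", "6E2505F44848996FA3C74E05694EA50B"),
    (7464, SAMPLE, STAGING + r"\kittext.jpg", "C136E5C38EF2CE3C3AA15C7C4E4F1AB2"),
]

# Documents opened during the run, from the WINWORD.EXE command lines.
OPENED_DOCS = [
    r"C:\Users\admin\Desktop\Grabber/Grabber/wedesign.rtf",
    r"C:\Users\admin\Desktop\Grabber/Grabber/cameraprocedures.rtf",
]

# PowerShell writes these at startup to probe AppLocker/WDAC script policy;
# they are PowerShell's own artifacts, not files dropped by the sample.
PS_POLICY_TEST_RE = re.compile(r"\\__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.psm?1$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(drops):
    """Bucket each dropped file: PowerShell policy probe, staged loot,
    desktop.ini cloak, or anything else that needs a manual look."""
    buckets = {"ps_policy_test": [], "staged": [], "cloak": [], "other": []}
    for _pid, _proc, path, _md5 in drops:
        if PS_POLICY_TEST_RE.search(path):
            buckets["ps_policy_test"].append(path)
        elif "\\grabbedfiles\\" in path.lower():
            # desktop.ini inside the staging folder is the folder-cloaking file.
            key = "cloak" if basename(path) == "desktop.ini" else "staged"
            buckets[key].append(path)
        else:
            buckets["other"].append(path)
    return buckets


def by_hash(drops):
    """Group paths by MD5 so identical content shows up as one item."""
    groups = defaultdict(list)
    for _pid, _proc, path, md5 in drops:
        groups[md5.upper()].append(path)
    return dict(groups)


def match_sources(staged_paths, opened_docs):
    """Map staged file name -> user document with the same name, when one was seen."""
    opened = {basename(p): p for p in opened_docs}
    return {basename(s): opened[basename(s)] for s in staged_paths if basename(s) in opened}


if __name__ == "__main__":
    t = triage(DROPS)
    for bucket, paths in t.items():
        print(f"{bucket}: {len(paths)}")
    for md5, paths in by_hash(DROPS).items():
        if len(paths) > 1:
            print(f"shared hash {md5}: {len(paths)} files")
    print(match_sources(t["staged"], OPENED_DOCS))
```

The name match is deliberately conservative: it only links a staged file to a source when the report itself shows that document being opened, which here is cameraprocedures.rtf; it does not guess origins for the other staged files.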
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
104
TCP/UDP connections
115
DNS requests
32
Threats
11

HTTP requests

None of the HTTP requests decoded below belong to the sample; they are Windows licensing, update and CRL traffic from system processes. PID 7464's own traffic to ipinfo.io and api.telegram.org is TLS and appears only in the DNS requests and Threats sections. PID and process are not listed for some rows in the source report.

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4824 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | unknown
 | | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
 | | POST | 200 | 20.190.159.0:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
 | | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | unknown
 | | GET | 200 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 29.1 Kb | unknown
5596 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
7688 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | | | whitelisted
7688 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | | | whitelisted
 | | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5596 | MoUsoCoreWorker.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2716 | RUXIMICS.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 2.16.241.208:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4824 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4824 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5596 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5596 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.16.241.208
  • 2.16.241.197
  • 2.16.241.207
  • 2.16.241.212
  • 2.16.241.219
  • 2.16.241.221
  • 2.16.241.206
  • 2.16.241.218
  • 2.16.241.222
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.2
  • 40.126.32.134
  • 20.190.160.65
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.5
  • 40.126.32.68
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 95.101.149.131
whitelisted

Threats

PID | Process | Class | Message
 | | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2276 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
 | | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
 | | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
 | | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
2276 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2276 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
7464 | 10420e92c2cff6a30e51d25353ddd6c1218854d82f43b58a791fa6f4ce216b99.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
 | | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body

Rows attributed to svchost.exe (PID 2276) are DNS-based rules; that process is the DNS Client service host (-s Dnscache), so the lookups were made on behalf of PID 7464, which is the process named in the TLS SNI rows. The Dr Watson (MSDW) user-agent is consistent with the WerFault.exe crash reports for chrome.exe and msedge.exe, and the Go-http-client user-agent rows match the golang tag on the sample.
Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. (reported by three WINWORD.EXE instances)