File name: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.7z

Full analysis: https://app.any.run/tasks/1d8d409e-0cd1-4cde-b687-bd5f32936166
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily as part of phishing campaigns.

Analysis date: March 07, 2025, 00:19:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
evasion
python
stealer
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: A063B27A842BF98E11E7123B50EF4B82
SHA1: 530AF7A8696C49167D14B79BDCB65E81F7ECF604
SHA256: 1685E5C76CD82BBAD1E42F074B243CBB9BAB98AD94D0E530642CCC23669D84A4
SSDEEP: 98304:M2EIkW2qSlSf7v3BYyLoTcFkg3w2XbyBVojIiolXOELmxhx+DdnINYGxXNVdsQPv:g8mUQcw2E/bVJYvbT1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7752)
    • Steals credentials from Web Browsers

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
    • Actions looks like stealing of personal data

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • The process drops C-runtime libraries

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • Process drops python dynamic module

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • Process drops legitimate windows executable

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • Application launched itself

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • Loads Python modules

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
    • Checks for external IP

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
  • INFO

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7900)
      • BackgroundTransferHost.exe (PID: 4776)
      • BackgroundTransferHost.exe (PID: 6572)
      • BackgroundTransferHost.exe (PID: 7628)
      • BackgroundTransferHost.exe (PID: 5392)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 6572)
      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 6572)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 6572)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7752)
    • Manual execution by a user

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • The sample compiled with english language support

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • Checks supported languages

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
    • Reads the computer name

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
    • Create files in a temporary directory

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 7940)
    • Reads the machine GUID from the registry

      • HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe (PID: 6572)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:10:26 12:04:18+00:00
ArchivedFileName: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
All screenshots are available in the full report
Total processes: 138
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, backgroundtransferhost.exe (5 instances), heur-trojan-psw.python.disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe, conhost.exe, heur-trojan-psw.python.disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe

Process information

PID: 4776
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5392
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6572
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6572
CMD: "C:\Users\admin\Desktop\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe"
Path: C:\Users\admin\Desktop\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Parent process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\heur-trojan-psw.python.disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7628
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 7752
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7900
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 7940
CMD: "C:\Users\admin\Desktop\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe"
Path: C:\Users\admin\Desktop\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\heur-trojan-psw.python.disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 3 184
Read events: 3 150
Write events: 34
Delete events: 0

Modification events

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.7z

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7752) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7900) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7900) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 65
Suspicious files: 6
Text files: 11
Unknown types: 0

Dropped files

PID: 6572
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\49669d0e-8642-49ad-958c-952cddd09831.down_data
Type: -
MD5: -
SHA256: -

PID: 6572
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5: 38989CDC9B939CBF439472EC8FEBE5D7
SHA256: 0188CCDAB61284075618619F99DBB9FC9BA066DF5B1FF02EC5684476CABA0732

PID: 7940
Process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI79402\_socket.pyd
Type: executable
MD5: 49F417DE4AAAE069D5B2D5D5A4DDABE1
SHA256: F1930CA4C78029FB41F3F661194B9D3001D0A99F45D68BF3A4A87D9EA36AAD20

PID: 7940
Process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI79402\_queue.pyd
Type: executable
MD5: C81D66A03763EDBEDD7ABEC2773974A6
SHA256: C752ABE44BC4D04657B9CB3A415FA1EE592B6AE77A3661F598F9F21FA9EEF710

PID: 7752
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb7752.11655\HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Type: executable
MD5: 7809FA176A3D8C553E6C217EFF9F02EB
SHA256: 36294EFBCE3EBA3F480CEED3032C580886259179A6CEB6271D0FFA3DE95B6C8E

PID: 7940
Process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI79402\_bz2.pyd
Type: executable
MD5: 6FD0281BCA7EEE0F354A91F958714EDB
SHA256: 03D8966F4D8AB347140A3AD9938FB91DB11E01E028E980721451070EB0483CF7

PID: 6572
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\fc38b544-6042-444d-a6a6-818938d185ee.up_meta_secure
Type: binary
MD5: AEEA3377CA8E89BA657620A35A515B82
SHA256: D881EE7A221051B5B0E0DA2AC2F55409B1ADEB9B0817B8B0185FF31B86DC9AE5

PID: 7940
Process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI79402\_overlapped.pyd
Type: executable
MD5: 7F967C1D2968BF3132C558B03CF9314D
SHA256: CCEA0CD98CC3496A446BCB3A9DA37802815E9AFCA6EAADE2949859CFA0C0D558

PID: 6572
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\49669d0e-8642-49ad-958c-952cddd09831.986777cf-ade5-4db3-9468-36ce8393a0fc.down_meta
Type: binary
MD5: 1CE19CFCEF7BDD2407B27CA39D69AF69
SHA256: C0C95C29523B830510998A31A8E6BFFDA957309745046F21E6A181D436954C5D

PID: 7940
Process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI79402\_ssl.pyd
Type: executable
MD5: 4DDF64B25544D11A28215052A394B457
SHA256: B673E41306D6DF496151017ECB153A69E0BE509B448697D70427AC82C1664974
HTTP(S) requests: 3
TCP/UDP connections: 23
DNS requests: 10
Threats: 2

HTTP requests

PID: 7288
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown
Reputation: whitelisted

PID: 7288
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

PID: 6572
Process: BackgroundTransferHost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
CN: unknown
Reputation: whitelisted

Connections

IP | Domain | ASN | CN | Reputation

PID 2104, svchost.exe:
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
192.168.100.255:138 | - | - | - | whitelisted
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

PID 6544, svchost.exe:
20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

PID 3216, svchost.exe:
40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

PID 7288, backgroundTaskHost.exe:
20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.20
  • 20.190.160.14
  • 20.190.160.4
  • 40.126.32.133
  • 20.190.160.128
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
www.bing.com
  • 104.126.37.163
  • 104.126.37.144
  • 104.126.37.186
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.178
  • 104.126.37.136
  • 104.126.37.139
whitelisted
api.ipify.org
  • 104.26.13.205
  • 172.67.74.152
  • 104.26.12.205
shared

Threats

PID: 2196
Process: svchost.exe
Class: Misc activity
Message: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup

PID: 6572
Process: HEUR-Trojan-PSW.Python.Disco.gen-36294efbce3eba3f480ceed3032c580886259179a6ceb6271d0ffa3de95b6c8e.exe
Class: Misc activity
Message: ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

No debug info