File name:

GPUpdate.exe

Full analysis: https://app.any.run/tasks/9b58875d-8690-4e95-91e4-f2f8eeac68da
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 17, 2024, 19:21:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pyinstaller
python
stealer
susp-powershell
discordgrabber
generic
discord
upx
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

2C716FA57ACE38B37A2E282D602258F4

SHA1:

4021823602D74B61539A1266C017229A576A4C4D

SHA256:

24EB9216AF5A55BA4305002B484B450BBECC85180128D59550CE458D3EFB3C4D

SSDEEP:

393216:VtYt07Zw4GGeqdCpDv//6dcjY+c5wI5JynTnRxvKOBwc+Q9lmxJeg:VWt6O4GvqdCpD35jYbzXynRDB/+Q9zg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • GPUpdate.exe (PID: 1680)

    • Actions looks like stealing of personal data

      • GPUpdate.exe (PID: 1680)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 6348)

    • Adds extension to the Windows Defender exclusion list

      • GPUpdate.exe (PID: 1680)
      • cmd.exe (PID: 6348)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6348)

    • DISCORDGRABBER has been detected (YARA)

      • GPUpdate.exe (PID: 1680)

    • Steals credentials from Web Browsers

      • GPUpdate.exe (PID: 1680)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • GPUpdate.exe (PID: 6564)
      • GPUpdate.exe (PID: 1680)

    • Process drops python dynamic module

      • GPUpdate.exe (PID: 6564)

    • Executable content was dropped or overwritten

      • GPUpdate.exe (PID: 6564)

    • Drops the executable file immediately after the start

      • GPUpdate.exe (PID: 6564)

    • Process drops legitimate windows executable

      • GPUpdate.exe (PID: 6564)

    • The process drops C-runtime libraries

      • GPUpdate.exe (PID: 6564)

    • Application launched itself

      • GPUpdate.exe (PID: 6564)

    • Loads Python modules

      • GPUpdate.exe (PID: 1680)

    • Starts CMD.EXE for commands execution

      • GPUpdate.exe (PID: 1680)

    • Uses NETSH.EXE to obtain data on the network

      • GPUpdate.exe (PID: 1680)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 6232)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 6348)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 6232)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6464)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 6348)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6348)

    • Script adds exclusion extension to Windows Defender

      • cmd.exe (PID: 6348)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 2476)

    • Uses WMIC.EXE to obtain CPU information

      • GPUpdate.exe (PID: 1680)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6448)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 4924)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 6168)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 460)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 1132)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 936)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 320)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • GPUpdate.exe (PID: 1680)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 6388)

    • Potential Corporate Privacy Violation

      • GPUpdate.exe (PID: 1680)

  • INFO

    • Reads the computer name

      • GPUpdate.exe (PID: 6564)
      • GPUpdate.exe (PID: 1680)

    • Checks supported languages

      • GPUpdate.exe (PID: 6564)
      • GPUpdate.exe (PID: 1680)

    • Create files in a temporary directory

      • GPUpdate.exe (PID: 6564)
      • GPUpdate.exe (PID: 1680)

    • PyInstaller has been detected (YARA)

      • GPUpdate.exe (PID: 6564)
      • GPUpdate.exe (PID: 1680)

    • Checks proxy server information

      • GPUpdate.exe (PID: 1680)

    • Creates files or folders in the user directory

      • GPUpdate.exe (PID: 1680)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5028)
      • powershell.exe (PID: 6300)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5028)
      • powershell.exe (PID: 6384)
      • powershell.exe (PID: 5940)
      • powershell.exe (PID: 6300)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • GPUpdate.exe (PID: 1680)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6448)
      • WMIC.exe (PID: 6524)
      • WMIC.exe (PID: 460)
      • WMIC.exe (PID: 3180)
      • WMIC.exe (PID: 936)
      • WMIC.exe (PID: 5464)
      • WMIC.exe (PID: 6388)

    • UPX packer has been detected

      • GPUpdate.exe (PID: 1680)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2256)
      • GPUpdate.exe (PID: 1680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:17 06:43:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.3296
ProductVersionNumber: 10.0.22621.3296
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft® Group Policy Update Utility
FileVersion: 10.0.22621.3296 (WinBuild.160101.0800)
InternalName: GPUpdate.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: GPUpdate.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.3296
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
36
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start THREAT gpupdate.exe THREAT gpupdate.exe cmd.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs svchost.exe wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
320C:\WINDOWS\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"C:\Windows\System32\cmd.exeGPUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
460wmic path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
936C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuidC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1132C:\WINDOWS\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"C:\Windows\System32\cmd.exeGPUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1564\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1680"C:\Users\admin\AppData\Local\Temp\GPUpdate.exe" C:\Users\admin\AppData\Local\Temp\GPUpdate.exe
GPUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Group Policy Update Utility
Exit code:
0
Version:
10.0.22621.3296 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\gpupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1884\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2080\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2476C:\WINDOWS\system32\cmd.exe /c "wmic os get Caption"C:\Windows\System32\cmd.exeGPUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
27 529
Read events
27 529
Write events
0
Delete events
0

Modification events

No data
Executable files
141
Suspicious files
596
Text files
157
Unknown types
0

Dropped files

PID
Process
Filename
Type
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_chacha20.pydexecutable
MD5:85FC295DC27B94B4852C76884DA773F0
SHA256:42A7E8BEA636335564B0270BD99C60BB0E666379DDACF2708508B9FFE79F2D3A
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_pkcs1_decode.pydexecutable
MD5:0D121BF8DB0E8BAABBA95A6D45A48C30
SHA256:11D52EEEADB8036ABB79FA3D7CD312662164143F061A551CEBA6B8F78E425126
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_cfb.pydexecutable
MD5:24E69B6EC11C3099A0CE0F553653FFE8
SHA256:9399B42E3EE1694B84A07229D4B550AE03162A2FCE290CCC8910E0594EB79760
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_ocb.pydexecutable
MD5:85133AFBF2F894D0FE45399AE8C1BD8B
SHA256:32946F6359CE64EEC6A6EB4160D3D8564F4BB33C27523D70FC919E2C43D8124D
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_Salsa20.pydexecutable
MD5:1089A1423736D82647D00C27EE24C71E
SHA256:10D371F2A405764BADF6A563EAF0BCB3CB3E5C32B9402906D22C06FD96F2ECE7
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_blowfish.pydexecutable
MD5:FCFE89C47BD0B45940A85F95BF06784A
SHA256:34D49D25D1778BF7E9CDEDD4BF488BE03196A7B4E2A9F518BF8C955DF1592186
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_aes.pydexecutable
MD5:2C8AD9C09D3CC6403AD15763399FB4D0
SHA256:F1C68D9A0E942FC2ACB164BAEF3BE36E52FC653D94728575B375895F083CEB00
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_arc2.pydexecutable
MD5:77CF8A8D5AC929FD59BBF436012E3EF2
SHA256:F76749B300BB24A56F6E8E88339F6399302F1709F7307FD5D53845B89EA67D34
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_aesni.pydexecutable
MD5:01E32CC1C10608643E89DB89A4061FF2
SHA256:FFC491EFD69E632265CCAE904073C2F1E1C72E59D669C78E25B5AE212918E4C1
6564GPUpdate.exeC:\Users\admin\AppData\Local\Temp\_MEI65642\Cryptodome\Cipher\_raw_cbc.pydexecutable
MD5:D9F0780E8DF9E0ADB12D1C4C39D6C9BE
SHA256:E91C6BBA58CF9DD76CB573F787C76F1DA4481F4CBCDF5DA3899CCE4D3754BBE7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
34
DNS requests
16
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5552
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6732
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1236
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1680
GPUpdate.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
192.168.100.255:138
whitelisted
3068
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4100
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5552
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5552
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6732
backgroundTaskHost.exe
20.103.156.88:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.72
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
gstatic.com
  • 216.58.206.35
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
1680
GPUpdate.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
1680
GPUpdate.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
1680
GPUpdate.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GPUpdate.exe