File name: DiscordFixUlt.exe

Full analysis: https://app.any.run/tasks/4dcae487-23ba-4bc9-a425-df10f5881a17
Verdict: Malicious activity
Threats:

Stealers are a family of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their victims by recording keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: February 16, 2026, 14:39:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
salatstealer
stealer
windivert-sys
mal-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 78476194C2CBDFBF607268A160E3B646
SHA1: 676A532975EED5D4BDBCF9D6295DE221E2E4B544
SHA256: 25BCF94783EE6AD17F2D9838297B97F8EBDADC4C4BC25FB7C1C72261AEE2E89B
SSDEEP: 98304:sKwSegtb78Xky7PIuV/Bzyj3RQceVhl+9FgngkK5kexCXHHXpSodLriNWHcFGB0x:bmi1WVZ+pd8aD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Malicious driver has been detected

      • DiscordFixUlt.exe (PID: 8456)
    • Detects Cygwin installation

      • DiscordFixUlt.exe (PID: 8456)
    • SALATSTEALER mutex has been found

      • DiscordFix.exe (PID: 6300)
      • DiscordFix.exe (PID: 2900)
      • DiscordFix.exe (PID: 7652)
      • OfficeClickToRun.exe (PID: 1856)
      • DiscordFix.exe (PID: 7236)
    • SALATSTEALER has been detected (SURICATA)

      • DiscordFix.exe (PID: 6300)
      • OfficeClickToRun.exe (PID: 1856)
    • SALATSTEALER has been detected (YARA)

      • DiscordFix.exe (PID: 6300)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • DiscordFixUlt.exe (PID: 8456)
    • Reads the date of Windows installation

      • DiscordFixUlt.exe (PID: 8456)
    • Drops a system driver (possible attempt to evade defenses)

      • DiscordFixUlt.exe (PID: 8456)
    • Reads Internet Explorer settings

      • DiscordFixUlt.exe (PID: 8456)
    • Reads Microsoft Outlook installation path

      • DiscordFixUlt.exe (PID: 8456)
    • Executing commands from a ".bat" file

      • DiscordFixUlt.exe (PID: 8456)
    • Application launched itself

      • DiscordFix.exe (PID: 2844)
      • DiscordFix.exe (PID: 7728)
      • DiscordFix.exe (PID: 8024)
    • Multiple wallet extension IDs have been found

      • DiscordFix.exe (PID: 6300)
    • Starts itself from another location

      • DiscordFix.exe (PID: 6300)
    • The process creates files with name similar to system file names

      • DiscordFix.exe (PID: 6300)
  • INFO

    • Drops script file

      • DiscordFixUlt.exe (PID: 8456)
      • cmd.exe (PID: 5920)
    • Reads security settings of Internet Explorer

      • DiscordFixUlt.exe (PID: 8456)
      • DiscordFix.exe (PID: 2844)
      • DiscordFix.exe (PID: 7728)
      • DiscordFix.exe (PID: 8024)
    • There is functionality for taking screenshot (YARA)

      • DiscordFixUlt.exe (PID: 8456)
      • DiscordFix.exe (PID: 6300)
    • Reads the computer name

      • DiscordFixUlt.exe (PID: 8456)
      • DiscordFix.exe (PID: 2844)
      • DiscordFix.exe (PID: 6300)
      • DiscordFix.exe (PID: 7728)
      • DiscordFix.exe (PID: 8024)
      • OfficeClickToRun.exe (PID: 1856)
    • Checks proxy server information

      • DiscordFixUlt.exe (PID: 8456)
    • Checks supported languages

      • DiscordFixUlt.exe (PID: 8456)
      • DiscordFix.exe (PID: 2844)
      • DiscordFix.exe (PID: 6300)
      • DiscordFix.exe (PID: 2900)
      • DiscordFix.exe (PID: 7728)
      • DiscordFix.exe (PID: 8024)
      • DiscordFix.exe (PID: 7652)
      • DiscordFix.exe (PID: 7236)
      • OfficeClickToRun.exe (PID: 1856)
    • Process checks computer location settings

      • DiscordFixUlt.exe (PID: 8456)
      • DiscordFix.exe (PID: 2844)
      • DiscordFix.exe (PID: 7728)
      • DiscordFix.exe (PID: 8024)
    • Creates files in the program directory

      • DiscordFix.exe (PID: 2844)
      • DiscordFix.exe (PID: 6300)
    • Reads the machine GUID from the registry

      • DiscordFix.exe (PID: 6300)
      • DiscordFix.exe (PID: 2900)
      • DiscordFix.exe (PID: 7652)
      • OfficeClickToRun.exe (PID: 1856)
      • DiscordFix.exe (PID: 7236)
    • Manual execution by a user

      • DiscordFix.exe (PID: 7728)
      • DiscordFix.exe (PID: 8024)
      • DiscordFix.exe (PID: 7236)
    • Application based on Golang

      • DiscordFix.exe (PID: 6300)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • DiscordFix.exe (PID: 6300)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • DiscordFix.exe (PID: 6300)
    • UPX packer has been detected

      • DiscordFix.exe (PID: 6300)
    • Detects GO elliptic curve encryption (YARA)

      • DiscordFix.exe (PID: 6300)
    • Creates files or folders in the user directory

      • DiscordFix.exe (PID: 6300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:28 09:26:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 314368
InitializedDataSize: 166912
UninitializedDataSize: -
EntryPoint: 0x33db0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 12
Malicious processes: 8
Suspicious processes: 2

Behavior graph

Graph nodes (the graph itself is rendered in the full report; tags as shown there): discordfixult.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), discordfix.exe (no specs), discordfix.exe (#SALATSTEALER), discordfix.exe (no specs), discordfix.exe (#SALATSTEALER), discordfix.exe (no specs), discordfix.exe (#SALATSTEALER), discordfix.exe (#SALATSTEALER), officeclicktorun.exe (#SALATSTEALER), slui.exe (no specs)

Process information

One entry per monitored process: PID, command line (CMD), image path, parent process, user, integrity level, exit code where recorded, and loaded modules.
PID: 1856
CMD: "C:\Program Files (x86)\Common Files\OfficeClickToRun.exe"
Path: C:\Program Files (x86)\Common Files\OfficeClickToRun.exe
Parent process: DiscordFix.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\program files (x86)\common files\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2844
CMD: DiscordFix.exe
Path: C:\Users\admin\Desktop\DiscordFix.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\discordfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2900
CMD: "C:\Users\admin\Desktop\DiscordFix.exe"
Path: C:\Users\admin\Desktop\DiscordFix.exe
Parent process: DiscordFix.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\desktop\discordfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3404
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5920
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\openglmodfix.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: DiscordFixUlt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 6300
CMD: "C:\Users\admin\Desktop\DiscordFix.exe"
Path: C:\Users\admin\Desktop\DiscordFix.exe
Parent process: DiscordFix.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\discordfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6580
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7236
CMD: "C:\Users\admin\Desktop\DiscordFix.exe"
Path: C:\Users\admin\Desktop\DiscordFix.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\desktop\discordfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7652
CMD: "C:\Users\admin\Desktop\DiscordFix.exe"
Path: C:\Users\admin\Desktop\DiscordFix.exe
Parent process: DiscordFix.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\desktop\discordfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7728
CMD: "C:\Users\admin\Desktop\DiscordFix.exe"
Path: C:\Users\admin\Desktop\DiscordFix.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\discordfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 5 042
Read events: 5 031
Write events: 9
Delete events: 2

Modification events

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 139

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 4B2C936900000000

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFavoritesInitialSelection

PID 8456, DiscordFixUlt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFeedsInitialSelection
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 43

Dropped files

Each entry lists the dropping process (PID), the dropped file's path, its detected type, and its hashes.

PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general (FAKE TLS AUTO).bat (type: binary)
  MD5: BBAD05F91A516D3B6D39A199F485478D
  SHA256: 5C9AEEA38482FF3B0DBC01D03EAB89C7B532CD3CC47C35D579CCFF1A81E5481F
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\bin\tls_clienthello_max_ru.bin (type: binary)
  MD5: B2B3E684CE449B60F0BC5A9028221A08
  SHA256: 4EE0870ABE0A0128600B0095189987BA1D210DAE8BF963BC725AFF49CF922624
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\bin\winws.exe (type: binary)
  MD5: D498E19BC7A79DD1EFCB6B928CBE9909
  SHA256: AFFB4F69D2EA302A7ABCCD5325D81826E140DDAE014F1E070BC4A6C0DD555188
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general (FAKE TLS AUTO ALT3).bat (type: binary)
  MD5: F9E9871B530C89ED8FA9454F78359702
  SHA256: 759565D6935424CFAD2917B88D82D49AF64F45D6FD004D02060ADD2D52662753
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general (SIMPLE FAKE ALT2).bat (type: binary)
  MD5: 611779A72D16AD8A723C617BE5380777
  SHA256: 7CC0E5DA2AEB5C107255940F430999010A14F212AFC48BBD6730377539720926
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general (SIMPLE FAKE ALT).bat (type: binary)
  MD5: 3A7B730B148F8E412C00DFBFFC598701
  SHA256: 11C75F8A91A9CA386EF3B3D6C0BEFB9FA297081511C7840F2956A557F5143F2A
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general (FAKE TLS AUTO ALT2).bat (type: binary)
  MD5: EC1C80727B70C8A6B82A30AE6D295D7F
  SHA256: 7A26ECA58F9F839353CBF6B9283ADB11D434CCE1DCAD74F07D2A98D57CC8323D
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general.bat (type: binary)
  MD5: E9FDEDB3B13FB339A2939438FA4F7A16
  SHA256: 00CC054CDFDDFD3F292F8E7FF6C0B58D8C00E6FC96224C47CB876B42E4A5AC52
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\openglmodfix.bat (type: binary)
  MD5: F884E5E68347EA16575FB7E98F8B7FC6
  SHA256: C7FA9BF2E7942549B1A3DAB04F512C64ABB3070392AA646254E927967DBEB69C
PID 8456, DiscordFixUlt.exe: C:\Users\admin\Desktop\general (SIMPLE FAKE).bat (type: binary)
  MD5: CCA1F296AC98CF520224B122D5A3763E
  SHA256: 95CE9B28A877F7BEB38FF9826D4F2C52CD2F745576DE43F205985905DAC2D189
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 42
DNS requests: 20
Threats: 8

HTTP requests

Each entry lists the requesting process (PID), method, HTTP status code, destination IP:port, country (CN), content type and size where recorded, reputation, and the requested URL.

PID 6768, MoUsoCoreWorker.exe: GET, HTTP 304, 40.127.240.158:443, CN US, whitelisted
  URL: https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
PID 876, svchost.exe: GET, HTTP 304, 40.127.240.158:443, CN US, whitelisted
  URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
PID 552, SIHClient.exe: GET, HTTP 304, 135.232.92.137:443, CN US, whitelisted
  URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
PID 552, SIHClient.exe: GET, HTTP 200, 20.242.39.171:443, CN US, whitelisted
  URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
PID 552, SIHClient.exe: GET, HTTP 200, 135.232.92.137:443, CN US, whitelisted
  URL: https://slscr.update.microsoft.com/sls/ping
PID 552, SIHClient.exe: GET, HTTP 304, 135.232.92.137:443, CN US, whitelisted
  URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
PID 356, svchost.exe: POST, HTTP 200, 20.190.159.0:443, CN US, size 11.1 Kb, whitelisted
  URL: https://login.live.com/RST2.srf
PID 356, svchost.exe: GET, HTTP 200, 184.30.131.245:80, CN US, type binary, size 471 b, whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
(no PID/process shown): GET, HTTP 200, 204.79.197.203:80, CN US, type binary, size 960 b, whitelisted
  URL: http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
PID 356, svchost.exe: POST, HTTP 200, 20.190.159.0:443, CN US, size 10.3 Kb, whitelisted
  URL: https://login.live.com/RST2.srf

Connections

Each entry lists the process (PID), destination IP:port, domain, ASN, country (CN), and reputation.

PID 4, System: 192.168.100.255:137, Not routed, whitelisted
PID 876, svchost.exe: 4.231.128.59:443, settings-win.data.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, whitelisted
PID 7508, RUXIMICS.exe: 4.231.128.59:443, settings-win.data.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, whitelisted
PID 6768, MoUsoCoreWorker.exe: 4.231.128.59:443, settings-win.data.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, whitelisted
PID 5568, SearchApp.exe: 92.123.104.50:443, th.bing.com, ASN AKAMAI-ASN1, CN NL, whitelisted
(no PID/process shown): 92.123.104.50:443, th.bing.com, ASN AKAMAI-ASN1, CN NL, whitelisted
(no PID/process shown): 92.123.104.41:443, th.bing.com, ASN AKAMAI-ASN1, CN NL, whitelisted
(no PID/process shown): 184.30.131.245:80, ocsp.digicert.com, ASN AKAMAI-AS, CN US, whitelisted
(no PID/process shown): 204.79.197.203:80, oneocsp.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, whitelisted
PID 3412, svchost.exe: 172.211.123.249:443, client.wns.windows.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, whitelisted

DNS requests

Each entry lists the resolved domain, the returned IP addresses, and the reputation.

settings-win.data.microsoft.com: 4.231.128.59, 20.73.194.208, 40.127.240.158 (whitelisted)
self.events.data.microsoft.com: 20.50.201.206 (whitelisted)
th.bing.com: 92.123.104.50, 92.123.104.32, 92.123.104.37, 92.123.104.56, 92.123.104.36, 92.123.104.46, 92.123.104.49, 92.123.104.52, 92.123.104.41 (whitelisted)
www.bing.com: 92.123.104.41, 92.123.104.50, 92.123.104.32, 92.123.104.37, 92.123.104.56, 92.123.104.36, 92.123.104.46, 92.123.104.49, 92.123.104.52 (whitelisted)
ocsp.digicert.com: 184.30.131.245 (whitelisted)
oneocsp.microsoft.com: 204.79.197.203 (whitelisted)
google.com: 172.217.168.78 (whitelisted)
client.wns.windows.com: 172.211.123.249 (whitelisted)
login.live.com: 20.190.159.0, 40.126.31.128, 20.190.159.23, 20.190.159.128, 20.190.159.64, 40.126.31.130, 40.126.31.0, 20.190.159.4 (whitelisted)
crl.microsoft.com: 23.216.77.6, 23.216.77.28 (whitelisted)

Threats

Each entry lists the process (PID), the Suricata alert class, and the alert message.

PID 876, svchost.exe, Unknown Traffic: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
PID 2292, svchost.exe, Misc activity: INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
PID 6300, DiscordFix.exe, A Network Trojan was detected: MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
PID 6300, DiscordFix.exe, A Network Trojan was detected: MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
PID 6300, DiscordFix.exe, Misc activity: ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
PID 6300, DiscordFix.exe, Misc activity: ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
PID 1856, OfficeClickToRun.exe, A Network Trojan was detected: MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
PID 1856, OfficeClickToRun.exe, A Network Trojan was detected: MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
No debug info