URL:

https://www.churilend.com

Full analysis: https://app.any.run/tasks/ed7de0d0-b822-4e18-a310-1d2bd7a4a939
Verdict: Malicious activity
Threats:

MicroStealer is a rapidly emerging infostealer first prominently observed in late 2025. It specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information. It spreads quickly with low detection rates thanks to a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.

Malware Trends Tracker     >>>
Analysis date: January 05, 2026, 21:25:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
stealer
microstealer
arch-doc
anti-evasion
Indicators:
MD5:

FB1390EE822445DF124ADB14E02C7495

SHA1:

3B7A149AC5822857701B8E40AE06B575B5D2C043

SHA256:

5294950B91A2BDA06656921D481247499F17E3576E35FD5112B8179C3C8CA410

SSDEEP:

3:N8DSLjLK:2OL6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 9020)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 9144)

    • MICROSTEALER has been detected (SURICATA)

      • svchost.exe (PID: 2292)
      • swazla.exe (PID: 8608)

    • Actions looks like stealing of personal data

      • swazla.exe (PID: 8608)

    • Uses Task Scheduler to autorun other applications

      • swazla.exe (PID: 8608)

    • MICROSTEALER has been detected (YARA)

      • swazla.exe (PID: 8608)

    • Antivirus name has been found in the command line (generic signature)

      • taskkill.exe (PID: 7772)

    • Steals credentials from Web Browsers

      • swazla.exe (PID: 8608)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • ChuriLend.exe (PID: 8556)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • ChuriLend.exe (PID: 8556)

    • Executable content was dropped or overwritten

      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8548)
      • swazla.exe (PID: 8608)

    • Starts CMD.EXE for commands execution

      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8948)

    • Get information on the list of running processes

      • ChuriLend.exe (PID: 8556)
      • cmd.exe (PID: 8596)
      • swazla.exe (PID: 8608)

    • Application launched itself

      • Game Launcher.exe (PID: 8948)

    • Drops 7-zip archiver for unpacking

      • ChuriLend.exe (PID: 8556)

    • Reads security settings of Internet Explorer

      • ChuriLend.exe (PID: 8556)

    • Process drops legitimate windows executable

      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8548)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 9020)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 9020)

    • There is functionality for taking screenshot (YARA)

      • ChuriLend.exe (PID: 8556)
      • swazla.exe (PID: 8608)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 9020)

    • The process executes Powershell scripts

      • cmd.exe (PID: 9020)

    • The process drops C-runtime libraries

      • Game Launcher.exe (PID: 8548)

    • Uses WMIC.EXE to obtain Windows Installer data

      • swazla.exe (PID: 8608)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2292)

    • Uses TASKKILL.EXE to kill process

      • swazla.exe (PID: 8608)

    • Uses TASKKILL.EXE to kill Browsers

      • swazla.exe (PID: 8608)

    • Loads DLL from Mozilla Firefox

      • swazla.exe (PID: 8608)

    • Possible stealing from browsers

      • swazla.exe (PID: 8608)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 7536)

    • Checks supported languages

      • identity_helper.exe (PID: 4576)
      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8948)
      • Game Launcher.exe (PID: 9124)
      • Game Launcher.exe (PID: 9136)
      • Game Launcher.exe (PID: 8548)
      • swazla.exe (PID: 8608)
      • TextInputHost.exe (PID: 9184)

    • Reads the computer name

      • identity_helper.exe (PID: 4576)
      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8948)
      • Game Launcher.exe (PID: 9124)
      • Game Launcher.exe (PID: 9136)
      • swazla.exe (PID: 8608)
      • TextInputHost.exe (PID: 9184)

    • The sample compiled with english language support

      • msedge.exe (PID: 7536)
      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8548)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7536)

    • Reads Environment values

      • identity_helper.exe (PID: 4576)
      • Game Launcher.exe (PID: 8948)
      • Game Launcher.exe (PID: 8548)

    • Create files in a temporary directory

      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8948)
      • swazla.exe (PID: 8608)

    • Creates a software uninstall entry

      • ChuriLend.exe (PID: 8556)

    • Manual execution by a user

      • Game Launcher.exe (PID: 8948)
      • notepad.exe (PID: 4476)

    • Reads the machine GUID from the registry

      • Game Launcher.exe (PID: 8948)
      • swazla.exe (PID: 8608)

    • Reads product name

      • Game Launcher.exe (PID: 8948)
      • Game Launcher.exe (PID: 8548)

    • Checks proxy server information

      • Game Launcher.exe (PID: 8948)
      • slui.exe (PID: 6296)

    • Creates files or folders in the user directory

      • ChuriLend.exe (PID: 8556)
      • Game Launcher.exe (PID: 8548)
      • swazla.exe (PID: 8608)

    • Process checks computer location settings

      • Game Launcher.exe (PID: 8948)
      • Game Launcher.exe (PID: 8548)

    • The executable file from the user directory is run by the Powershell process

      • Game Launcher.exe (PID: 8548)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8600)
      • WMIC.exe (PID: 8564)
      • WMIC.exe (PID: 8540)
      • WMIC.exe (PID: 1752)
      • WMIC.exe (PID: 8868)
      • WMIC.exe (PID: 8100)
      • WMIC.exe (PID: 8896)
      • WMIC.exe (PID: 9000)
      • WMIC.exe (PID: 8280)
      • WMIC.exe (PID: 8576)
      • WMIC.exe (PID: 8076)
      • WMIC.exe (PID: 7272)
      • WMIC.exe (PID: 8572)
      • WMIC.exe (PID: 7708)
      • WMIC.exe (PID: 3176)
      • WMIC.exe (PID: 4300)
      • WMIC.exe (PID: 7948)
      • WMIC.exe (PID: 2228)
      • WMIC.exe (PID: 7248)
      • WMIC.exe (PID: 7844)
      • WMIC.exe (PID: 8928)
      • WMIC.exe (PID: 8844)
      • WMIC.exe (PID: 9204)
      • WMIC.exe (PID: 7172)
      • WMIC.exe (PID: 7256)
      • WMIC.exe (PID: 3500)
      • WMIC.exe (PID: 8812)
      • WMIC.exe (PID: 8476)
      • WMIC.exe (PID: 7748)
      • WMIC.exe (PID: 7940)
      • WMIC.exe (PID: 9080)
      • WMIC.exe (PID: 7428)
      • WMIC.exe (PID: 8932)
      • WMIC.exe (PID: 800)
      • WMIC.exe (PID: 7712)
      • WMIC.exe (PID: 6556)
      • WMIC.exe (PID: 8124)
      • notepad.exe (PID: 4476)
      • WMIC.exe (PID: 9128)

    • Attempting to use instant messaging service

      • swazla.exe (PID: 8608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
445
Monitored processes
292
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs churilend.exe cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs game launcher.exe no specs cmd.exe no specs conhost.exe no specs game launcher.exe no specs game launcher.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs game launcher.exe #MICROSTEALER swazla.exe wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs updater.exe no specs updater.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs #MICROSTEALER svchost.exe taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs textinputhost.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs slui.exe tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs tasklist.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs notepad.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
148tasklist.exeC:\Windows\System32\tasklist.exeswazla.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
408\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
412taskkill /F /IM liebao.exeC:\Windows\System32\taskkill.exeswazla.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
800WMIC /Node:localhost /Namespace:\\root\CIMV2 Path Win32_ComputerSystemProduct Get UUID /Format:ListC:\Windows\System32\wbem\WMIC.exeswazla.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1296\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1352taskkill /F /IM coowon.exeC:\Windows\System32\taskkill.exeswazla.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1412\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1412\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
28 531
Read events
28 518
Write events
13
Delete events
0

Modification events

(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:InstallLocation
Value:
C:\Users\admin\AppData\Local\Programs\GameLauncher
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:KeepShortcuts
Value:
true
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:ShortcutName
Value:
Game Launcher
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:DisplayName
Value:
Game Launcher 1.0.0
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:UninstallString
Value:
"C:\Users\admin\AppData\Local\Programs\GameLauncher\Uninstall Game Launcher.exe" /currentuser
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:QuietUninstallString
Value:
"C:\Users\admin\AppData\Local\Programs\GameLauncher\Uninstall Game Launcher.exe" /currentuser /S
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:DisplayVersion
Value:
1.0.0
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:DisplayIcon
Value:
C:\Users\admin\AppData\Local\Programs\GameLauncher\Game Launcher.exe,0
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:Publisher
Value:
Game Development Team
(PID) Process:(8556) ChuriLend.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e5f0cfd6-7137-5d7d-9d50-4069374ff91c
Operation:writeName:NoModify
Value:
1
Executable files
152
Suspicious files
226
Text files
290
Unknown types
7

Dropped files

PID
Process
Filename
Type
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFfddf3.TMP
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFfdde3.TMP
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfde03.TMP
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFfde03.TMP
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfde31.TMP
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFfde31.TMP
MD5:
SHA256:
7536msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
113
TCP/UDP connections
76
DNS requests
58
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7868
msedge.exe
GET
200
216.198.79.65:443
https://www.churilend.com/steam/apps/2851270/extras/FoxyRush_forGif1__1_9eae.gif?t=1712300915
US
unknown
7868
msedge.exe
GET
200
216.198.79.65:443
https://www.churilend.com/steam/apps/2851270/extras/FoxyRush_forGif2__1_9eae.gif?t=1712300915
US
unknown
7868
msedge.exe
GET
200
216.198.79.65:443
https://www.churilend.com/steam/apps/2851270/extras/FoxyRush_forGif3__1_9eae.gif?t=1712300915
US
unknown
7868
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:2MIB2-vT3bGAqNt94AX74EBZKJaORSH5tEAUqMhkrYc&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
102 b
whitelisted
7868
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
text
446 b
whitelisted
7868
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=65&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0
US
text
768 b
whitelisted
7868
msedge.exe
GET
200
104.18.22.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
text
25 b
whitelisted
7868
msedge.exe
GET
200
216.198.79.65:443
https://www.churilend.com/
US
html
24.9 Kb
unknown
7868
msedge.exe
GET
200
216.198.79.65:443
https://www.churilend.com/css/main.css
US
text
128 Kb
unknown
7868
msedge.exe
GET
200
216.198.79.65:443
https://www.churilend.com/css/plugins.css
US
text
128 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5180
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
816
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7868
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7868
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7868
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7868
msedge.exe
216.198.79.65:443
www.churilend.com
AMAZON-02
US
unknown
7868
msedge.exe
104.18.22.222:443
copilot.microsoft.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.251.208.14
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
www.churilend.com
  • 216.198.79.65
  • 64.29.17.65
unknown
copilot.microsoft.com
  • 104.18.22.222
  • 104.18.23.222
whitelisted
www.bing.com
  • 2.16.204.150
  • 2.16.204.156
  • 2.16.204.160
  • 2.16.204.158
  • 2.16.204.146
  • 2.16.204.135
  • 2.16.204.149
  • 2.16.204.145
  • 2.16.204.161
  • 2.16.204.153
  • 2.16.204.136
  • 2.16.204.134
  • 2.16.204.138
  • 2.16.204.132
  • 2.16.204.155
whitelisted
xpaywalletcdn.azureedge.net
  • 13.107.246.44
  • 13.107.213.44
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
userstatics.com
  • 195.177.94.253
unknown

Threats

PID
Process
Class
Message
7868
msedge.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
7868
msedge.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
7868
msedge.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Potentially Bad Traffic
ET INFO PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO EXE - Served Attached HTTP
2292
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2292
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
8608
swazla.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
8608
swazla.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
8608
swazla.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/MicroStealer activity observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.churilend.com