File name:

587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d

Full analysis: https://app.any.run/tasks/aa7efae0-3ef3-4526-babf-b6c82736e4e5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: January 11, 2025, 00:18:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
exfiltration
stealer
evasion
unknownspf
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

2526087ABF65E717B9967D361E321A00

SHA1:

2D368660FBDF8A2D62CB70ED1B2EE06A888A2F52

SHA256:

587C10D632F8611321B9CD89498AAC57484C708AA31CFB1E513AAAE6D4CAE07D

SSDEEP:

6144:C7BvpzbEkw3oL9gdH92aXhibeNR7gcuDm:CdpX528aXsbeHgcSm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Disables Windows Defender

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 7160)

    • Attempting to use instant messaging service

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Stealers network behavior

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • UNKNOWNSPF has been detected (YARA)

      • 5d4dsrb3.bat (PID: 624)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads the date of Windows installation

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6764)
      • sc.exe (PID: 6780)
      • sc.exe (PID: 6788)
      • sc.exe (PID: 6772)
      • sc.exe (PID: 7044)
      • sc.exe (PID: 5008)
      • sc.exe (PID: 5556)
      • sc.exe (PID: 1864)
      • sc.exe (PID: 6156)
      • sc.exe (PID: 6988)

    • Stops a currently running service

      • sc.exe (PID: 3364)
      • sc.exe (PID: 6428)
      • sc.exe (PID: 6424)
      • sc.exe (PID: 2548)
      • sc.exe (PID: 6096)
      • sc.exe (PID: 7060)
      • sc.exe (PID: 6312)
      • sc.exe (PID: 6348)
      • sc.exe (PID: 6408)
      • sc.exe (PID: 6332)
      • sc.exe (PID: 6816)
      • sc.exe (PID: 6600)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7116)
      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 2744)
      • cmd.exe (PID: 6236)
      • 5d4dsrb3.bat (PID: 624)
      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5432)
      • cmd.exe (PID: 5572)
      • cmd.exe (PID: 644)

    • Starts CMD.EXE for commands execution

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • The process connected to a server suspected of theft

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Starts application with an unusual extension

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Suspicious files were dropped or overwritten

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Executable content was dropped or overwritten

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Starts itself from another location

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Executing commands from a ".bat" file

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3620)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3620)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3620)

    • Uses WEVTUTIL.EXE to get a list of log names

      • cmd.exe (PID: 3620)

    • Potential Corporate Privacy Violation

      • 5d4dsrb3.bat (PID: 624)

    • Checks for external IP

      • 5d4dsrb3.bat (PID: 624)

    • Starts POWERSHELL.EXE for commands execution

      • 5d4dsrb3.bat (PID: 624)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 5d4dsrb3.bat (PID: 624)

  • INFO

    • Disables trace logs

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Checks proxy server information

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads the computer name

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Process checks computer location settings

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Checks supported languages

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads Environment values

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads the machine GUID from the registry

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • The process uses the downloaded file

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Attempting to use instant messaging service

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Creates files or folders in the user directory

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Create files in a temporary directory

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Reads the software policy settings

      • 5d4dsrb3.bat (PID: 624)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • cmd.exe (PID: 3620)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4804)
      • powershell.exe (PID: 6652)

    • Reads Windows Product ID

      • 5d4dsrb3.bat (PID: 624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(624) 5d4dsrb3.bat
Discord-Webhook-Tokens (1)1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
Discord-Info-Links
1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
Get Webhook Infohttps://discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

AssemblyVersion: 0.0.0.0
ProductVersion: 09.05.20.22
ProductName: unknownspf
OriginalFileName: unknownspf.exe
LegalTrademarks: unknownapps
LegalCopyright: unknownapps
InternalName: unknownspf.exe
FileVersion: 09.05.20.22
FileDescription: unknownspf
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 9.5.20.22
FileVersionNumber: 9.5.20.22
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x0000
UninitializedDataSize: -
InitializedDataSize: 4608
CodeSize: 230400
LinkerVersion: 48
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2094:01:11 19:02:45+00:00
MachineType: AMD AMD64
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
189
Monitored processes
71
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs #UNKNOWNSPF 5d4dsrb3.bat cmd.exe no specs conhost.exe no specs attrib.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs timeout.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs attrib.exe no specs wevtutil.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs attrib.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6472"C:\Users\admin\Desktop\587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe" C:\Users\admin\Desktop\587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
unknownspf
Exit code:
3221226540
Version:
09.05.20.22
Modules
Images
c:\users\admin\desktop\587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
c:\windows\system32\ntdll.dll
6628"C:\Users\admin\Desktop\587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe" C:\Users\admin\Desktop\587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
unknownspf
Exit code:
4294967295
Version:
09.05.20.22
Modules
Images
c:\users\admin\desktop\587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6764"C:\Windows\System32\sc.exe" config WinDefend start=disabledC:\Windows\System32\sc.exe587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6772"C:\Windows\System32\sc.exe" config wdfilter start=disabledC:\Windows\System32\sc.exe587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6780"C:\Windows\System32\sc.exe" config WerSvc start=disabledC:\Windows\System32\sc.exe587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6788"C:\Windows\System32\sc.exe" config WdNisSvc start=disabledC:\Windows\System32\sc.exe587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6796\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6820\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 341
Read events
23 296
Write events
43
Delete events
2

Modification events

(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableAntiSpyware
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:writeName:DisableBehaviorMonitoring
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:writeName:DisableOnAccessProtection
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:writeName:DisableScanOnRealtimeEnable
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:HiberbootEnabled
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Power
Operation:writeName:HiberbootEnabled
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
Executable files
1
Suspicious files
1
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
6628587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeC:\Users\admin\AppData\Roaming\spf\unknown.logtext
MD5:B90457E1F4214E63DAC9F07600CBFDA1
SHA256:8B302675835044F5209BA99958EECD75D5D14CE7B035BE45DE5354029C47907E
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pb1qx33q.evq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4804powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iqmgq4ed.pkr.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q4dosktd.wfz.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4804powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f5ge2cch.tpm.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6245d4dsrb3.batC:\Users\admin\AppData\Roaming\spf\CPUIDtext
MD5:7EC28B8B06426827ACE5DD970B5678DE
SHA256:ABB8D3E641573807B1F1C2E0415956FDA6B7B323C0F7BAB443D485613632F5B4
6245d4dsrb3.batC:\Users\admin\AppData\Roaming\spf\DISKIDtext
MD5:97B7721C4994E2556FF6A439510F665D
SHA256:FCDFFE3898566E2724189DCCB6ED38C7D7CD16B38918B99842754F714E26191C
6628587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeC:\Users\admin\AppData\Local\Temp\5d4dsrb3.batexecutable
MD5:B19253A2D7A72050E0AF55090840331C
SHA256:0E8992DE4C8A20B1DF4F929484A5324E3AAC012793014EC02B221637AFA50B05
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o2wip0sc.2fe.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4804powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m3qswutg.zl2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
8
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2624
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2624
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
104.26.13.205:443
https://api.ipify.org/
unknown
text
13 b
malicious
POST
404
162.159.137.232:443
https://ptb.discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
unknown
binary
45 b
whitelisted
POST
404
162.159.128.233:443
https://ptb.discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
unknown
binary
45 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2624
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6628
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
162.159.128.233:443
ptb.discord.com
CLOUDFLARENET
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2624
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2624
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
ptb.discord.com
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.138.232
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
api.ipify.org
  • 104.26.13.205
  • 172.67.74.152
  • 104.26.12.205
shared
self.events.data.microsoft.com
  • 52.178.17.233
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
Potential Corporate Privacy Violation
ET POLICY Possible IP Check api.ipify.org
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d