File name:

587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d

Full analysis: https://app.any.run/tasks/aa7efae0-3ef3-4526-babf-b6c82736e4e5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: January 11, 2025, 00:18:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
exfiltration
stealer
evasion
unknownspf
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

2526087ABF65E717B9967D361E321A00

SHA1:

2D368660FBDF8A2D62CB70ED1B2EE06A888A2F52

SHA256:

587C10D632F8611321B9CD89498AAC57484C708AA31CFB1E513AAAE6D4CAE07D

SSDEEP:

6144:C7BvpzbEkw3oL9gdH92aXhibeNR7gcuDm:CdpX528aXsbeHgcSm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Disables Windows Defender

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 7160)

    • Attempting to use instant messaging service

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Stealers network behavior

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • UNKNOWNSPF has been detected (YARA)

      • 5d4dsrb3.bat (PID: 624)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6764)
      • sc.exe (PID: 6772)
      • sc.exe (PID: 6788)
      • sc.exe (PID: 6780)
      • sc.exe (PID: 7044)
      • sc.exe (PID: 5556)
      • sc.exe (PID: 5008)
      • sc.exe (PID: 1864)
      • sc.exe (PID: 6156)
      • sc.exe (PID: 6988)

    • Starts SC.EXE for service management

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 2744)
      • cmd.exe (PID: 6236)
      • 5d4dsrb3.bat (PID: 624)
      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 5432)
      • cmd.exe (PID: 644)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5572)

    • Reads security settings of Internet Explorer

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Stops a currently running service

      • sc.exe (PID: 3364)
      • sc.exe (PID: 6428)
      • sc.exe (PID: 6424)
      • sc.exe (PID: 2548)
      • sc.exe (PID: 6096)
      • sc.exe (PID: 7060)
      • sc.exe (PID: 6816)
      • sc.exe (PID: 6312)
      • sc.exe (PID: 6348)
      • sc.exe (PID: 6408)
      • sc.exe (PID: 6332)
      • sc.exe (PID: 6600)

    • Starts CMD.EXE for commands execution

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Executable content was dropped or overwritten

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • The process connected to a server suspected of theft

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3620)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3620)

    • Suspicious files were dropped or overwritten

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Starts itself from another location

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Starts application with an unusual extension

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Executing commands from a ".bat" file

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3620)

    • Uses WEVTUTIL.EXE to get a list of log names

      • cmd.exe (PID: 3620)

    • Starts POWERSHELL.EXE for commands execution

      • 5d4dsrb3.bat (PID: 624)

    • Checks for external IP

      • 5d4dsrb3.bat (PID: 624)

    • Potential Corporate Privacy Violation

      • 5d4dsrb3.bat (PID: 624)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 5d4dsrb3.bat (PID: 624)

  • INFO

    • Disables trace logs

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads the machine GUID from the registry

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads the computer name

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Reads Environment values

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Process checks computer location settings

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • The process uses the downloaded file

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Checks proxy server information

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Checks supported languages

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Creates files or folders in the user directory

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Attempting to use instant messaging service

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)
      • 5d4dsrb3.bat (PID: 624)

    • Create files in a temporary directory

      • 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe (PID: 6628)

    • Reads the software policy settings

      • 5d4dsrb3.bat (PID: 624)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 4804)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • cmd.exe (PID: 3620)

    • Reads Windows Product ID

      • 5d4dsrb3.bat (PID: 624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(624) 5d4dsrb3.bat
Discord-Webhook-Tokens (1)1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
Discord-Info-Links
1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
Get Webhook Infohttps://discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2094:01:11 19:02:45+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 230400
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 9.5.20.22
ProductVersionNumber: 9.5.20.22
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: unknownspf
FileVersion: 09.05.20.22
InternalName: unknownspf.exe
LegalCopyright: unknownapps
LegalTrademarks: unknownapps
OriginalFileName: unknownspf.exe
ProductName: unknownspf
ProductVersion: 09.05.20.22
AssemblyVersion: 0.0.0.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
189
Monitored processes
71
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs #UNKNOWNSPF 5d4dsrb3.bat cmd.exe no specs conhost.exe no specs attrib.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs timeout.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs attrib.exe no specs wevtutil.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs attrib.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
624"C:\Users\admin\AppData\Local\Temp\5d4dsrb3.bat" okC:\Users\admin\AppData\Local\Temp\5d4dsrb3.bat
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
User:
admin
Integrity Level:
HIGH
Description:
unknownspf
Version:
09.05.20.22
Modules
Images
c:\users\admin\appdata\local\temp\5d4dsrb3.bat
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
ims-api
(PID) Process(624) 5d4dsrb3.bat
Discord-Webhook-Tokens (1)1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
Discord-Info-Links
1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
Get Webhook Infohttps://discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
644"C:\Windows\System32\cmd.exe" /c sc stop wdfilterC:\Windows\System32\cmd.exe5d4dsrb3.bat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
720REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1448\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1864"C:\Windows\System32\sc.exe" config WdNisSvc start=disabledC:\Windows\System32\sc.exe5d4dsrb3.bat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1876\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2548sc stop WerSvcC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1062
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
2744"C:\Windows\System32\cmd.exe" /c sc stop WdNisSvcC:\Windows\System32\cmd.exe587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2828\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 341
Read events
23 296
Write events
43
Delete events
2

Modification events

(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableAntiSpyware
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:writeName:DisableBehaviorMonitoring
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:writeName:DisableOnAccessProtection
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:writeName:DisableScanOnRealtimeEnable
Value:
1
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:HiberbootEnabled
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Power
Operation:writeName:HiberbootEnabled
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6628) 587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
Executable files
1
Suspicious files
1
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u1hx3kbs.sii.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6628587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeC:\Users\admin\AppData\Local\Temp\5d4dsrb3.batexecutable
MD5:B19253A2D7A72050E0AF55090840331C
SHA256:0E8992DE4C8A20B1DF4F929484A5324E3AAC012793014EC02B221637AFA50B05
6245d4dsrb3.batC:\Users\admin\AppData\Roaming\spf\DISKIDtext
MD5:97B7721C4994E2556FF6A439510F665D
SHA256:FCDFFE3898566E2724189DCCB6ED38C7D7CD16B38918B99842754F714E26191C
6628587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exeC:\Users\admin\AppData\Roaming\spf\unknown.logtext
MD5:B90457E1F4214E63DAC9F07600CBFDA1
SHA256:8B302675835044F5209BA99958EECD75D5D14CE7B035BE45DE5354029C47907E
4804powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:0972DCF2F072FC40B0824F5C9F753C52
SHA256:95FF05F2384A6AA1E9D8825B61C76823D8D375D6BC9BE0B9B5B94BC2BB9FBFB6
6245d4dsrb3.batC:\Users\admin\AppData\Roaming\spf\CPUIDtext
MD5:7EC28B8B06426827ACE5DD970B5678DE
SHA256:ABB8D3E641573807B1F1C2E0415956FDA6B7B323C0F7BAB443D485613632F5B4
4804powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f5ge2cch.tpm.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q4dosktd.wfz.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pb1qx33q.evq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o2wip0sc.2fe.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
8
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2624
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2624
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
404
162.159.128.233:443
https://ptb.discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
unknown
binary
45 b
whitelisted
POST
404
162.159.137.232:443
https://ptb.discord.com/api/webhooks/1057760472977375252/Fi0ZLlt2w3-3x2kk1pZWOqBPyHA5eA6NMHw8BWKGOgMHO3moaEc1BQjqONY-JgMUwjs5
unknown
binary
45 b
whitelisted
GET
200
104.26.13.205:443
https://api.ipify.org/
unknown
text
13 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2624
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6628
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
162.159.128.233:443
ptb.discord.com
CLOUDFLARENET
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2624
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2624
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
ptb.discord.com
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.138.232
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
api.ipify.org
  • 104.26.13.205
  • 172.67.74.152
  • 104.26.12.205
shared
self.events.data.microsoft.com
  • 52.178.17.233
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6628
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
6628
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
624
5d4dsrb3.bat
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
624
5d4dsrb3.bat
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
624
5d4dsrb3.bat
Potential Corporate Privacy Violation
ET POLICY Possible IP Check api.ipify.org
624
5d4dsrb3.bat
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
587c10d632f8611321b9cd89498aac57484c708aa31cfb1e513aaae6d4cae07d