File name: Cards-Checker by @BossShooTeR.exe

Full analysis: https://app.any.run/tasks/ec48136a-566f-46a0-bb92-b4aa3cf80df3
Verdict: Malicious activity
Analysis date: March 24, 2025, 17:05:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
pyinstaller
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5: 547703AF566E5323E5A0D1F5F09068E5
SHA1: 8041CDC9910B90E39B571C469697116F7B9F4CF8
SHA256: 66CA1B7EDFB0F12CEF307DC28D81AE0BE5FE9F5193DC1F6C10557D7257F719DF
SSDEEP: 98304:lVIyDEL0ynqSO+Evepqczwevzqd25TjgOX+b9RvOYVAYwVf9TtYw9pk9dbXtpEKO:TwWI4fR433LnAUbrvJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Process drops legitimate windows executable

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Executable content was dropped or overwritten

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Process drops python dynamic module

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Application launched itself

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Starts CMD.EXE for commands execution

      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Loads Python modules

      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 2616)
      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • There is functionality for taking screenshot (YARA)

      • Cards-Checker by @BossShooTeR.exe (PID: 736)
  • INFO

    • The sample compiled with english language support

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Reads the computer name

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
      • ShellExperienceHost.exe (PID: 2616)
      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Checks supported languages

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
      • Cards-Checker by @BossShooTeR.exe (PID: 736)
      • ShellExperienceHost.exe (PID: 2616)
    • Create files in a temporary directory

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 6424)
      • BackgroundTransferHost.exe (PID: 2772)
      • BackgroundTransferHost.exe (PID: 6576)
      • BackgroundTransferHost.exe (PID: 5308)
      • BackgroundTransferHost.exe (PID: 1164)
      • BackgroundTransferHost.exe (PID: 4068)
      • notepad.exe (PID: 7628)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 2772)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 2772)
      • slui.exe (PID: 2064)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 2772)
      • slui.exe (PID: 4408)
      • slui.exe (PID: 2064)
    • PyInstaller has been detected (YARA)

      • Cards-Checker by @BossShooTeR.exe (PID: 6240)
      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Reads the machine GUID from the registry

      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Checks operating system version

      • Cards-Checker by @BossShooTeR.exe (PID: 736)
    • Manual execution by a user

      • firefox.exe (PID: 5036)
      • notepad.exe (PID: 7628)
    • Application launched itself

      • firefox.exe (PID: 5036)
      • firefox.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (736) Cards-Checker by @BossShooTeR.exe
Telegram-Tokens (1): 6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4
Telegram-Info-Links for token 6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4:
Get info about bot: https://api.telegram.org/bot6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4/getMe
Get incoming updates: https://api.telegram.org/bot6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4/getUpdates
Get webhook: https://api.telegram.org/bot6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4/getWebhookInfo
Delete webhook: https://api.telegram.org/bot6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 6556332206:AAEQSSlkjsSKrj9rW6V0BRevpBt2tTEUIf4
End-Point: sendMessage
Args
chat_id (1): 5960891953
text (1): z, CARDS V1 BY BOSSSHOOTER | RUNNING | Total :z | Hits : z | Bad : z | CHECKED :z
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:01 23:13:54+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 176640
InitializedDataSize: 145408
UninitializedDataSize: -
EntryPoint: 0xc320
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes
167
Monitored processes
29
Malicious processes
2
Suspicious processes
0

Behavior graph

start cards-checker by @bossshooter.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs cards-checker by @bossshooter.exe no specs cmd.exe no specs shellexperiencehost.exe no specs slui.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 736
CMD: "C:\Users\admin\AppData\Local\Temp\Cards-Checker by @BossShooTeR.exe"
Path: C:\Users\admin\AppData\Local\Temp\Cards-Checker by @BossShooTeR.exe
Parent process: Cards-Checker by @BossShooTeR.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\cards-checker by @bossshooter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1164
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1324
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 2696 -prefMapHandle 4832 -prefsLen 38055 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e2a0a53-d3f2-47aa-8435-6dd1d31d55e8} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 1995fc2b110 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
PID: 1348
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 5172 -prefsLen 31251 -prefMapSize 244583 -jsInitHandle 1196 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5c680a4-699f-454d-9378-3b24053b313b} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 19961e6b4d0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1672
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 2064
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2320
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1896 -parentBuildID 20240213221259 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88ea6f6-652c-4120-87f5-7bb45aacabc6} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 199575f0510 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
PID: 2616
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID: 2656
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2772
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
Total events
22 098
Read events
22 059
Write events
39
Delete events
0

Modification events

(PID) Process: (6424) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (6424) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (6424) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
(PID) Process: (2772) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (2772) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (2772) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
(PID) Process: (6576) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (6576) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (6576) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
(PID) Process: (5308) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:
Executable files
23
Suspicious files
182
Text files
946
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_hashlib.pyd | executable
MD5: 96BDC361B3127F01EEFBF0B54DC2813A
SHA256: 95760D2F49B695CB0DC03720E2CDCE34D1215285023F2BB7690F268E434C7871
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_ctypes.pyd | executable
MD5: 22CF43EACA1F0745896CCD7E8910F9E4
SHA256: AAF9F6487B618AEB15DFE7D77B3F0D58185718FD68631323E56392DDEF1D000F
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\VCRUNTIME140.dll | executable
MD5: A87575E7CF8967E481241F13940EE4F7
SHA256: DED5ADAA94341E6C62AEA03845762591666381DCA30EB7C17261DD154121B83E
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_queue.pyd | executable
MD5: AAC0035F5B5868A3E92DF59F19E00773
SHA256: 1FF1C01BE25FD6797B263474C1C8DF45107796A7E4D465E32A908D572D647B64
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_pytransform.dll | executable
MD5: ECC976778257EC37019AF4A4530A1003
SHA256: A71932FF7D5A1C66998DB37A3BB4BBD1DF0BAFFDD29B4380692AD6C44B401E87
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_lzma.pyd | executable
MD5: ECD60B380B7875D2521739E7ACF365FC
SHA256: 1DCB9689A2A3EB1C2554CAEC217D4F6A10CF677701BCB6F762D6CC2111D14C4A
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_decimal.pyd | executable
MD5: EA868D77EDD4FA3281048FDD45D5CDF4
SHA256: A3B5F473BDF602442444DE670B30D768E202B268209774D40C172EBA4E226624
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_bz2.pyd | executable
MD5: C013236B137B64FF2F30DC0C2AF56084
SHA256: C435022D2CC868E26CDE10E7749862EE8A177FCED3289D49C3BC33AF0C949D3F
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_multiprocessing.pyd | executable
MD5: 484A580CA0398AE225EEFE012738687E
SHA256: CB1F313DE6B1C6F152091B5044554C453DE6378DC2EAC17171BA4A262E30711F
PID 6240 | Cards-Checker by @BossShooTeR.exe | C:\Users\admin\AppData\Local\Temp\_MEI62402\_socket.pyd | executable
MD5: AC90B2535025C3D2D88632591B619B73
SHA256: ED1D6E0AA8237E491DDE3C3FDFA6F4DF35585EADF4716473F98AA86AA0A910D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
59
TCP/UDP connections
153
DNS requests
170
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Type / Size | Reputation
- | - | GET | 200 | 88.221.110.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2772 | BackgroundTransferHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4008 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3896 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2656 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
3896 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2656 | firefox.exe | POST | 200 | 216.58.212.163:80 | http://o.pki.goog/s/wr3/cgo | unknown | whitelisted
2656 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
2656 | firefox.exe | POST | 200 | 23.53.40.144:80 | http://r10.o.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 88.221.110.122:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.159.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4008 | backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4008 | backgroundTaskHost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2772 | BackgroundTransferHost.exe | 2.19.96.11:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.174 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 88.221.110.122, 88.221.110.114 | whitelisted
client.wns.windows.com | 40.115.3.253, 40.113.103.199 | whitelisted
login.live.com | 20.190.159.71, 40.126.31.69, 40.126.31.3, 40.126.31.67, 20.190.159.2, 40.126.31.129, 20.190.159.23, 20.190.159.129 | whitelisted
ocsp.digicert.com | 2.23.77.188, 23.54.109.203 | whitelisted
arc.msn.com | 20.199.58.43, 20.223.36.55 | whitelisted
www.bing.com | 2.19.96.11, 2.19.96.128, 2.19.96.83, 2.19.96.80, 2.19.96.8, 2.19.96.130, 2.19.96.50, 2.19.96.26, 2.19.96.18 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted

Threats

No threats detected
No debug info