| File name: | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe |
| Full analysis: | https://app.any.run/tasks/b39af934-d151-456b-b500-3055a23e8b0e |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 02, 2025, 07:28:37 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | 7A9DDE97B8670546982D7FD6D8321101 |
| SHA1: | 0DDB743771CFE369EC95D47902911EA4ACFD7697 |
| SHA256: | 8E0D21A2180AD64E691E14EDDF1D94B5833C33CE685411D6F156148C41F8A579 |
| SSDEEP: | 196608:fYo0M57yNGRvzIuGgHXoKrd+/RAWfPF5lXa:gDs2jI3brp2H |
MALICIOUS
TROX has been detected
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Changes the autorun value in the registry
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Actions looks like stealing of personal data
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Steals credentials from Web Browsers
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
SUSPICIOUS
The process drops C-runtime libraries
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Process drops legitimate windows executable
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Loads Python modules
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)
- cmd.exe (PID: 3884)
Uses WMIC.EXE to obtain computer system information
- cmd.exe (PID: 3124)
Application launched itself
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Starts CMD.EXE for commands execution
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Uses WMIC.EXE to obtain Windows Installer data
- cmd.exe (PID: 1696)
Accesses product unique identifier via WMI (SCRIPT)
- WMIC.exe (PID: 6980)
Process drops python dynamic module
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Executable content was dropped or overwritten
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Checks for external IP
- svchost.exe (PID: 2196)
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Uses WMIC.EXE to obtain BIOS management information
- cmd.exe (PID: 7804)
Reads security settings of Internet Explorer
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Uses WMIC.EXE to obtain physical disk drive information
- cmd.exe (PID: 5592)
INFO
Checks supported languages
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
The sample compiled with english language support
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Create files in a temporary directory
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Launch of the file from Registry key
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 7420)
- WMIC.exe (PID: 6980)
- WMIC.exe (PID: 1616)
- notepad.exe (PID: 7948)
- notepad.exe (PID: 8100)
- notepad.exe (PID: 7560)
- notepad.exe (PID: 7424)
- WMIC.exe (PID: 7492)
- WMIC.exe (PID: 7980)
- notepad.exe (PID: 4164)
- notepad.exe (PID: 7788)
- notepad.exe (PID: 7748)
- notepad.exe (PID: 5116)
- notepad.exe (PID: 6464)
- notepad.exe (PID: 856)
Checks proxy server information
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
- slui.exe (PID: 7312)
Reads the computer name
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 2084)
- 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe (PID: 4020)
Manual execution by a user
- notepad.exe (PID: 4164)
- notepad.exe (PID: 8100)
- notepad.exe (PID: 7948)
- notepad.exe (PID: 7560)
- notepad.exe (PID: 7424)
- notepad.exe (PID: 856)
- notepad.exe (PID: 7748)
- notepad.exe (PID: 6464)
- notepad.exe (PID: 5116)
- notepad.exe (PID: 7788)
Reads the software policy settings
- slui.exe (PID: 7312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:05:23 23:11:14+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 143360 |
| InitializedDataSize: | 19537408 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd3a4 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
149
Monitored processes
29
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 856 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\chrome_passwords.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1616 | wmic bios get smbiosbiosversion,manufacturer | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1696 | C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid" | C:\Windows\System32\cmd.exe | — | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2084 | C:\Users\admin\Desktop\8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\Desktop\8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3124 | C:\WINDOWS\system32\cmd.exe /c "wmic computersystem get manufacturer,model" | C:\Windows\System32\cmd.exe | — | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3884 | C:\WINDOWS\system32\cmd.exe /c "wmic baseboard get product,manufacturer" | C:\Windows\System32\cmd.exe | — | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4020 | "C:\Users\admin\Desktop\8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe" | C:\Users\admin\Desktop\8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4164 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\edge_history.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9 527
Read events
9 526
Write events
1
Delete events
0
Modification events
| (PID) Process: | (2084) 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | SwiftC2Helper |
Value: C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\stealer v3.py | |||
Executable files
73
Suspicious files
26
Text files
18
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_elementtree.pyd | executable | |
MD5:B8925406DE227FF5F760C323E49E3CB1 | SHA256:70FC914893759ABE1D197378D0C710FC206FA78BB8820E706CCDA6877BA62A91 | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_decimal.pyd | executable | |
MD5:240A03069D6968741B703D026337AD2C | SHA256:E23C58ACB7B4A85DE32F9FEAE60AC85F9E4580409BACA5D36EC4777F0528F3AF | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_bz2.pyd | executable | |
MD5:2BE172C3086EFE56C7E1D3279142295A | SHA256:7F20792D8600203F7AC0C229E1387E8D40328F9DA22D2ACBA95B3761B5E49950 | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_ctypes.pyd | executable | |
MD5:9314AB9707985AAF6E234B5C1FC3C3C6 | SHA256:61B0C1D7A53049859968821B7CA6289AA433B505BCA80C283EB4492EBE9FD2FD | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_hashlib.pyd | executable | |
MD5:72B2F8CDF8D6B1DBBDD4E0C0BACF849E | SHA256:818C4CF51E93CEFDB6EDD64341B034B46FAC2DBF77158FF60C77FE3D5BBC80EC | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_queue.pyd | executable | |
MD5:6FFC75670DFED859CC7CA266BCC89816 | SHA256:0B050F8A9292791FA10282632EAFAA35429B29490D318A89ADA9257608B8FBDF | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_socket.pyd | executable | |
MD5:0106EE3F61A54D922190B3A01C81A453 | SHA256:C22DF48785B684A8EBEAEF5ABFC35840A6B67926BC0366214D74842F7B71D6BA | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_sqlite3.pyd | executable | |
MD5:AE09223D32AF003B20889BD66A95B963 | SHA256:64B51DF2805C58B023A875E8AE3BE7AC7F61EF664F32CA6C90F6315DA47EF0BC | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_lzma.pyd | executable | |
MD5:7C25A079B992919CC97221955DAC050C | SHA256:7EA254E37D820EAB6E9D312C390D1039EDB78C8B7D913F5A86A91CB0261CE3FF | |||
| 4020 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | C:\Users\admin\AppData\Local\Temp\onefile_4020_133933229280449971\_ssl.pyd | executable | |
MD5:ED9242721197FD84231B38E6B42F3F55 | SHA256:6F4E1FCFC8239BFF5F7FBCA5AD804832D6708B5F6DBFCCE47405D7D3750555FF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
43
DNS requests
18
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
472 | RUXIMICS.exe | GET | 200 | 2.20.245.136:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
472 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.237.62.213:443 | https://api64.ipify.org/ | unknown | text | 13 b | — |
— | — | POST | 200 | 40.126.31.1:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | POST | 200 | 40.126.31.1:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
— | — | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
4424 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
472 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
472 | RUXIMICS.exe | 2.20.245.136:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
472 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
2084 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | 104.237.62.213:443 | api64.ipify.org | WEBNX | US | unknown |
2084 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | 104.26.9.44:443 | ipapi.co | CLOUDFLARENET | US | shared |
2084 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | 31.14.70.245:443 | store4.gofile.io | MOJI SAS | FR | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
api64.ipify.org |
| unknown |
ipapi.co |
| shared |
store4.gofile.io |
| whitelisted |
discord.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
2084 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup) |
— | — | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0) |
— | — | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
— | — | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0) |
2084 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io) |
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io) |
2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2084 | 8e0d21a2180ad64e691e14eddf1d94b5833c33ce685411d6f156148c41f8a579.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |