File name: 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1

Full analysis: https://app.any.run/tasks/5eeade0f-e9fe-4a31-8464-5e8823409a30
Verdict: Malicious activity
Threats: AsyncRAT

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: April 15, 2025, 19:09:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: attachments, attc-unc, stealer, ims-api, generic, stormkitty, evasion, telegram, worldwind, asyncrat, rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 687055CC2509DA593C356B9C24327CFD
SHA1: E2B6836352EBEAA4D6C07557CBD966D0EE54D6CB
SHA256: 8F47D92E96D2719A45CE580BF21F207090B52518570025097A3074FD800A82C1
SSDEEP: 49152:dUx51TgQvL94KZ41aKfCylE9TwXvT1clGJZrJ5K2:y/Fzv54K52blc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • SERVER BOT.EXE (PID: 7416)
    • STORMKITTY has been detected (YARA)

      • SERVER BOT.EXE (PID: 7416)
    • Steals credentials from Web Browsers

      • SERVER BOT.EXE (PID: 7416)
    • ASYNCRAT has been detected (MUTEX)

      • SERVER BOT.EXE (PID: 7416)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • The process checks if it is being run in a virtual environment

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Reads security settings of Internet Explorer

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Writes to the desktop.ini file (may be used to cloak folders)

      • SERVER BOT.EXE (PID: 7416)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • SERVER BOT.EXE (PID: 7416)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 8068)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7860)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 8068)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • SERVER BOT.EXE (PID: 7416)
    • Starts CMD.EXE for command execution

      • SERVER BOT.EXE (PID: 7416)
    • Potential Corporate Privacy Violation

      • SERVER BOT.EXE (PID: 7416)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • SERVER BOT.EXE (PID: 7416)
  • INFO

    • Creates files in a temporary directory

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
      • SERVER BOT.EXE (PID: 7416)
    • Reads the computer name

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
      • SILVERBULLETPRO.EXE (PID: 7424)
      • SERVER BOT.EXE (PID: 7416)
    • Checks supported languages

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
      • SERVER BOT.EXE (PID: 7416)
      • SILVERBULLETPRO.EXE (PID: 7424)
      • chcp.com (PID: 8116)
      • chcp.com (PID: 7912)
    • Process checks computer location settings

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7460)
      • OpenWith.exe (PID: 7980)
      • OpenWith.exe (PID: 6700)
      • OpenWith.exe (PID: 672)
      • OpenWith.exe (PID: 7220)
      • OpenWith.exe (PID: 4220)
    • Reads the machine GUID from the registry

      • SERVER BOT.EXE (PID: 7416)
    • Creates files or folders in the user directory

      • SERVER BOT.EXE (PID: 7416)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 8068)
    • Disables trace logs

      • SERVER BOT.EXE (PID: 7416)
    • Manual execution by a user

      • OpenWith.exe (PID: 7980)
      • OpenWith.exe (PID: 6700)
      • OpenWith.exe (PID: 672)
      • OpenWith.exe (PID: 7220)
      • OpenWith.exe (PID: 4220)
    • Reads CPU info

      • SERVER BOT.EXE (PID: 7416)
    • Checks proxy server information

      • SERVER BOT.EXE (PID: 7416)
      • slui.exe (PID: 7448)
    • Reads the software policy settings

      • SERVER BOT.EXE (PID: 7416)
      • slui.exe (PID: 7448)
    • Attempts to use an instant messaging service

      • SERVER BOT.EXE (PID: 7416)

ims-api

(PID) Process: (7416) SERVER BOT.EXE
Telegram-Tokens (1): 1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8
Telegram-Info-Links for token 1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8:
Get info about bot: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/getMe
Get incoming updates: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/getUpdates
Get webhook: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/getWebhookInfo
Delete webhook: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8
End-Point: send
Args: -

StormKitty

(PID) Process: (7416) SERVER BOT.EXE
C2 (1): 127.0.0.1
Ports (3): 6606, 7707, 8808
Credentials
Protocol: telegram
URL: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
Token: 7557878970:AAGK-77Z__cCdoMjeFBTGoWLVAg2XPHco-I
ChatId: 8178371083
Version: -
Botnet: Default
Options
AutoRun: false
Mutex: AsyncMutex_6SI8OkPnk
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...
Server_Signature: krHOJdFhzbWJkBsd5VIEW+QEYvDROonPkGyIzxGTfMlIeaXPBgcotquYfuh8qcAdi+sbzaVjmQB2HDglDHGJ9JiQ3iNgblpYD4+5lYtp3eZ+765bRzUQ7gVb5uCPUe02udrhlec2LAYU24eQ6Js50FpBTOHrHiTCcn4xkdShoFHyI6KgzUfhmmJizMTwrZaWuWlBJFykCsL5tlGeMnCudp+PC2thCJP2sup32Q6uuBWg/yJCQpG0pDpYZhw7Jd1FzTvDnzZZRa5E0JpRlH5+hwFwuCsvpOjVb3powYLYugzo...
Keys
AES: bf574ea6c8b59119cee98b94caf02ca0dee96fd94fbeaed739c901d3a6523935
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:07:03 09:05:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 31232
InitializedDataSize: 1526272
UninitializedDataSize: -
EntryPoint: 0x3248
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 146
Monitored processes: 20
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes in graph order: start; 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe; server bot.exe (#STORMKITTY); silverbulletpro.exe (no specs); openwith.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); chcp.com (no specs); netsh.exe (no specs); findstr.exe (no specs); openwith.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); chcp.com (no specs); netsh.exe (no specs); openwith.exe (no specs); svchost.exe; openwith.exe (no specs); openwith.exe (no specs); openwith.exe (no specs); slui.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 672
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_4
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4220
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_2
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6700
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_1
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7220
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_3
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7372
CMD: "C:\Users\admin\Desktop\8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe"
Path: C:\Users\admin\Desktop\8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules
Images
c:\users\admin\desktop\8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 7416
CMD: "C:\Users\admin\AppData\Local\Temp\SERVER BOT.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SERVER BOT.EXE
Parent process: 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
User: admin
Integrity Level: MEDIUM
Description: Client
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\server bot.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7424
CMD: "C:\Users\admin\AppData\Local\Temp\SILVERBULLETPRO.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SILVERBULLETPRO.EXE
Parent process: 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
User: admin
Company: SilverBulletPro
Integrity Level: MEDIUM
Description: SilverBulletPro
Exit code: 2147516570
Version: 1.4.1
Modules
Images
c:\users\admin\appdata\local\temp\silverbulletpro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7448
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7460
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 14 380
Read events: 14 364
Write events: 16
Delete events: 0

Modification events

PID 7372 (8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids | Operation: write | Name: mhtmlfile | Value: -
PID 7460 (OpenWith.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids | Operation: write | Name: mhtmlfile | Value: -
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: FileTracingMask | Value: -
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: -
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
PID 7416 (SERVER BOT.EXE) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
Executable files: 2
Suspicious files: 20
Text files: 29
Unknown types: 1

Dropped files

PID | Process | Filename | Type
7372 | 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe | C:\Users\admin\AppData\Local\Temp\SERVER BOT.EXE | executable
MD5: 2E7CB0A4C91B31337F17742A2F73AAF7
SHA256: C92CCEBE416798A16A22F1F45978DF59988B4219D118EB9D2100FABE2EB78C3B
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\desktop.ini | text
MD5: 9E36CC3537EE9EE1E3B10FA4E761045B
SHA256: 4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
7372 | 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe | C:\Users\admin\AppData\Local\Temp\SILVERBULLETPRO.EXE | executable
MD5: AB216B4212F3F27E41B26259A830C777
SHA256: 62EF275D396E894861167BD16FFA5FA78773F698447B51315AD84C9C5FF1F0D6
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\stonepm.png | binary
MD5: 081D2B242AD6539CD8CBFDB3835FFA24
SHA256: B1A1545571F93BE731D7A65FB7AFE982D0678EBE637591CAF367CCEE05AB8627
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\aprmatch.png | binary
MD5: 0722020E4FBCC6B7900EBFDD63C1AC0B
SHA256: 48F0756CFB8612336A809828F11D1A222D886A7F0D5A447CD941A4F19E47EFAD
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\administrationresponse.rtf | text
MD5: 938A9C8AE1A74D738A3655427B1230F9
SHA256: 4C376BEBCD7B3D54BDBD13B7C3F1BC220A37BA57233FFE795E43369C9117448B
7372 | 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe | C:\Users\admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML | binary
MD5: 9CB5E52CB50A2AF6808877D9A1F4CBD0
SHA256: D3C42BD1CF785DD4EF034E5FF43078EDC406A80F8319165DB19CCAFB85B0E3C4
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\desktop.ini | text
MD5: 3A37312509712D4E12D27240137FF377
SHA256: B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\desktop.ini | text
MD5: 29EAE335B77F438E05594D86A6CA22FF
SHA256: 88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
7416 | SERVER BOT.EXE | C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\airportwar.rtf | text
MD5: B671E1A8B3C065069E98CE8AEC91C8D1
SHA256: 2B38633D45D84B68F75AB498796A450A15915B3BC675A3CD3DEEAB8037BC0E9A
HTTP(S) requests: 37
TCP/UDP connections: 52
DNS requests: 20
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7416 | SERVER BOT.EXE | GET | 200 | 104.16.185.241:80 | http://icanhazip.com/ | unknown | - | - | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
1088 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
1088 | SIHClient.exe | GET | 200 | 104.124.11.58:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4024 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7416 | SERVER BOT.EXE | 104.16.185.241:80 | icanhazip.com | CLOUDFLARENET | - | whitelisted
7416 | SERVER BOT.EXE | 172.67.196.114:443 | api.mylnikov.org | CLOUDFLARENET | US | suspicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
  • 104.124.11.58
  • 104.124.11.17
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.128
  • 20.190.159.73
  • 20.190.159.131
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.2
  • 40.126.31.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
icanhazip.com
  • 104.16.185.241
  • 104.16.184.241
whitelisted
api.mylnikov.org
  • 172.67.196.114
  • 104.21.44.66
unknown
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
7416 | SERVER BOT.EXE | Attempted Information Leak | ET INFO IP Check Domain (icanhazip. com in HTTP Host)
7416 | SERVER BOT.EXE | Potential Corporate Privacy Violation | ET INFO Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
- | - | Potential Corporate Privacy Violation | ET INFO Wifi Geolocation Lookup Attempt
- | - | Potentially Bad Traffic | ET INFO BSSID Location Lookup via api .mylnikov .org
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
7416 | SERVER BOT.EXE | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7416 | SERVER BOT.EXE | Misc activity | ET HUNTING Telegram API Certificate Observed
- | - | Misc activity | ET HUNTING Telegram API Request (GET)
- | - | Misc activity | ET HUNTING Telegram API Request (GET)