File name:

8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1

Full analysis: https://app.any.run/tasks/5eeade0f-e9fe-4a31-8464-5e8823409a30
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: April 15, 2025, 19:09:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
attachments
attc-unc
stealer
ims-api
generic
stormkitty
evasion
telegram
worldwind
asyncrat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

687055CC2509DA593C356B9C24327CFD

SHA1:

E2B6836352EBEAA4D6C07557CBD966D0EE54D6CB

SHA256:

8F47D92E96D2719A45CE580BF21F207090B52518570025097A3074FD800A82C1

SSDEEP:

49152:dUx51TgQvL94KZ41aKfCylE9TwXvT1clGJZrJ5K2:y/Fzv54K52blc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • SERVER BOT.EXE (PID: 7416)
    • STORMKITTY has been detected (YARA)

      • SERVER BOT.EXE (PID: 7416)
    • Steals credentials from Web Browsers

      • SERVER BOT.EXE (PID: 7416)
    • ASYNCRAT has been detected (MUTEX)

      • SERVER BOT.EXE (PID: 7416)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Executable content was dropped or overwritten

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Reads security settings of Internet Explorer

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Write to the desktop.ini file (may be used to cloak folders)

      • SERVER BOT.EXE (PID: 7416)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • SERVER BOT.EXE (PID: 7416)
    • Starts CMD.EXE for commands execution

      • SERVER BOT.EXE (PID: 7416)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 8068)
      • cmd.exe (PID: 7860)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 8068)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7860)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • SERVER BOT.EXE (PID: 7416)
    • Potential Corporate Privacy Violation

      • SERVER BOT.EXE (PID: 7416)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • SERVER BOT.EXE (PID: 7416)
  • INFO

    • Create files in a temporary directory

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
      • SERVER BOT.EXE (PID: 7416)
    • Reads the computer name

      • SILVERBULLETPRO.EXE (PID: 7424)
      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
      • SERVER BOT.EXE (PID: 7416)
    • Checks supported languages

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
      • SILVERBULLETPRO.EXE (PID: 7424)
      • SERVER BOT.EXE (PID: 7416)
      • chcp.com (PID: 7912)
      • chcp.com (PID: 8116)
    • Process checks computer location settings

      • 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (PID: 7372)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7460)
      • OpenWith.exe (PID: 7980)
      • OpenWith.exe (PID: 6700)
      • OpenWith.exe (PID: 672)
      • OpenWith.exe (PID: 7220)
      • OpenWith.exe (PID: 4220)
    • Reads the machine GUID from the registry

      • SERVER BOT.EXE (PID: 7416)
    • Creates files or folders in the user directory

      • SERVER BOT.EXE (PID: 7416)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 8068)
    • Disables trace logs

      • SERVER BOT.EXE (PID: 7416)
    • Manual execution by a user

      • OpenWith.exe (PID: 7980)
      • OpenWith.exe (PID: 6700)
      • OpenWith.exe (PID: 672)
      • OpenWith.exe (PID: 4220)
      • OpenWith.exe (PID: 7220)
    • Reads CPU info

      • SERVER BOT.EXE (PID: 7416)
    • Checks proxy server information

      • SERVER BOT.EXE (PID: 7416)
      • slui.exe (PID: 7448)
    • Reads the software policy settings

      • SERVER BOT.EXE (PID: 7416)
      • slui.exe (PID: 7448)
    • Attempting to use instant messaging service

      • SERVER BOT.EXE (PID: 7416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

Process (PID 7416): SERVER BOT.EXE
Telegram-Tokens (1): 1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8
Telegram-Info-Links (token 1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8):
Get info about bot: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/getMe
Get incoming updates: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/getUpdates
Get webhook: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/getWebhookInfo
Delete webhook: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8
End-Point: send
Args:

StormKitty

Process (PID 7416): SERVER BOT.EXE
C2 (1): 127.0.0.1
Ports (3): 6606, 7707, 8808
Credentials
Protocol: telegram
URL: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
Token: 7557878970:AAGK-77Z__cCdoMjeFBTGoWLVAg2XPHco-I
ChatId: 8178371083
Version:
Botnet: Default
Options
AutoRun: false
Mutex: AsyncMutex_6SI8OkPnk
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...
Server_Signature: krHOJdFhzbWJkBsd5VIEW+QEYvDROonPkGyIzxGTfMlIeaXPBgcotquYfuh8qcAdi+sbzaVjmQB2HDglDHGJ9JiQ3iNgblpYD4+5lYtp3eZ+765bRzUQ7gVb5uCPUe02udrhlec2LAYU24eQ6Js50FpBTOHrHiTCcn4xkdShoFHyI6KgzUfhmmJizMTwrZaWuWlBJFykCsL5tlGeMnCudp+PC2thCJP2sup32Q6uuBWg/yJCQpG0pDpYZhw7Jd1FzTvDnzZZRa5E0JpRlH5+hwFwuCsvpOjVb3powYLYugzo...
Keys
AES: bf574ea6c8b59119cee98b94caf02ca0dee96fd94fbeaed739c901d3a6523935
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:07:03 09:05:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 31232
InitializedDataSize: 1526272
UninitializedDataSize: -
EntryPoint: 0x3248
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
146
Monitored processes
20
Malicious processes
2
Suspicious processes
0

Behavior graph

8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe (#STORMKITTY)
server bot.exe
silverbulletpro.exe (no specs)
openwith.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
chcp.com (no specs)
netsh.exe (no specs)
findstr.exe (no specs)
openwith.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
chcp.com (no specs)
netsh.exe (no specs)
openwith.exe (no specs)
svchost.exe
openwith.exe (no specs)
openwith.exe (no specs)
openwith.exe (no specs)
slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 672
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_4
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4220
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_2
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6700
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_1
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7220
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\untitled_attachment_3
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7372
CMD: "C:\Users\admin\Desktop\8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe"
Path: C:\Users\admin\Desktop\8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 7416
CMD: "C:\Users\admin\AppData\Local\Temp\SERVER BOT.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SERVER BOT.EXE
Parent process: 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Client
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\server bot.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7424
CMD: "C:\Users\admin\AppData\Local\Temp\SILVERBULLETPRO.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SILVERBULLETPRO.EXE
Parent process: 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
User:
admin
Company:
SilverBulletPro
Integrity Level:
MEDIUM
Description:
SilverBulletPro
Exit code:
2147516570
Version:
1.4.1
Modules
Images
c:\users\admin\appdata\local\temp\silverbulletpro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7448
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7460
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
14 380
Read events
14 364
Write events
16
Delete events
0

Modification events

Process (PID 7372): 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids
Operation: write
Name: mhtmlfile
Value:

Process (PID 7460): OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids
Operation: write
Name: mhtmlfile
Value:

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process (PID 7416): SERVER BOT.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SERVER BOT_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0
Executable files
2
Suspicious files
20
Text files
29
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 7372
Process: 8f47d92e96d2719a45ce580bf21f207090b52518570025097a3074fd800a82c1.exe
Filename: C:\Users\admin\AppData\Local\Temp\SILVERBULLETPRO.EXE
Type: executable
MD5: AB216B4212F3F27E41B26259A830C777
SHA256: 62EF275D396E894861167BD16FFA5FA78773F698447B51315AD84C9C5FF1F0D6

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\evaluationmedium.rtf
Type: text
MD5: FCC9313705B671628D972EE7C985E1D4
SHA256: BF55AED037AE30D4B1C7910F9F1B00DEB46495C3D502BB3511B32445F93EE209

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\subscribeboards.png
Type: binary
MD5: 6D9DDEF6EC6D0F6DD851BB7D12251DCD
SHA256: 9826786E4CCF06FBBD4801E8E4473A518C4BBF4E6F6C90917163A3E584420F7D

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\cancerrequest.rtf
Type: text
MD5: 88C1636E765BF1C1463AE1CC1FE15966
SHA256: 02445E0636FAAD6E2595DBF982E975842159A7631EB666AF32E5B7520F853B36

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\desktop.ini
Type: text
MD5: 9E36CC3537EE9EE1E3B10FA4E761045B
SHA256: 4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\aprmatch.png
Type: binary
MD5: 0722020E4FBCC6B7900EBFDD63C1AC0B
SHA256: 48F0756CFB8612336A809828F11D1A222D886A7F0D5A447CD941A4F19E47EFAD

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\shipmini.png
Type: binary
MD5: 4EC8CBB3B8F77170C1BAAB7ECDA495A8
SHA256: 8E14795F45B1CB23EFC5E6119E360A8BBDE610233F25697C6C96BFFB335D7A60

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\desktop.ini
Type: text
MD5: ECF88F261853FE08D58E2E903220DA14
SHA256: CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\monedge.rtf
Type: text
MD5: C3A2502E7B1AB7CC66C6C5F664B09667
SHA256: 77A1925297C77F6F199AFF150588EBA01844FFDBCC4028BC21BD3326BAC60E97

PID: 7416
Process: SERVER BOT.EXE
Filename: C:\Users\admin\AppData\Local\701f094dfaca3c51f9ac0a54f43e3856\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\ratesau.rtf
Type: text
MD5: AF0CA1A798898CCCEA1B3908999F0FCF
SHA256: EE8C1951D3E39C539906714002B188678424DC780613EC9CD9A7E0E5B04B6A06
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
52
DNS requests
20
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7416
SERVER BOT.EXE
GET
200
104.16.185.241:80
http://icanhazip.com/
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
1088
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1088
SIHClient.exe
GET
200
104.124.11.58:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1088
SIHClient.exe
GET
200
104.124.11.58:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
POST
400
40.126.31.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.73:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4024
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7416
SERVER BOT.EXE
104.16.185.241:80
icanhazip.com
CLOUDFLARENET
whitelisted
7416
SERVER BOT.EXE
172.67.196.114:443
api.mylnikov.org
CLOUDFLARENET
US
suspicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
  • 104.124.11.58
  • 104.124.11.17
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.128
  • 20.190.159.73
  • 20.190.159.131
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.2
  • 40.126.31.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
icanhazip.com
  • 104.16.185.241
  • 104.16.184.241
whitelisted
api.mylnikov.org
  • 172.67.196.114
  • 104.21.44.66
unknown
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
7416
SERVER BOT.EXE
Attempted Information Leak
ET INFO IP Check Domain (icanhazip. com in HTTP Host)
7416
SERVER BOT.EXE
Potential Corporate Privacy Violation
ET INFO Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
Potential Corporate Privacy Violation
ET INFO Wifi Geolocation Lookup Attempt
Potentially Bad Traffic
ET INFO BSSID Location Lookup via api .mylnikov .org
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7416
SERVER BOT.EXE
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7416
SERVER BOT.EXE
Misc activity
ET HUNTING Telegram API Certificate Observed
Misc activity
ET HUNTING Telegram API Request (GET)
Misc activity
ET HUNTING Telegram API Request (GET)
No debug info