File name:

921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe

Full analysis: https://app.any.run/tasks/b243c9c9-d3a7-444d-a453-7dd06349a6ad
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 12:04:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
discord
exfiltration
stealer
discordgrabber
generic
umbralstealer
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

85EADBE66E59F3512BFED3EDD076ED4C

SHA1:

3FAC3F7414BD4CED53BEB1D89402524A2B9CB510

SHA256:

921BA78EF5661EE885D93756F28F7E4DF163F1EA910AF6C68266F856B112CE76

SSDEEP:

3072:61zJQhGjtQmzAvpehGfSdcRCG28CLLRyZmqh7s2e9wgPQxY8e11sXE7B+WXgME6U:fpSdcXoLRah7teCgJ8e1mmNH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 440)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 440)

    • Changes settings for real-time protection

      • powershell.exe (PID: 440)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 440)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 440)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 440)

    • Adds path to the Windows Defender exclusion list

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • DISCORDGRABBER has been detected (YARA)

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • UMBRALSTEALER has been detected (YARA)

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 440)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Reads the date of Windows installation

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Application launched itself

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Script adds exclusion path to Windows Defender

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Starts POWERSHELL.EXE for commands execution

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Uses WMIC.EXE to obtain computer system information

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Checks for external IP

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)
      • svchost.exe (PID: 2192)

    • Uses WMIC.EXE to obtain operating system information

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 5268)

    • Uses WMIC.EXE to obtain Windows Installer data

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1580)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Uses WMIC.EXE to obtain a list of video controllers

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Script disables Windows Defender's IPS

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Script disables Windows Defender's real-time protection

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • The process connected to a server suspected of theft

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 936)

  • INFO

    • Reads the machine GUID from the registry

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Checks supported languages

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Disables trace logs

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Reads the computer name

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Checks proxy server information

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Reads Environment values

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Reads the software policy settings

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • The process uses the downloaded file

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Process checks computer location settings

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4388)
      • powershell.exe (PID: 440)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4388)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1556)
      • WMIC.exe (PID: 5268)
      • WMIC.exe (PID: 1580)
      • WMIC.exe (PID: 936)

    • Create files in a temporary directory

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(5244) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
Discord-Webhook-Tokens (1)1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
Discord-Info-Links
1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
Get Webhook Infohttps://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2053:02:19 18:54:36+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 233984
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x3b12e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Payload for Umbral Stealer
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
17
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe #UMBRALSTEALER 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs svchost.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
440"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
936"wmic" path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1556"wmic.exe" computersystem get totalphysicalmemoryC:\Windows\System32\wbem\WMIC.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1580"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2380\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3152\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3260\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
21 850
Read events
21 836
Write events
14
Delete events
0

Modification events

(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
2
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
440powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_et3t3l0e.b3e.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wbebcfog.5su.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_50n1plv0.qgx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4388powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nxsnfljh.lak.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4388powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:A260B0E8269AC47DC66C9645597A67F7
SHA256:E22B1591A200004D0BA878C3594A62936BB13A73CF1CB33DCF53B09C935890B6
5244921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeC:\Users\admin\AppData\Local\Temp\cQRnN4NjeCIkENA.ligmacompressed
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
440powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ghbv2zpx.j3u.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4388powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j25ag4nj.ewx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
25
DNS requests
10
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
216.58.206.35:443
https://gstatic.com/generate_204
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
876
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
204
216.58.206.35:443
https://gstatic.com/generate_204
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
876
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
POST
404
162.159.138.232:443
https://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
unknown
binary
45 b
whitelisted
POST
404
162.159.136.232:443
https://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
unknown
binary
45 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
876
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5880
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
142.250.184.227:443
gstatic.com
GOOGLE
US
whitelisted
876
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
142.250.184.227:443
gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.186
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.129
  • 104.126.37.162
  • 104.126.37.131
  • 104.126.37.161
  • 104.126.37.130
whitelisted
google.com
  • 142.250.185.174
whitelisted
gstatic.com
  • 142.250.184.227
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.137.232
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.136.232
whitelisted
self.events.data.microsoft.com
  • 20.189.173.27
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe