download:

/hdrover/discord-drover/releases/download/v0.8/drover-v0.8.zip

Full analysis: https://app.any.run/tasks/a0869164-05fc-4bd1-9d86-b9e4b8327d50
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users’ information and transfer it to the attacker. The stealer category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 15, 2025, 13:07:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
delphi
stealer
payload
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:
B6D251609772E182AC9E33254E8848BF
SHA1:
7D720B57F877FEF6C100DBFD2C817F71549C0B97
SHA256:
C9B8C858479BB6CBBB56EA975938DA10349F9F4CA0D3257736220F18FF50EE24
SSDEEP:
98304:YLHrVKCp1JHLhmEtdpqapg5oI0fR8kpWdlRaALE8uQUaoLJWV3OgrQ+5Yyw/rGRc:UWD8x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
    • Changes the autorun value in the registry

      • reg.exe (PID: 8096)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • drover.exe (PID: 7088)
    • Process drops legitimate windows executable

      • Update.exe (PID: 440)
    • Application launched itself

      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
    • Uses REG/REGEDIT.EXE to modify registry

      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
    • Reads security settings of Internet Explorer

      • Update.exe (PID: 440)
      • Discord.exe (PID: 6788)
      • Discord.exe (PID: 8168)
    • Searches for installed software

      • Update.exe (PID: 440)
      • drover.exe (PID: 7088)
      • drover.exe (PID: 1752)
    • Executable content was dropped or overwritten

      • Discord.exe (PID: 880)
      • DiscordSetup.exe (PID: 7240)
      • Update.exe (PID: 440)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 6532)
      • drover.exe (PID: 7088)
    • Creates a software uninstall entry

      • Update.exe (PID: 440)
    • Discord domain found in command line (probably downloading payload)

      • msedge.exe (PID: 7924)
    • Starts CMD.EXE for commands execution

      • Discord.exe (PID: 6788)
    • Checks Windows Trust Settings

      • Discord.exe (PID: 6788)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4864)
      • msedge.exe (PID: 7116)
      • msedge.exe (PID: 8044)
    • Checks supported languages

      • drover.exe (PID: 7088)
      • identity_helper.exe (PID: 6852)
      • identity_helper.exe (PID: 7516)
      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 4548)
      • Discord.exe (PID: 6528)
      • Discord.exe (PID: 7968)
      • Update.exe (PID: 6408)
      • Discord.exe (PID: 6752)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 6672)
      • Discord.exe (PID: 7644)
      • Discord.exe (PID: 880)
      • Discord.exe (PID: 4244)
      • Discord.exe (PID: 6532)
      • Discord.exe (PID: 8052)
      • Discord.exe (PID: 6788)
      • Update.exe (PID: 440)
      • DiscordSetup.exe (PID: 7240)
      • Discord.exe (PID: 7948)
      • gpu_encoder_helper.exe (PID: 5212)
      • Discord.exe (PID: 3840)
      • gpu_encoder_helper.exe (PID: 4012)
      • gpu_encoder_helper.exe (PID: 6684)
      • drover.exe (PID: 1752)
    • Reads the computer name

      • drover.exe (PID: 7088)
      • identity_helper.exe (PID: 6852)
      • identity_helper.exe (PID: 7516)
      • Discord.exe (PID: 3560)
      • Update.exe (PID: 6408)
      • Discord.exe (PID: 7968)
      • Discord.exe (PID: 6528)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 7644)
      • Discord.exe (PID: 6752)
      • Discord.exe (PID: 6788)
      • Update.exe (PID: 440)
      • Discord.exe (PID: 3840)
      • Discord.exe (PID: 7948)
      • gpu_encoder_helper.exe (PID: 5212)
      • gpu_encoder_helper.exe (PID: 6684)
      • gpu_encoder_helper.exe (PID: 4012)
      • drover.exe (PID: 1752)
    • Manual execution by a user

      • msedge.exe (PID: 7116)
      • drover.exe (PID: 7088)
      • drover.exe (PID: 1752)
    • Reads Environment values

      • drover.exe (PID: 7088)
      • identity_helper.exe (PID: 6852)
      • identity_helper.exe (PID: 7516)
      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 6788)
      • drover.exe (PID: 1752)
    • Compiled with Borland Delphi (YARA)

      • drover.exe (PID: 7088)
    • Application launched itself

      • msedge.exe (PID: 7116)
    • Create files in a temporary directory

      • DiscordSetup.exe (PID: 7240)
      • Update.exe (PID: 440)
      • Discord.exe (PID: 8168)
    • Creates files or folders in the user directory

      • DiscordSetup.exe (PID: 7240)
      • Update.exe (PID: 440)
      • Discord.exe (PID: 4548)
      • Discord.exe (PID: 3560)
      • Update.exe (PID: 6408)
      • Discord.exe (PID: 7968)
      • Discord.exe (PID: 6672)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 7644)
      • Discord.exe (PID: 6788)
      • drover.exe (PID: 7088)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 440)
      • Update.exe (PID: 6408)
      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 6788)
    • The sample compiled with english language support

      • Update.exe (PID: 440)
      • Discord.exe (PID: 6532)
      • Discord.exe (PID: 880)
      • Discord.exe (PID: 8168)
      • msedge.exe (PID: 8044)
    • Reads product name

      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 6788)
    • Process checks computer location settings

      • Discord.exe (PID: 3560)
      • Update.exe (PID: 440)
      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 4244)
      • Discord.exe (PID: 8052)
      • Discord.exe (PID: 6788)
    • Checks proxy server information

      • Discord.exe (PID: 3560)
      • Discord.exe (PID: 8168)
    • Reads the software policy settings

      • Discord.exe (PID: 8168)
      • Discord.exe (PID: 6788)
    • Reads CPU info

      • Discord.exe (PID: 6788)
      • Discord.exe (PID: 8168)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:24 12:38:46
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: drover/
All screenshots are available in the full report
Total processes
248
Monitored processes
112
Malicious processes
6
Suspicious processes
5

Behavior graph

Processes shown in the interactive graph (available in the full report): winrar.exe, rundll32.exe, drover.exe, msedge.exe, identity_helper.exe, discordsetup.exe, update.exe, discord.exe, reg.exe, conhost.exe, cmd.exe, gpu_encoder_helper.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
440
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7028 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
440
CMD:
"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install .
Path:
C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
Parent process:
DiscordSetup.exe
User:
admin
Company:
Discord Inc.
Integrity Level:
MEDIUM
Description:
Update
Exit code:
0
Version:
1.1.1.0
Modules
Images
c:\users\admin\appdata\local\squirreltemp\update.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
524
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5424 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
848
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=7012 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
848
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8832 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
880
CMD:
"C:\Users\admin\AppData\Local\Discord\app-1.0.9182\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=3616,i,6455045268303155164,3982235960512589909,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Discord\app-1.0.9182\Discord.exe
Parent process:
Discord.exe
User:
admin
Company:
Discord Inc.
Integrity Level:
LOW
Description:
Discord
Exit code:
0
Version:
1.0.9182
Modules
Images
c:\users\admin\appdata\local\discord\app-1.0.9182\discord.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID:
936
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2720 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1080
CMD:
C:\WINDOWS\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
Path:
C:\Windows\System32\reg.exe
Parent process:
Discord.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
1512
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2692 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1520
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7624 --field-trial-handle=2456,i,1886367084253318405,12434645172815169535,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
Total events
24 451
Read events
24 328
Write events
74
Delete events
49

Modification events

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\drover-v0.8.zip

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value:

(PID) Process: (4864) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value:
Executable files
96
Suspicious files
1 591
Text files
323
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF13e756.TMP
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13e756.TMP
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13e794.TMP
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13e756.TMP
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF13e7b4.TMP
MD5:
SHA256:

PID: 7116
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
HTTP(S) requests
42
TCP/UDP connections
172
DNS requests
170
Threats
26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6060 | svchost.exe | GET | 200 | 23.32.238.34:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 23.51.98.7:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
6060 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 23.51.98.7:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6324 | backgroundTaskHost.exe | GET | 200 | 23.51.98.7:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
6852 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6852 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
7116 | msedge.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA3pzy5xg2SgBi4Ngwk%2BNNc%3D | unknown | - | - | whitelisted
7116 | msedge.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
7116 | msedge.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6092 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6060 | svchost.exe | 23.32.238.34:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6060 | svchost.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6060 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 2.16.204.153:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.32.238.34
  • 2.19.198.194
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
google.com
  • 142.250.186.174
whitelisted
www.bing.com
whitelisted
login.live.com
whitelisted
ocsp.digicert.com
  • 23.51.98.7
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 23.218.210.69
  • 2.19.106.8
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted

Threats

PID | Process | Class | Message
1512 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1512 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1512 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
1512 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
1512 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
1512 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1512 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1512 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
1512 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
1512 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
Process | Message
DiscordSetup.exe | Start up installer:
DiscordSetup.exe | Elevated process: ?
DiscordSetup.exe | Want standard install
Discord.exe | Error: 31
Discord.exe | Error: 31
Discord.exe | Error: 31
Discord.exe | Error: 31