File name:

de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe

Full analysis: https://app.any.run/tasks/4ac536cb-57cb-4fd7-9496-d90288875e38
Verdict: Malicious activity
Analysis date: September 26, 2025, 23:14:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
evasion
ims-api
generic
golang
ip-check
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

2271813E586D6D64B4F033765E20E657

SHA1:

E44984F2F9FCFEAA88DBF55A614C95A5281D4C07

SHA256:

DE4AD0B01E1913781687CDB841AF51668FFCAED82CBA24981D88648A715515FB

SSDEEP:

98304:xs9MKzn430H//56KTsAFqIFhtf8aOhLAo3ARifmSxaCV17wN0zcxYPYR6nhcQeZK:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4864)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4864)
    • Changes powershell execution policy (Bypass)

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 6404)
    • Reads the date of Windows installation

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 6404)
    • Executable content was dropped or overwritten

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
    • Application launched itself

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 6404)
    • The process bypasses the loading of PowerShell profile settings

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 4864)
    • Starts POWERSHELL.EXE for commands execution

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
    • Checks for external IP

      • socks5svc.exe (PID: 6312)
    • Executes as Windows Service

      • socks5svc.exe (PID: 6312)
    • There is functionality for capture public ip (YARA)

      • socks5svc.exe (PID: 6312)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • socks5svc.exe (PID: 6312)
    • The process hide an interactive prompt from the user

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
  • INFO

    • Checks supported languages

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 6404)
      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
      • socks5svc.exe (PID: 6312)
    • Reads the computer name

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 6404)
      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
      • socks5svc.exe (PID: 6312)
    • Process checks computer location settings

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 6404)
    • Creates files in the program directory

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
    • Reads the software policy settings

      • powershell.exe (PID: 4864)
      • socks5svc.exe (PID: 6312)
      • slui.exe (PID: 2728)
    • Create files in a temporary directory

      • powershell.exe (PID: 4864)
    • Detects GO elliptic curve encryption (YARA)

      • socks5svc.exe (PID: 6312)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4864)
    • Application based on Golang

      • socks5svc.exe (PID: 6312)
    • Checks proxy server information

      • slui.exe (PID: 2728)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID: 1336)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 4864)
    • Reads the machine GUID from the registry

      • socks5svc.exe (PID: 6312)

ims-api

PID 6312, socks5svc.exe
Discord-Webhook-Tokens (1): 1418298773330985154/_I7EzXpGMundYt8jCvlDdzi9INsBkBq7NSDM74iV0Y_flSzQZ5LxYP0lZtXFzHCkRtKR
Discord-Info-Links: 1418298773330985154/_I7EzXpGMundYt8jCvlDdzi9INsBkBq7NSDM74iV0Y_flSzQZ5LxYP0lZtXFzHCkRtKR
Get Webhook Info: https://discord.com/api/webhooks/1418298773330985154/_I7EzXpGMundYt8jCvlDdzi9INsBkBq7NSDM74iV0Y_flSzQZ5LxYP0lZtXFzHCkRtKR

The first path component is the webhook ID (a Discord snowflake), the second is the webhook token. A GET on that URL returns the webhook object (name, channel_id, guild_id) and a POST delivers a message, neither of which needs any further authentication, so the token embedded in socks5svc.exe is a usable, reportable credential on its own. The report does not show the body of any message posted to it.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 3172352
InitializedDataSize: 414720
UninitializedDataSize: -
EntryPoint: 0x7bec0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
Total processes
140
Monitored processes
6
Malicious processes
1
Suspicious processes
3

Behavior graph

Process tree reconstructed from the parent/child and integrity data in the process information below:

explorer.exe
  de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe (PID 6404, MEDIUM integrity)
    de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe --elevated (PID 1336, HIGH integrity)
      powershell.exe (PID 4864, HIGH integrity; creates the two firewall rules)
        conhost.exe (PID 2620)
services.exe
  socks5svc.exe (PID 6312, SYSTEM; a copy of the sample, no exit code recorded)
svchost.exe
  slui.exe (PID 2728, MEDIUM; Windows Activation Client started by svchost.exe via COM, not by the sample)

The first instance (PID 6404) runs at MEDIUM integrity and relaunches itself with --elevated; the second instance (PID 1336) runs at HIGH integrity, so every install step (copying the binary under C:\Program Files, registering the service and event-log source, adding the firewall rules) executes with administrative rights.

Process information

PID: 1336
CMD: "C:\Users\admin\Desktop\de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe" --elevated
Path: C:\Users\admin\Desktop\de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe
Parent process: de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 2620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2728
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4864
CMD: powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command " $e = 'C:\Program Files\socks5svc\socks5svc.exe' if (-not (Get-NetFirewallRule -DisplayName 'Socks5Svc TCP 1080' -ErrorAction SilentlyContinue)) { New-NetFirewallRule -DisplayName 'Socks5Svc TCP 1080' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1080 -Program $e -Profile Any | Out-Null } if (-not (Get-NetFirewallRule -DisplayName 'Socks5Svc UDP 1080' -ErrorAction SilentlyContinue)) { New-NetFirewallRule -DisplayName 'Socks5Svc UDP 1080' -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1080 -Program $e -Profile Any | Out-Null } "
Note: the -Command string holds three statements (the $e assignment and two guarded New-NetFirewallRule calls); whatever separated them in the original string is not visible in this capture. Each rule is scoped to the program path in $e, applies to all firewall profiles, and is created only when no rule with that display name exists yet, so the installer can be re-run without duplicating rules. The net effect is an inbound allow for TCP and UDP 1080 (the default SOCKS port) to the dropped socks5svc.exe. The hidden window, -NoProfile, -NonInteractive and -ExecutionPolicy Bypass switches account for the PowerShell-related indicators at the top of the report.
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6312
CMD: "C:\Program Files\socks5svc\socks5svc.exe"
Path: C:\Program Files\socks5svc\socks5svc.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\program files\socks5svc\socks5svc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 6404
CMD: "C:\Users\admin\Desktop\de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe"
Path: C:\Users\admin\Desktop\de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
Total events
14 714
Read events
14 711
Write events
3
Delete events
0

Modification events

PID 1336 (de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe) wrote three values under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Socks5Svc:
  CustomSource = 1
  EventMessageFile = %SystemRoot%\System32\EventCreate.exe
  TypesSupported = 7

These are the only three write events in the run. The combination (CustomSource=1, EventCreate.exe as the message file, TypesSupported=7, i.e. Error|Warning|Information) is the key layout written by eventlog.InstallAsEventCreate in the Go package golang.org/x/sys/windows/svc/eventlog, which the package's service-install example calls right after registering a service with the service control manager. That fits the golang tag on the sample and socks5svc.exe being started by services.exe as SYSTEM: the elevated instance installs a copy of itself as a Windows service (presumably also named Socks5Svc) and registers an event-log source for it. The Services\<name> key for the service itself is written by services.exe on the sample's behalf (CreateService), which is why no such write is attributed to PID 1336 here.
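The registry values above, the firewall rules created by PID 4864 and the service start under services.exe each leave a trail in the Windows event logs of an infected host. The following PowerShell is an added example of hunting for that trail retrospectively; it is not part of the ANY.RUN report or of the sample. The seven-day look-back and the 'socks5svc' match string are assumptions; the Security-log events 4697 and 4946 appear only where their audit subcategories are enabled, so the script does not rely on them.

```powershell
# Added example (not from the report or the sample): hunt Windows event logs for the
# install sequence described in the report. Assumptions: 7-day window, 'socks5svc' string.
$Since   = (Get-Date).AddDays(-7)
$Pattern = 'socks5svc'   # service name, binary path and firewall rule names all contain it

$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit($Source, $Event, [string]$Why) {
    $hits.Add([pscustomobject]@{ Time = $Event.TimeCreated; Source = $Source; Id = $Event.Id; Why = $Why })
}

# 1. System log, Service Control Manager 7045: a new service was installed. Logged by default;
#    the message carries the service name, image path and account (SYSTEM in the report).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    ForEach-Object { Add-Hit 'SCM' $_ 'service installed' }

# 2. Firewall operational log 2004: a rule was added. Logged by default (unlike Security 4946)
#    and includes rule name, direction, port and application path.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id = 2004; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern -or $_.Message -match '\b1080\b' } |
    ForEach-Object { Add-Hit 'Firewall' $_ 'inbound rule added' }

# 3. PowerShell script block logging 4104 (only if enabled): records the New-NetFirewallRule
#    command text even though it ran with -WindowStyle Hidden and -ExecutionPolicy Bypass.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'New-NetFirewallRule' -and $_.Message -match $Pattern } |
    ForEach-Object { Add-Hit 'PowerShell' $_ 'firewall rule created from script' }

# 4. Security 4697 (service installed) and 4946 (firewall rule added): present only when the
#    "Security System Extension" / "MPSSVC Rule-Level Policy Change" subcategories are audited.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697, 4946; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    ForEach-Object { Add-Hit 'Security' $_ "audit event $($_.Id)" }

if ($hits.Count -eq 0) { Write-Host "No $Pattern install events since $Since" }
else { $hits | Sort-Object Time | Format-Table -AutoSize }
```

Run it in an elevated session (the Security log is not readable otherwise). The 7045 and 2004 events are the ones to expect on a default install; a hit on 4104 additionally gives you the exact command line, which on this sample would match the PowerShell CMD recorded above.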
Executable files
2
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4864 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 355CB032F00BFD91E09A7D817AC95349 | 217E704C0D17905C44E8CB1818AC99E68842BA484734F2DF012BAADE27A7FA5D
1336 | de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe | C:\Program Files\socks5svc\socks5svc.exe.tmp | executable | 2271813E586D6D64B4F033765E20E657 | DE4AD0B01E1913781687CDB841AF51668FFCAED82CBA24981D88648A715515FB
4864 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kfwzbd5q.ylo.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4864 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r0ihnek0.fsg.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1336 | de4ad0b01e1913781687cdb841af51668ffcaed82cba24981d88648a715515fb.exe | C:\Program Files\socks5svc\socks5svc.exe | executable | 2271813E586D6D64B4F033765E20E657 | DE4AD0B01E1913781687CDB841AF51668FFCAED82CBA24981D88648A715515FB

Both socks5svc.exe.tmp and socks5svc.exe carry the MD5/SHA256 of the submitted sample: the dropper writes a byte-identical copy of itself into C:\Program Files\socks5svc\ (first under a .tmp name, then under the final name) and that copy is what services.exe later runs as SYSTEM. The "Executable content was dropped or overwritten" indicator refers to these two files. The __PSScriptPolicyTest_*.ps1/.psm1 files and the StartupProfileData file are written by PowerShell itself on every start (the former to probe whether AppLocker/WDAC constrains script execution) and carry no attacker content.
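Taken together, the report yields a compact artifact set for this dropper: a copy of itself at C:\Program Files\socks5svc\socks5svc.exe, a service started by services.exe as SYSTEM, two inbound firewall rules for port 1080, and the Socks5Svc event-log source key. The following PowerShell is an added example of checking a live host for those artifacts and, optionally, removing them in dependency order; it is not code from the ANY.RUN report or from the sample. The service name 'Socks5Svc' is assumed from the event-log source and firewall rule names (the report does not print the service name), and CurrentControlSet is used in place of the ControlSet001 path shown above.

```powershell
# Added example (not from the report or the sample): live-host triage for the artifacts
# this report records. Run in an elevated PowerShell 5.1+ session on the host under review.
$ExpectedSha256 = 'DE4AD0B01E1913781687CDB841AF51668FFCAED82CBA24981D88648A715515FB'  # from the report
$ServiceName    = 'Socks5Svc'   # assumption: derived from the event-log source / rule names
$DropPath       = 'C:\Program Files\socks5svc\socks5svc.exe'
$RuleNames      = 'Socks5Svc TCP 1080', 'Socks5Svc UDP 1080'   # display names from the PowerShell CMD
$EventSrcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\Socks5Svc'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Detail = $Detail })
}

# 1. Dropped binary and the .tmp beside it, compared against the sample hash.
foreach ($p in $DropPath, "$DropPath.tmp") {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $state = if ($h -eq $ExpectedSha256) { 'hash matches sample' } else { "hash $h differs from sample (variant?)" }
        Add-Finding 'file' "$p present, $state"
    }
}

# 2. Service registration: match on the assumed name or on the image path from the report.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName' OR PathName LIKE '%socks5svc%'" -ErrorAction SilentlyContinue
foreach ($s in $svc) {
    Add-Finding 'service' "$($s.Name) state=$($s.State) start=$($s.StartMode) account=$($s.StartName) path=$($s.PathName)"
}

# 3. Firewall rules that open inbound TCP/UDP 1080 to the program.
foreach ($n in $RuleNames) {
    $r = Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue
    if ($r) {
        $port = ($r | Get-NetFirewallPortFilter).LocalPort
        $app  = ($r | Get-NetFirewallApplicationFilter).Program
        Add-Finding 'firewall' "$n enabled=$($r.Enabled) action=$($r.Action) port=$port program=$app"
    }
}

# 4. Event-log source key written by PID 1336 (see Modification events).
if (Test-Path -Path $EventSrcKey) {
    $v = Get-ItemProperty -Path $EventSrcKey
    Add-Finding 'registry' "$EventSrcKey CustomSource=$($v.CustomSource) EventMessageFile=$($v.EventMessageFile) TypesSupported=$($v.TypesSupported)"
}

# 5. Whether anything is actually bound to 1080 right now, and which process owns it.
Get-NetTCPConnection -LocalPort 1080 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'network' "TCP 1080 listening, PID $($_.OwningProcess) ($($proc.ProcessName))"
}
Get-NetUDPEndpoint -LocalPort 1080 -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'network' "UDP 1080 bound, PID $($_.OwningProcess)"
}

if ($findings.Count -eq 0) { Write-Host 'No Socks5Svc artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }

# Optional cleanup, off by default: stop and delete the service before touching the binary,
# then remove the firewall rules and the event-log source key. Preserve copies first if
# the host is subject to forensic collection.
$Remediate = $false
if ($Remediate -and $findings.Count -gt 0) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName | Out-Null
    Remove-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $DropPath, "$DropPath.tmp" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $EventSrcKey -Recurse -Force -ErrorAction SilentlyContinue
}
```

The hash comparison is there because a later build of the same tool would reuse the paths and rule names but not the SHA256; a path hit with a differing hash is still a finding, just of a variant. Step 5 is the quickest confirmation that the proxy is active: an inbound allow rule plus a SYSTEM process listening on 1080 is the working SOCKS5 service the firewall command sets up.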
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
51
DNS requests
18
Threats
49

HTTP requests

Ten of the 46 requests are listed. Fields the report leaves empty are shown as "-". The last six rows are recorded without PID or process; the indicators section attributes the external-IP check to socks5svc.exe (PID 6312), but this table does not record which process made the api.ipify.org request.

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.200.213.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.200.213.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2232 | RUXIMICS.exe | GET | 200 | 23.200.213.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 204 b | -
- | - | GET | 200 | 172.67.74.152:443 | https://api.ipify.org/ | unknown | text | 13 b | -
- | - | POST | 400 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 204 b | -
- | - | POST | 400 | 40.126.31.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 40.126.31.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 204 b | -
- | - | GET | 200 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 27.7 Kb | -

The CRL downloads, the login.live.com device-credential posts and the slscr.update.microsoft.com request are Windows background traffic from system processes. The 13-byte text reply from https://api.ipify.org/ is the sandbox's public IPv4 address in plain text, which is what the "Checks for external IP" indicator and the ET INFO ipify.org alerts below refer to. No plaintext HTTP to discord.com is listed; that host appears only in the DNS and TLS SNI observations.

Connections

Ten of the 51 connections are listed. Fields the report leaves empty are shown as "-".

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2232 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.200.213.221:80 | www.microsoft.com | AKAMAI-AS | FR | whitelisted
1268 | svchost.exe | 23.200.213.221:80 | www.microsoft.com | AKAMAI-AS | FR | whitelisted
2232 | RUXIMICS.exe | 23.200.213.221:80 | www.microsoft.com | AKAMAI-AS | FR | whitelisted
5252 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

Every connection shown belongs to a Windows system process (NetBIOS broadcasts from System, telemetry, CRL and licensing traffic). The connections from socks5svc.exe (PID 6312) to api.ipify.org and discord.com, which the indicators, DNS requests and threat alerts attest to, are among the 41 connections not reproduced on this page; consult the full report or the PCAP for them.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.19.117.84
  • 2.19.117.91
whitelisted
www.microsoft.com
  • 23.200.213.221
whitelisted
login.live.com
  • 20.190.160.3
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.4
  • 20.190.160.64
  • 20.190.160.22
  • 20.190.160.65
  • 40.126.32.138
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.135.232
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.128.233
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
self.events.data.microsoft.com
  • 20.189.173.3
whitelisted

Threats

Ten of the 49 alerts are listed; no PID or process is recorded for them.

Class | Message
Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup api.ipify.org
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent

All listed alerts are informational Emerging Threats rules (ET INFO / ET USER_AGENTS): they flag the Go HTTP client User-Agent, the ipify.org external-IP lookup and the discord.com names in DNS and TLS SNI. They corroborate the golang, ip-check and discord tags and the YARA hits on socks5svc.exe, but none of them is a signature for a specific malware family; the malicious verdict rests on the host-side behaviour (hidden PowerShell with execution-policy bypass, self-copy into Program Files, service installation, inbound firewall rules for port 1080) rather than on the network alerts.
No debug info