File name:

KRNL-bootstrapper.exe

Full analysis: https://app.any.run/tasks/d15a0195-855c-4d00-b68a-f5f6802e8a7f
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: December 04, 2024, 15:58:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
exela
stealer
discord
arch-doc
pyinstaller
susp-powershell
ims-api
generic
growtopia
discordgrabber
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

5C14E347317A51194B82EF0855E26E3B

SHA1:

77FB645077B717ACFB78DEE36371A04976B26E2C

SHA256:

E0ACA3445C99C4BE321FCF167F7EDFE4B307C8CDED7BFEDA7F61673DEE79C955

SSDEEP:

98304:UydotVCHpGctPIw9p5j8YjjHz5z3OlJxPg26PLJhckB/oc1mgrgBi5u5ZTdGkB5h:g/HEVQa2Y+rS7rHc+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ExelaStealer has been detected

      • KRNL-bootstrapper.exe (PID: 4308)

    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 4640)
      • net.exe (PID: 1804)
      • net.exe (PID: 5128)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 4444)
      • net.exe (PID: 3808)
      • cmd.exe (PID: 4640)
      • net.exe (PID: 5916)

    • DISCORDGRABBER has been detected (YARA)

      • KRNL-bootstrapper.exe (PID: 4308)

    • GROWTOPIA has been detected (YARA)

      • KRNL-bootstrapper.exe (PID: 4308)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6372)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6316)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • KRNL-bootstrapper.exe (PID: 4668)

    • Application launched itself

      • KRNL-bootstrapper.exe (PID: 4668)
      • cmd.exe (PID: 5652)
      • cmd.exe (PID: 5572)

    • Executable content was dropped or overwritten

      • KRNL-bootstrapper.exe (PID: 4668)
      • KRNL-bootstrapper.exe (PID: 4308)
      • csc.exe (PID: 6508)

    • Get information on the list of running processes

      • cmd.exe (PID: 5576)
      • KRNL-bootstrapper.exe (PID: 4308)
      • cmd.exe (PID: 776)
      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 5776)
      • cmd.exe (PID: 4640)

    • The process drops C-runtime libraries

      • KRNL-bootstrapper.exe (PID: 4668)

    • Process drops python dynamic module

      • KRNL-bootstrapper.exe (PID: 4668)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2132)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 5776)
      • cmd.exe (PID: 6004)

    • Starts CMD.EXE for commands execution

      • KRNL-bootstrapper.exe (PID: 4308)
      • cmd.exe (PID: 5652)
      • cmd.exe (PID: 5572)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 6572)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5696)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5316)
      • cmd.exe (PID: 3364)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4804)
      • cmd.exe (PID: 6316)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 4640)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 2600)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 4640)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4640)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 4640)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 4640)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 4640)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • KRNL-bootstrapper.exe (PID: 4308)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6508)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6316)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6316)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6316)

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • KRNL-bootstrapper.exe (PID: 4308)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 4640)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 5472)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 4640)

  • INFO

    • Checks supported languages

      • KRNL-bootstrapper.exe (PID: 4668)
      • KRNL-bootstrapper.exe (PID: 4308)

    • Reads the computer name

      • KRNL-bootstrapper.exe (PID: 4668)
      • KRNL-bootstrapper.exe (PID: 4308)

    • Create files in a temporary directory

      • KRNL-bootstrapper.exe (PID: 4668)

    • Changes the display of characters in the console

      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 5316)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 1144)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 6096)

    • PyInstaller has been detected (YARA)

      • KRNL-bootstrapper.exe (PID: 4668)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • KRNL-bootstrapper.exe (PID: 4308)

    • Attempting to use instant messaging service

      • KRNL-bootstrapper.exe (PID: 4308)
      • svchost.exe (PID: 2192)

    • Checks operating system version

      • KRNL-bootstrapper.exe (PID: 4308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(4308) KRNL-bootstrapper.exe
Discord-Webhook-Tokens (1)1250013067698507786/5kWvO4oKVyqu08xNiP2SBDhB6BybgrIeOuLdESo7YLwJj-ppRfCHB96Qh6WVXe61BScJ
Discord-Info-Links
1250013067698507786/5kWvO4oKVyqu08xNiP2SBDhB6BybgrIeOuLdESo7YLwJj-ppRfCHB96Qh6WVXe61BScJ
Get Webhook Infohttps://discord.com/api/webhooks/1250013067698507786/5kWvO4oKVyqu08xNiP2SBDhB6BybgrIeOuLdESo7YLwJj-ppRfCHB96Qh6WVXe61BScJ
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:12 15:42:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 167936
InitializedDataSize: 258560
UninitializedDataSize: -
EntryPoint: 0xbe20
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
202
Monitored processes
87
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start krnl-bootstrapper.exe #EXELASTEALER krnl-bootstrapper.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs mshta.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs svchost.exe tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
776C:\WINDOWS\system32\cmd.exe /c "tasklist"C:\Windows\System32\cmd.exeKRNL-bootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
836hostname C:\Windows\System32\HOSTNAME.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
1144\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1144powershell.exe Get-ClipboardC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1228\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1344\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1392C:\WINDOWS\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""C:\Windows\System32\cmd.exeKRNL-bootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1572netstat -ano C:\Windows\System32\NETSTAT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
1616C:\WINDOWS\system32\net1 user guest C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
1804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
24 596
Read events
24 591
Write events
5
Delete events
0

Modification events

(PID) Process:(4392) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31147621
(PID) Process:(4392) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
(PID) Process:(2088) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2088) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2088) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
36
Suspicious files
15
Text files
38
Unknown types
5

Dropped files

PID
Process
Filename
Type
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_bz2.pydexecutable
MD5:5BEBC32957922FE20E927D5C4637F100
SHA256:3ED0E5058D370FB14AA5469D81F96C5685559C054917C7280DD4125F21D25F62
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_asyncio.pydexecutable
MD5:477DBA4D6E059EA3D61FAD7B6A7DA10E
SHA256:5BEBEB765AB9EF045BC5515166360D6F53890D3AD6FC360C20222D61841410B6
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_cffi_backend.cp312-win_amd64.pydexecutable
MD5:0572B13646141D0B1A5718E35549577C
SHA256:D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_socket.pydexecutable
MD5:DD8FF2A3946B8E77264E3F0011D27704
SHA256:B102522C23DAC2332511EB3502466CAF842D6BCD092FBC276B7B55E9CC01B085
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_ssl.pydexecutable
MD5:C87C5890039C3BDB55A8BC189256315F
SHA256:A5D361707F7A2A2D726B20770E8A6FC25D753BE30BCBCBBB683FFEE7959557C2
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_wmi.pydexecutable
MD5:8A9A59559C614FC2BCEBB50073580C88
SHA256:752FB80EDB51F45D3CC1C046F3B007802432B91AEF400C985640D6B276A67C12
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\aiohttp\_helpers.cp312-win_amd64.pydexecutable
MD5:46B9A0DC3C81FB53E6D3D0C0B665AD34
SHA256:1FDAE029896A54522F75291D2CE84A6B296BB0264EA8F2D2B9A46FBEC16FEE1E
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_decimal.pydexecutable
MD5:492C0C36D8ED1B6CA2117869A09214DA
SHA256:B8221D1C9E2C892DD6227A6042D1E49200CD5CB82ADBD998E4A77F4EE0E9ABF1
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_multiprocessing.pydexecutable
MD5:2BD43E8973882E32C9325EF81898AE62
SHA256:3C34031B464E7881D8F9D182F7387A86B883581FD020280EC56C1E3EC6F4CC2D
4668KRNL-bootstrapper.exeC:\Users\admin\AppData\Local\Temp\_MEI46682\_lzma.pydexecutable
MD5:195DEFE58A7549117E06A57029079702
SHA256:7BF9FF61BABEBD90C499A8ED9B62141F947F90D87E0BBD41A12E99D20E06954A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
51
DNS requests
19
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4308
KRNL-bootstrapper.exe
GET
404
208.95.112.1:80
http://ip-api.com/json
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6072
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.23.209.177:443
www.bing.com
Akamai International B.V.
GB
whitelisted
1176
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1076
svchost.exe
23.32.186.57:443
go.microsoft.com
AKAMAI-AS
BR
whitelisted
4308
KRNL-bootstrapper.exe
162.159.138.232:443
discord.com
CLOUDFLARENET
whitelisted
4308
KRNL-bootstrapper.exe
162.159.137.232:443
discord.com
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.206
whitelisted
ip-api.com
  • 208.95.112.1
shared
www.bing.com
  • 2.23.209.177
  • 2.23.209.181
  • 2.23.209.179
  • 2.23.209.186
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.183
  • 2.23.209.185
  • 2.23.209.182
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.133
  • 40.126.32.136
  • 40.126.32.134
  • 20.190.160.20
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 23.32.186.57
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.137.232
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.136.232
whitelisted
api.gofile.io
  • 45.112.123.126
whitelisted
store1.gofile.io
  • 45.112.123.227
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
4308
KRNL-bootstrapper.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4308
KRNL-bootstrapper.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4308
KRNL-bootstrapper.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4308
KRNL-bootstrapper.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2192
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
4308
KRNL-bootstrapper.exe
Misc activity
ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2192
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KRNL-bootstrapper.exe