File name: RemasterSouls1.0.0.msi
Full analysis: https://app.any.run/tasks/98baad22-f5a8-4385-b3c6-517d2c72ba62
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their victims by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 22, 2025, 23:33:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
auto-startup
stealer
arch-doc
auto-download
discord
evasion
ims-api
generic
discordgrabber
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RemasterSouls, Author: Unreal Game Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install RemasterSouls., Template: x64;1033, Revision Number: {D0C3A7BA-8C3A-45F4-9376-1247E442C08B}, Create Time/Date: Sun Jun 8 23:00:34 2025, Last Saved Time/Date: Sun Jun 8 23:00:34 2025, Number of Pages: 500, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.0.5512), Security: 2
MD5: A8E6C877B08E7D57DCA3BC630E61D7F2
SHA1: 7CA074378C2A75088C85BA9E773B025046135D6F
SHA256: F3A00C61814CFBB3D5ACE0BFC9AB618637034B1BABC852B3CC2EB59699E5F338
SSDEEP: 1572864:myYv/svjhfPP3EtISzLHNOy3EpdxajkrK8TuhZ:myo2NfH3CpHHNfEpOjuLKh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • RemasterSouls.exe (PID: 6472)
    • Actions look like stealing of personal data

      • RemasterSouls.exe (PID: 6472)
    • Steals credentials from Web Browsers

      • RemasterSouls.exe (PID: 6472)
    • Modifies files in the Chrome extension folder

      • RemasterSouls.exe (PID: 6472)
    • DISCORDGRABBER has been detected (YARA)

      • RemasterSouls.exe (PID: 6472)
    • Suspicious browser debugging (Possible cookie theft)

      • msedge.exe (PID: 6504)
      • msedge.exe (PID: 2792)
      • msedge.exe (PID: 4116)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 1160)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1160)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6256)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4808)
    • Starts CMD.EXE for commands execution

      • RemasterSouls.exe (PID: 6472)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2648)
    • The process executes VB scripts

      • cmd.exe (PID: 3388)
      • cmd.exe (PID: 3640)
      • cmd.exe (PID: 2604)
      • cmd.exe (PID: 4172)
      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 7608)
      • cmd.exe (PID: 6220)
      • cmd.exe (PID: 7404)
      • cmd.exe (PID: 2272)
      • cmd.exe (PID: 7776)
    • Cryptography encrypted command line is found

      • cmd.exe (PID: 3396)
      • powershell.exe (PID: 6960)
      • powershell.exe (PID: 6876)
      • cmd.exe (PID: 6376)
      • powershell.exe (PID: 2272)
      • cmd.exe (PID: 7288)
      • cmd.exe (PID: 8092)
      • powershell.exe (PID: 7192)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 6376)
      • cmd.exe (PID: 7288)
      • cmd.exe (PID: 8092)
    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 7040)
      • cmd.exe (PID: 7984)
      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 7500)
      • cmd.exe (PID: 4984)
      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 6236)
      • cmd.exe (PID: 2580)
      • cmd.exe (PID: 4676)
    • Application launched itself

      • RemasterSouls.exe (PID: 6472)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • RemasterSouls.exe (PID: 6472)
    • MS Edge headless start

      • msedge.exe (PID: 6504)
      • msedge.exe (PID: 2792)
      • msedge.exe (PID: 7892)
      • msedge.exe (PID: 4116)
      • msedge.exe (PID: 7420)
    • Checks for external IP

      • RemasterSouls.exe (PID: 6472)
    • Potential Corporate Privacy Violation

      • RemasterSouls.exe (PID: 6472)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 1160)
      • RemasterSouls.exe (PID: 6472)
      • RemasterSouls.exe (PID: 6304)
      • RemasterSouls.exe (PID: 2464)
    • An automatically generated document

      • msiexec.exe (PID: 1216)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1160)
      • RemasterSouls.exe (PID: 6472)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1160)
    • Reads product name

      • RemasterSouls.exe (PID: 6472)
    • Checks supported languages

      • RemasterSouls.exe (PID: 6472)
      • msiexec.exe (PID: 1160)
      • RemasterSouls.exe (PID: 6304)
      • RemasterSouls.exe (PID: 2464)
    • Reads Environment values

      • RemasterSouls.exe (PID: 6472)
    • Launching a file from the Startup directory

      • RemasterSouls.exe (PID: 6472)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 3620)
      • cscript.exe (PID: 5168)
      • cscript.exe (PID: 2192)
      • cscript.exe (PID: 2276)
      • notepad.exe (PID: 7844)
      • mmc.exe (PID: 6460)
      • cscript.exe (PID: 4048)
      • notepad.exe (PID: 7524)
      • cscript.exe (PID: 7536)
      • notepad.exe (PID: 7520)
      • cscript.exe (PID: 3832)
      • notepad.exe (PID: 7968)
      • notepad.exe (PID: 3740)
      • notepad.exe (PID: 3748)
      • cscript.exe (PID: 2536)
      • WMIC.exe (PID: 6256)
      • notepad.exe (PID: 7672)
      • notepad.exe (PID: 8144)
      • cscript.exe (PID: 7340)
      • cscript.exe (PID: 7280)
    • Create files in a temporary directory

      • RemasterSouls.exe (PID: 6472)
    • Manual execution by a user

      • RemasterSouls.exe (PID: 3780)
      • notepad.exe (PID: 7844)
      • notepad.exe (PID: 7600)
      • OpenWith.exe (PID: 5124)
      • mmc.exe (PID: 1068)
      • mmc.exe (PID: 6460)
      • notepad.exe (PID: 7524)
      • notepad.exe (PID: 7520)
      • notepad.exe (PID: 7968)
      • notepad.exe (PID: 3740)
      • notepad.exe (PID: 3748)
      • notepad.exe (PID: 8144)
      • notepad.exe (PID: 7672)
    • Reads the machine GUID from the registry

      • RemasterSouls.exe (PID: 6472)
    • Application launched itself

      • chrome.exe (PID: 6524)
      • chrome.exe (PID: 7584)
      • msedge.exe (PID: 2792)
      • chrome.exe (PID: 5400)
      • chrome.exe (PID: 2588)
      • msedge.exe (PID: 4116)
    • Checks proxy server information

      • RemasterSouls.exe (PID: 6472)
      • slui.exe (PID: 7420)
    • Launching a file from the Downloads directory

      • chrome.exe (PID: 6524)
      • chrome.exe (PID: 5400)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5124)
    • Process checks computer location settings

      • RemasterSouls.exe (PID: 6472)
    • Reads CPU info

      • RemasterSouls.exe (PID: 6472)
    • Manages system restore points

      • SrTasks.exe (PID: 6620)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1160)
    • The sample was compiled with English language support

      • msiexec.exe (PID: 1160)
    • Reads the software policy settings

      • slui.exe (PID: 7420)
    • Attempting to use instant messaging service

      • RemasterSouls.exe (PID: 6472)

ims-api

(PID) Process(6472) RemasterSouls.exe
Discord-Webhook-Tokens (3)
Discord-Info-Links
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: RemasterSouls
Author: Unreal Game Inc.
Keywords: Installer
Comments: This installer database contains the logic and data required to install RemasterSouls.
Template: x64;1033
RevisionNumber: {D0C3A7BA-8C3A-45F4-9376-1247E442C08B}
CreateDate: 2025:06:08 23:00:34
ModifyDate: 2025:06:08 23:00:34
Pages: 500
Words: 2
Software: WiX Toolset (4.0.0.5512)
Security: Read-only recommended
Total processes: 292
Monitored processes: 165
Malicious processes: 5
Suspicious processes: 3

Behavior graph

[Process graph not rendered in this export. The flattened graph lists, in order: msiexec.exe, vssvc.exe, srtasks.exe and conhost.exe; remastersouls.exe (tagged #DISCORDGRABBER); repeated cmd.exe / conhost.exe pairs launching wmic.exe, cscript.exe, powershell.exe and taskkill.exe; and the chrome.exe and msedge.exe process trees, together with notepad.exe, openwith.exe, mmc.exe, rundll32.exe, slui.exe and svchost.exe. The interactive view is in the full report.]

Process information
PID: 756
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3972,i,12411509968188840706,1267158542817515006,262144 --variations-seed-version=20250620-130034.957000 --mojo-platform-channel-handle=3912 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 768
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5776,i,12411509968188840706,1267158542817515006,262144 --variations-seed-version=20250620-130034.957000 --mojo-platform-channel-handle=5784 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
1
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1068
CMD: "C:\WINDOWS\system32\mmc.exe" C:\Users\admin\Desktop\Makefile.msc
Path: C:\Windows\System32\mmc.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
PID: 1068
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc44c6fff8,0x7ffc44c70004,0x7ffc44c70010
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1160
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1216
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\RemasterSouls1.0.0.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1576
CMD: taskkill /F /T /IM msedge.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1712
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2124,i,12411509968188840706,1267158542817515006,262144 --variations-seed-version=20250620-130034.957000 --mojo-platform-channel-handle=2116 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
1
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1800
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: cscript //Nologo "C:\Users\admin\AppData\Local\Temp\8679372186.vbs"
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 60 545
Read events: 60 121
Write events: 404
Delete events: 20

Modification events

(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000982A971FCEE3DB01580A0000E4110000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000982A971FCEE3DB01580A0000F41A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000982A971FCEE3DB01580A00005C160000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000982A971FCEE3DB01580A000008100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
480000000000000073F19B1FCEE3DB01580A0000F41A0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value: (empty)
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value: (empty)
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: write
Name: Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process: (2648) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: delete key
Name: (default)
Value: (empty)
Executable files: 18
Suspicious files: 285
Text files: 186
Unknown types: 1

Dropped files

PID: 1160; Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\Windows\Installer\17b594.msi
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Programs\remastersouls\LICENSES.chromium.html
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Programs\remastersouls\RemasterSouls.exe
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Programs\remastersouls\icudtl.dat
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Programs\remastersouls\resources.pak
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Programs\remastersouls\resources\app.asar
MD5:
SHA256:
PID: 1160; Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:662E3F3D949C56ED722DD926E20C49B2
SHA256:7AF092673E1132F65EC27E2F67E3A671485F49F023B9CA0071FBAC19CC71F74E
PID: 1160; Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{f5070dfd-5b9a-4be5-be66-1b8e47662866}_OnDiskSnapshotProp
Type: binary
MD5:662E3F3D949C56ED722DD926E20C49B2
SHA256:7AF092673E1132F65EC27E2F67E3A671485F49F023B9CA0071FBAC19CC71F74E
PID: 1160; Process: msiexec.exe
Filename: C:\Windows\Installer\MSIB892.tmp
Type: binary
MD5:2FADB73A19D68FB0ECEC64FC3AFE7A34
SHA256:07818D5A3AC30FEA3806FF1EB0A8AE1E571AC8894A56E00086CBEEA630C8B578
HTTP(S) requests: 172
TCP/UDP connections: 150
DNS requests: 111
Threats: 27

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
- | - | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.246.101 | whitelisted
login.live.com | 20.190.160.2, 20.190.160.4, 40.126.32.136, 20.190.160.20, 40.126.32.72, 20.190.160.5, 20.190.160.130, 40.126.32.140 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.22 | whitelisted
go.microsoft.com | 23.53.113.159 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted

Threats

Class | Message
Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Potential Corporate Privacy Violation | ET INFO IP Check Domain (myexternalip .com in TLS SNI)
Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
Process | Message
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )