File name: BootstrapperNew.exe

Full analysis: https://app.any.run/tasks/8dcc555e-b97d-4c23-a8b5-92c94af24d70
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 24, 2025, 18:28:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
remote
xworm
stealer
umbralstealer
discord
exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 74A494ECA9B0E770BE13928BFB317B84
SHA1: 657527F817CF87FB4504A8166A6B967BD742ADF7
SHA256: F8E31B5DD426549EFB15C0FF1AC46BE88DCB8F26A69339FE9F48244AAF0E22E7
SSDEEP: 98304:eUYzoojJRba+nPSqNCrRasNk0LW4kr+zIIvt4Fi1VG86jieQEnYr2OCQekIflB2h:k+Jn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • svhost.exe (PID: 6192)
      • XClient.exe (PID: 6260)
    • Adds path to the Windows Defender exclusion list

      • Umbral.exe (PID: 6944)
    • Creates files in the Startup directory

      • svhost.exe (PID: 6192)
      • Umbral.exe (PID: 6944)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 3640)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 3640)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 3640)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3640)
    • Changes settings for real-time protection

      • powershell.exe (PID: 3640)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 3640)
    • XWORM has been detected (YARA)

      • svhost.exe (PID: 6192)
      • XClient.exe (PID: 6260)
    • Actions look like stealing of personal data

      • Umbral.exe (PID: 6944)
    • Steals credentials from Web Browsers

      • Umbral.exe (PID: 6944)
    • UMBRALSTEALER has been detected (SURICATA)

      • Umbral.exe (PID: 6944)
    • Starts CMD.EXE for self-deleting

      • Umbral.exe (PID: 6944)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 3640)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • BootstrapperNew.exe (PID: 3584)
      • BootstrapperNew.exe (PID: 6160)
      • Umbral.exe (PID: 6232)
    • The process creates files with name similar to system file names

      • BootstrapperNew.exe (PID: 3584)
      • svhost.exe (PID: 6192)
    • Executable content was dropped or overwritten

      • BootstrapperNew.exe (PID: 3584)
      • svhost.exe (PID: 6192)
      • Umbral.exe (PID: 6944)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6356)
      • WMIC.exe (PID: 7068)
      • WMIC.exe (PID: 2100)
    • Reads the date of Windows installation

      • Umbral.exe (PID: 6232)
    • Uses WMIC.EXE to obtain Windows Installer data

      • Umbral.exe (PID: 6232)
      • Umbral.exe (PID: 6944)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • svhost.exe (PID: 6192)
      • XClient.exe (PID: 6260)
      • Umbral.exe (PID: 6944)
      • Umbral.exe (PID: 6232)
    • Uses ATTRIB.EXE to modify file attributes

      • Umbral.exe (PID: 6944)
    • Starts POWERSHELL.EXE for commands execution

      • Umbral.exe (PID: 6944)
    • Script adds exclusion path to Windows Defender

      • Umbral.exe (PID: 6944)
    • Connects to unusual port

      • XClient.exe (PID: 6260)
      • svhost.exe (PID: 6192)
    • Script disables Windows Defender's real-time protection

      • Umbral.exe (PID: 6944)
    • Script disables Windows Defender's IPS

      • Umbral.exe (PID: 6944)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 5972)
    • Uses WMIC.EXE to obtain operating system information

      • Umbral.exe (PID: 6944)
    • Uses WMIC.EXE to obtain computer system information

      • Umbral.exe (PID: 6944)
    • Uses WMIC.EXE to obtain a list of video controllers

      • Umbral.exe (PID: 6944)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5576)
    • The process connected to a server suspected of theft

      • Umbral.exe (PID: 6944)
    • Starts CMD.EXE for commands execution

      • Umbral.exe (PID: 6944)
    • Application launched itself

      • Umbral.exe (PID: 6232)
  • INFO

    • Checks supported languages

      • BootstrapperNew.exe (PID: 3584)
      • XClient.exe (PID: 6260)
      • svhost.exe (PID: 6192)
      • BootstrapperNew.exe (PID: 6160)
      • Umbral.exe (PID: 6232)
      • Umbral.exe (PID: 6944)
    • Reads the computer name

      • BootstrapperNew.exe (PID: 6160)
      • BootstrapperNew.exe (PID: 3584)
      • XClient.exe (PID: 6260)
      • svhost.exe (PID: 6192)
      • Umbral.exe (PID: 6232)
      • Umbral.exe (PID: 6944)
    • Creates files in a temporary directory

      • BootstrapperNew.exe (PID: 3584)
      • Umbral.exe (PID: 6944)
    • Process checks computer location settings

      • BootstrapperNew.exe (PID: 3584)
      • Umbral.exe (PID: 6232)
    • Reads Environment values

      • Umbral.exe (PID: 6232)
      • svhost.exe (PID: 6192)
      • XClient.exe (PID: 6260)
      • Umbral.exe (PID: 6944)
    • Reads the machine GUID from the registry

      • Umbral.exe (PID: 6232)
      • svhost.exe (PID: 6192)
      • BootstrapperNew.exe (PID: 6160)
      • XClient.exe (PID: 6260)
      • Umbral.exe (PID: 6944)
    • Disables trace logs

      • Umbral.exe (PID: 6232)
      • XClient.exe (PID: 6260)
      • svhost.exe (PID: 6192)
      • Umbral.exe (PID: 6944)
    • Checks proxy server information

      • Umbral.exe (PID: 6232)
      • svhost.exe (PID: 6192)
      • XClient.exe (PID: 6260)
      • Umbral.exe (PID: 6944)
    • Reads the software policy settings

      • Umbral.exe (PID: 6232)
      • Umbral.exe (PID: 6944)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6356)
      • WMIC.exe (PID: 7068)
      • WMIC.exe (PID: 5972)
      • WMIC.exe (PID: 5036)
      • Taskmgr.exe (PID: 1412)
      • WMIC.exe (PID: 2100)
      • WMIC.exe (PID: 5576)
    • Creates files in the program directory

      • BootstrapperNew.exe (PID: 6160)
      • Umbral.exe (PID: 6944)
    • Creates files or folders in the user directory

      • svhost.exe (PID: 6192)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4428)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4428)
      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 6292)
      • powershell.exe (PID: 2632)
    • Manual execution by a user

      • Taskmgr.exe (PID: 3000)
      • Taskmgr.exe (PID: 1412)
      • WinRAR.exe (PID: 3820)
      • firefox.exe (PID: 900)
    • Application launched itself

      • firefox.exe (PID: 2280)
      • firefox.exe (PID: 900)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

PID: 6192  Process: svhost.exe
C2: 127.0.0.1, 25.ip.gl.ply.gg:15765
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.6
Mutex: R2e4X2Hi3hyjBNRL
PID: 6260  Process: XClient.exe
C2: 127.0.0.1, break-robertson.gl.at.ply.gg:65239
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.1
Mutex: uF2WKX8hzubGqlnw
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 5120
InitializedDataSize: 3393024
UninitializedDataSize: -
EntryPoint: 0x20cc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Bootstrapper
FileVersion: 1.0.0.0
InternalName: Bootstrapper.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: Bootstrapper.exe
ProductName: Bootstrapper
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 184
Monitored processes: 53
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start bootstrappernew.exe bootstrappernew.exe no specs bootstrappernew.exe #XWORM svhost.exe umbral.exe #XWORM xclient.exe wmic.exe no specs conhost.exe no specs svchost.exe #UMBRALSTEALER umbral.exe wmic.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs taskmgr.exe no specs wmic.exe no specs conhost.exe no specs taskmgr.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs rundll32.exe no specs winrar.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 900
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID: 1412
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll
PID: 1596
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1760
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2100
CMD: "wmic.exe" csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: Umbral.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2280
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2572
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 7 -isForBrowser -prefsHandle 5776 -prefMapHandle 5772 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1520 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dc0523f-78ef-441d-804b-1c21870d5d2e} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 165952664d0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
PID: 2632
CMD: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Umbral.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
Total events: 52 597
Read events: 52 478
Write events: 116
Delete events: 3

Modification events

PID: 3584  Process: BootstrapperNew.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write  Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
PID: 6232  Process: Umbral.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write  Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000010901EF8A46ECE11A7FF00AA003CA9F60A010000
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: EnableFileTracing
Value: 0
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: EnableAutoFileTracing
Value: 0
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: EnableConsoleTracing
Value: 0
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: FileTracingMask
Value:
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: ConsoleTracingMask
Value:
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: MaxFileSize
Value: 1048576
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32
Operation: write  Name: FileDirectory
Value: %windir%\tracing
PID: 6192  Process: svhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS
Operation: write  Name: EnableFileTracing
Value: 0
Executable files: 8
Suspicious files: 189
Text files: 73
Unknown types: 0

Dropped files

PID: 6160  Process: BootstrapperNew.exe
Filename: C:\Users\admin\Desktop\CONFIG  Type: binary
MD5: 0284FA0391784125AD3B12BE8C92C6AE
SHA256: 789075B8C810F2B63F86DD1F8B7BE836178AC679A32F2CB2376E013BC78C68C0
PID: 6292  Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wxv0ymkf.jjb.psm1  Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4428  Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fqbdp1va.01h.ps1  Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6192  Process: svhost.exe
Filename: C:\Users\admin\AppData\Roaming\svhost.exe  Type: executable
MD5: E99731341BCB623231A6F2C393EEC3C9
SHA256: 706C7A270AA6E26870E783DF726AD848C88AC537F6C5C11C775909397B671E61
PID: 3584  Process: BootstrapperNew.exe
Filename: C:\Users\admin\AppData\Local\Temp\svhost.exe  Type: executable
MD5: E99731341BCB623231A6F2C393EEC3C9
SHA256: 706C7A270AA6E26870E783DF726AD848C88AC537F6C5C11C775909397B671E61
PID: 4428  Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  Type: binary
MD5: E42B60E6E542EBB82A6FD91F1EEA0C5C
SHA256: 917CCAE5338581232FB3AF46D3B5011D2C5971F51A5ED2061BA632887D597172
PID: 3584  Process: BootstrapperNew.exe
Filename: C:\Users\admin\AppData\Local\Temp\XClient.exe  Type: executable
MD5: 7CB23215DAD49CA80BD08C25142C6320
SHA256: C38DD9AA49773B817877EB68878E1F4B1FD29EE7ED41123C460FE5E2517A3975
PID: 6944  Process: Umbral.exe
Filename: C:\Users\admin\AppData\Local\Temp\U8O1ehhSCstVQHi  Type: binary
MD5: 29A644B1F0D96166A05602FE27B3F4AD
SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
PID: 3584  Process: BootstrapperNew.exe
Filename: C:\Users\admin\AppData\Local\Temp\Umbral.exe  Type: executable
MD5: 29210DB1B467A1B6778C75703DBE7F6D
SHA256: D01F6663FB44E8DCE2616DFA712F9D65EFC3A8D1A4B143649AD9F096ABF2668B
PID: 6944  Process: Umbral.exe
Filename: C:\Users\admin\AppData\Local\Temp\NYhxDYaIZDe7oNv  Type: binary
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 55
TCP/UDP connections: 131
DNS requests: 169
Threats: 42

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5496
svchost.exe
GET
200
184.24.88.193:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5964
RUXIMICS.exe
GET
200
184.24.88.193:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6192
svhost.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
6944
Umbral.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
6260
XClient.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
2280
firefox.exe
POST
200
2.18.127.206:80
http://r11.o.lencr.org/
unknown
whitelisted
6944
Umbral.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
2280
firefox.exe
POST
2.18.127.206:80
http://r11.o.lencr.org/
unknown
whitelisted
5496
svchost.exe
GET
200
23.39.220.57:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5064
SearchApp.exe
2.16.204.153:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5964
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
svchost.exe
23.39.220.57:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
4712
MoUsoCoreWorker.exe
23.39.220.57:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5964
RUXIMICS.exe
23.39.220.57:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5496
svchost.exe
184.24.88.193:80
www.microsoft.com
Akamai International B.V.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.16.204.153
  • 2.16.204.155
  • 2.16.204.141
  • 2.16.204.146
  • 2.16.204.138
  • 2.16.204.156
  • 2.16.204.135
  • 2.16.204.145
  • 2.16.204.161
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
google.com
  • 142.251.39.110
whitelisted
crl.microsoft.com
  • 23.39.220.57
whitelisted
www.microsoft.com
  • 184.24.88.193
  • 23.200.189.225
whitelisted
gstatic.com
  • 172.217.168.195
whitelisted
ip-api.com
  • 208.95.112.1
shared
break-robertson.gl.at.ply.gg
  • 147.185.221.21
unknown
25.ip.gl.ply.gg
  • 147.185.221.25
malicious

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6232
Umbral.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6232
Umbral.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
6260
XClient.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
6260
XClient.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6192
svhost.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
6192
svhost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6944
Umbral.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6944
Umbral.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
No debug info