File name: 1243ab174621dd80118bd66cdf105e4b9289ba13f50aaf6b6d78547e416b345c

Full analysis: https://app.any.run/tasks/847f52be-5fef-41bb-8f1a-6112510ac47a
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: March 24, 2025, 16:18:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
snake
keylogger
stealer
ims-api
generic
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: D4E110B1530A02979126F94850E03681
SHA1: 6EF73088C26E2A8A70AD3652426BD78A107BE847
SHA256: 1243AB174621DD80118BD66CDF105E4B9289BA13F50AAF6B6D78547E416B345C
SSDEEP: 24576:GN/dwJhoBGKRRZ490FhElO8mkJ+Mlova9XegqkZSU3Bo7JfWK02DDXra:GN/dwJhoBGKRRZ490FhElO8mkJ+Mloi3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5256)
    • Create files in the Startup directory

      • Idonna.exe (PID: 6712)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • New Order.exe (PID: 1184)
    • Starts itself from another location

      • New Order.exe (PID: 1184)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5548)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 5256)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5256)
      • ShellExperienceHost.exe (PID: 6248)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 5256)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • The process verifies whether the antivirus software is installed

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
  • INFO

    • Reads the machine GUID from the registry

      • New Order.exe (PID: 1184)
      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • Manual execution by a user

      • New Order.exe (PID: 1184)
      • wscript.exe (PID: 5548)
    • Create files in a temporary directory

      • New Order.exe (PID: 1184)
      • Idonna.exe (PID: 6712)
      • Idonna.exe (PID: 6700)
      • MpCmdRun.exe (PID: 1660)
    • Checks supported languages

      • New Order.exe (PID: 1184)
      • Idonna.exe (PID: 6712)
      • RegSvcs.exe (PID: 2692)
      • Idonna.exe (PID: 6700)
      • RegSvcs.exe (PID: 6972)
      • MpCmdRun.exe (PID: 1660)
      • ShellExperienceHost.exe (PID: 6248)
    • Reads mouse settings

      • New Order.exe (PID: 1184)
      • Idonna.exe (PID: 6712)
      • Idonna.exe (PID: 6700)
    • Creates files or folders in the user directory

      • New Order.exe (PID: 1184)
      • Idonna.exe (PID: 6712)
      • BackgroundTransferHost.exe (PID: 1096)
    • The sample was compiled with English language support

      • New Order.exe (PID: 1184)
      • WinRAR.exe (PID: 5256)
    • Autorun file from Startup directory

      • Idonna.exe (PID: 6712)
    • Reads the computer name

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
      • MpCmdRun.exe (PID: 1660)
    • Disables trace logs

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
      • slui.exe (PID: 1188)
      • BackgroundTransferHost.exe (PID: 1096)
    • Checks proxy server information

      • RegSvcs.exe (PID: 2692)
      • RegSvcs.exe (PID: 6972)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5256)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 1096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process: (2692) RegSvcs.exe
Keys
DES: 6fc98cd68a1aab8b
Options
Telegram Bot Token: 8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY
Telegram Chat ID: 932962718
(PID) Process: (6972) RegSvcs.exe
Keys
DES: 6fc98cd68a1aab8b
Options
Telegram Bot Token: 8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY
Telegram Chat ID: 932962718

ims-api

(PID) Process: (2692) RegSvcs.exe
Telegram-Tokens (1): 8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY
Telegram-Info-Links for token 8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY
Get info about bot: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/getMe
Get incoming updates: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/getUpdates
Get webhook: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/getWebhookInfo
Delete webhook: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/deleteWebhook?drop_pending_updates=true
(PID) Process: (6972) RegSvcs.exe
Telegram-Tokens (1): 8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY
Telegram-Info-Links for token 8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY
Get info about bot: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/getMe
Get incoming updates: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/getUpdates
Get webhook: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/getWebhookInfo
Delete webhook: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot8190738970:AAHDKy-RjRSDn_rrrNASRNpb-wFunaqVjHY/deleteWebhook?drop_pending_updates=true
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:24 02:20:36
ZipCRC: 0x8994c082
ZipCompressedSize: 580912
ZipUncompressedSize: 1007616
ZipFileName: New Order.exe
No data.
All screenshots are available in the full report
Total processes
149
Monitored processes
18
Malicious processes
6
Suspicious processes
1

Behavior graph

Processes shown in the graph: winrar.exe, new order.exe, idonna.exe, regsvcs.exe (#SNAKE), svchost.exe, wscript.exe (no specs), idonna.exe (no specs), regsvcs.exe (#SNAKE), cmd.exe (no specs), conhost.exe (no specs), mpcmdrun.exe (no specs), backgroundtransferhost.exe (no specs), backgroundtransferhost.exe, backgroundtransferhost.exe (no specs), backgroundtransferhost.exe (no specs), backgroundtransferhost.exe (no specs), slui.exe, shellexperiencehost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1096
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1184
CMD: "C:\Users\admin\Desktop\New Order.exe"
Path: C:\Users\admin\Desktop\New Order.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\new order.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 1188
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1660
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5256.42143"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2240
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2644
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2692
CMD: "C:\Users\admin\Desktop\New Order.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: Idonna.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3884
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR5256.42143\Rar$Scan11652.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 5244
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
Total events
19 376
Read events
19 336
Write events
40
Delete events
0

Modification events

(PID) Process | Key | Operation | Name | Value
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\1243ab174621dd80118bd66cdf105e4b9289ba13f50aaf6b6d78547e416b345c.zip
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(5256) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2692) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableFileTracing | 0
(2692) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableAutoFileTracing | 0
Executable files
2
Suspicious files
9
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type
1096 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b503337d-160b-435f-b2e3-07047969dfd2.down_data | -
MD5: - | SHA256: -
1184 | New Order.exe | C:\Users\admin\AppData\Local\Temp\lophophorine | binary
MD5: 899C0395188ED574A7F337AEEA72A124 | SHA256: FE6AC1DE2E94789166DA27172611311C043C5F3243F68D917EEFB55D2A026A6D
1184 | New Order.exe | C:\Users\admin\AppData\Local\ambiparous\Idonna.exe | executable
MD5: 785065D28A9AD5186B5936EAD47E8E3F | SHA256: 41924157EF5F3D24742D210E8A62807C387DD5592BEE9814B78A45D26B446FA6
1184 | New Order.exe | C:\Users\admin\AppData\Local\Temp\autCD83.tmp | binary
MD5: F5750DEB77C78E9C6F7895ED9EAF2888 | SHA256: 75FC105A6DE77CB60461F87EE0679FEF7DDEAA1A7BF8F419FAD7621FE6A41119
1660 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | binary
MD5: EA418DA6DF12191A72A9D71A59521651 | SHA256: 55604361E814781C0B9F89B2B90F29391CB45FC2AA8D4D77F50386D2D93CBCD7
6712 | Idonna.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Idonna.vbs | binary
MD5: 240E6772EA66E8111CDED311BDD649D0 | SHA256: 29B8F3C99AF40662F90E1B018117AFDF83FC809C0B6BAF0EFCA3023A166253A4
5256 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5256.42143\Rar$Scan11652.bat | text
MD5: F2468DA5B6E1B57D6AA2060B72E5E2B5 | SHA256: E821B17E378A0F879B4B18D61BFA82C01C4B450A1FB9ED5177E961C8F2197D80
1096 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\197f9bce-8ede-4c93-83d0-ae7916973e29.3f4d7f32-6d3c-42cc-93f8-1205896a4977.down_meta | binary
MD5: C84A4DBEB02B049485751C95CF1446FC | SHA256: BBBDC17BF6D39A5133783B9601973F252CAC2A90F29377FC7F09138FEE30CF85
1096 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\197f9bce-8ede-4c93-83d0-ae7916973e29.up_meta_secure | binary
MD5: B42B56C7B66088EF561BC6AC815DDF18 | SHA256: 10863B84F2C2941BEBC5DB8E57BB2553A569715D425D80E750754DF17106D05B
5256 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5256.42143\1243ab174621dd80118bd66cdf105e4b9289ba13f50aaf6b6d78547e416b345c.zip\New Order.exe | executable
MD5: 785065D28A9AD5186B5936EAD47E8E3F | SHA256: 41924157EF5F3D24742D210E8A62807C387DD5592BEE9814B78A45D26B446FA6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
66
TCP/UDP connections
51
DNS requests
22
Threats
25

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.171:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
6972 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2692 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
6972 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 23.48.23.171:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2692 | RegSvcs.exe | 132.226.8.169:80 | checkip.dyndns.org | ORACLE-BMC-31898 | JP | whitelisted
2692 | RegSvcs.exe | 104.21.112.1:443 | reallyfreegeoip.org | CLOUDFLARENET | - | malicious
6972 | RegSvcs.exe | 132.226.8.169:80 | checkip.dyndns.org | ORACLE-BMC-31898 | JP | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
whitelisted
checkip.dyndns.org
  • 132.226.8.169
  • 132.226.247.73
  • 193.122.6.168
  • 158.101.44.242
  • 193.122.130.0
whitelisted
reallyfreegeoip.org
malicious
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
whitelisted
login.live.com
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
2692 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2692 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2692 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2196 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
2692 | RegSvcs.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2692 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2692 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2692 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
No debug info