File name:

loader.hta

Full analysis: https://app.any.run/tasks/8233c6d1-5500-4c01-9803-95afd8a54566
Verdict: Malicious activity
Analysis date: June 04, 2025, 16:55:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
susp-powershell
auto-reg
qrcode
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines (541), with CRLF line terminators
MD5:

A80D5A07913CED6738F1F845C462F2AB

SHA1:

516B2B1F54448DEAD08B10A86F26D55521E1E6C1

SHA256:

28C7A42EA20ED1C1FF841686E67A8F23B189D038CD16BDEDB6DFD325D1F00A81

SSDEEP:

12:7LrB3Q5Hs80lBq1O0ek5vCb6hkUReok1a1NG/MvTrW0ncKAfoIAucKAd31b:7nBSHGl2eo+URDk1a1NgoTrW0czfoI6X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1196)
    • Changes the autorun value in the registry

      • setup.exe (PID: 6436)
  • SUSPICIOUS

    • BASE64 encoded PowerShell command has been detected

      • mshta.exe (PID: 4400)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 4400)
      • powershell.exe (PID: 5772)
    • Base64-obfuscated command line is found

      • mshta.exe (PID: 4400)
    • Starts process via Powershell

      • powershell.exe (PID: 1196)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1196)
    • Application launched itself

      • powershell.exe (PID: 5772)
      • win.exe (PID: 1088)
      • updater.exe (PID: 4188)
      • updater.exe (PID: 1164)
      • updater.exe (PID: 7768)
      • setup.exe (PID: 7220)
      • setup.exe (PID: 6436)
      • updater.exe (PID: 4652)
      • updater.exe (PID: 8272)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1196)
      • updater.exe (PID: 7768)
      • updater.exe (PID: 4188)
      • 137.0.7151.57_chrome_installer.exe (PID: 7952)
      • setup.exe (PID: 6436)
      • updater.exe (PID: 4652)
      • updater.exe (PID: 8272)
    • Reads security settings of Internet Explorer

      • win.exe (PID: 1088)
      • updater.exe (PID: 7768)
    • Executes as Windows Service

      • updater.exe (PID: 4188)
      • updater.exe (PID: 1164)
      • updater.exe (PID: 4652)
    • Creates a software uninstall entry

      • setup.exe (PID: 6436)
      • chrome.exe (PID: 2284)
    • Searches for installed software

      • setup.exe (PID: 6436)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 4400)
    • Creates files in the program directory

      • win.exe (PID: 7824)
      • updater.exe (PID: 7768)
      • updater.exe (PID: 8180)
      • updater.exe (PID: 4188)
      • updater.exe (PID: 1164)
      • setup.exe (PID: 7220)
      • setup.exe (PID: 6436)
    • Reads the computer name

      • updater.exe (PID: 7768)
      • win.exe (PID: 7824)
      • win.exe (PID: 1088)
      • updater.exe (PID: 4188)
      • updater.exe (PID: 1164)
      • 137.0.7151.57_chrome_installer.exe (PID: 7952)
      • setup.exe (PID: 6436)
      • setup.exe (PID: 7220)
      • elevation_service.exe (PID: 6368)
    • Checks supported languages

      • updater.exe (PID: 7768)
      • win.exe (PID: 1088)
      • updater.exe (PID: 872)
      • updater.exe (PID: 4188)
      • win.exe (PID: 7824)
      • updater.exe (PID: 8180)
      • updater.exe (PID: 7448)
      • updater.exe (PID: 1164)
      • 137.0.7151.57_chrome_installer.exe (PID: 7952)
      • setup.exe (PID: 6436)
      • setup.exe (PID: 7220)
      • setup.exe (PID: 7284)
      • setup.exe (PID: 7948)
      • elevation_service.exe (PID: 6368)
    • The executable file from the user directory is run by the Powershell process

      • win.exe (PID: 1088)
    • Disables trace logs

      • powershell.exe (PID: 1196)
    • Found Base64 encoded network access via PowerShell (YARA)

      • mshta.exe (PID: 4400)
      • powershell.exe (PID: 5772)
    • Process checks computer location settings

      • win.exe (PID: 1088)
    • The sample compiled with english language support

      • powershell.exe (PID: 1196)
      • updater.exe (PID: 7768)
      • updater.exe (PID: 4188)
      • 137.0.7151.57_chrome_installer.exe (PID: 7952)
      • setup.exe (PID: 6436)
      • updater.exe (PID: 4652)
      • updater.exe (PID: 8272)
    • Checks proxy server information

      • powershell.exe (PID: 1196)
      • updater.exe (PID: 7768)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 7768)
      • updater.exe (PID: 4188)
      • updater.exe (PID: 1164)
    • Reads the machine GUID from the registry

      • updater.exe (PID: 7768)
    • Reads the software policy settings

      • updater.exe (PID: 1164)
      • updater.exe (PID: 7768)
      • slui.exe (PID: 2840)
    • Creates files or folders in the user directory

      • updater.exe (PID: 7768)
    • Create files in a temporary directory

      • updater.exe (PID: 7768)
    • Manual execution by a user

      • chrome.exe (PID: 2284)
      • chrmstp.exe (PID: 4448)
      • msedge.exe (PID: 6572)
      • msedge.exe (PID: 8760)
    • Application launched itself

      • chrome.exe (PID: 2284)
      • chrmstp.exe (PID: 4448)
      • chrmstp.exe (PID: 968)
      • msedge.exe (PID: 6572)
    • Launching a file from a Registry key

      • setup.exe (PID: 6436)
    • Executes as Windows Service

      • elevation_service.exe (PID: 6368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
239
Monitored processes
105
Malicious processes
5
Suspicious processes
4

Behavior graph

start mshta.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe powershell.exe win.exe no specs win.exe updater.exe updater.exe no specs updater.exe updater.exe no specs updater.exe updater.exe no specs 137.0.7151.57_chrome_installer.exe setup.exe setup.exe no specs setup.exe no specs setup.exe no specs chrome.exe chrome.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrome.exe no specs chrome.exe elevation_service.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs slui.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs updater.exe updater.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs updatersetup.exe no specs msedge.exe no specs updater.exe updater.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
512
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=7312 --field-trial-handle=2344,i,17364516292009682591,3204150668669567606,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
516
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --force-high-res-timeticks=disabled --field-trial-handle=1852,i,14707591877292821890,11993643971399146958,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
137.0.7151.57
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\137.0.7151.57\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
536
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --force-high-res-timeticks=disabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=1852,i,14707591877292821890,11993643971399146958,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
137.0.7151.57
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\137.0.7151.57\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
632
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --force-high-res-timeticks=disabled --field-trial-handle=1852,i,14707591877292821890,11993643971399146958,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
137.0.7151.57
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
772
CMD:
"C:\Program Files\Google\Chrome\Application\137.0.7151.57\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=137.0.7151.57 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7ff758977ae0,0x7ff758977aec,0x7ff758977af8
Path:
C:\Program Files\Google\Chrome\Application\137.0.7151.57\Installer\chrmstp.exe
Parent process:
chrmstp.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome Installer
Exit code:
0
Version:
137.0.7151.57
Modules
Images
c:\program files\google\chrome\application\137.0.7151.57\installer\chrmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
776
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=7164 --field-trial-handle=2344,i,17364516292009682591,3204150668669567606,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
872
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\136.0.7079.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\136.0.7079.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=136.0.7079.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0xf4d810,0xf4d81c,0xf4d828
Path:
C:\Program Files (x86)\Google\GoogleUpdater\136.0.7079.0\updater.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
136.0.7079.0
Modules
Images
c:\program files (x86)\google\googleupdater\136.0.7079.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
968
CMD:
"C:\Program Files\Google\Chrome\Application\137.0.7151.57\Installer\chrmstp.exe" --channel=stable --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0
Path:
C:\Program Files\Google\Chrome\Application\137.0.7151.57\Installer\chrmstp.exe
Parent process:
chrmstp.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome Installer
Exit code:
73
Version:
137.0.7151.57
Modules
Images
c:\program files\google\chrome\application\137.0.7151.57\installer\chrmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1088
CMD:
"C:\Users\admin\AppData\Local\Temp\win.exe"
Path:
C:\Users\admin\AppData\Local\Temp\win.exe
Parent process:
powershell.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Installer
Exit code:
0
Version:
136.0.7079.0
Modules
Images
c:\users\admin\appdata\local\temp\win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1164
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\136.0.7079.0\updater.exe" --system --windows-service --service=update
Path:
C:\Program Files (x86)\Google\GoogleUpdater\136.0.7079.0\updater.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
136.0.7079.0
Modules
Images
c:\program files (x86)\google\googleupdater\136.0.7079.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
32 110
Read events
31 805
Write events
275
Delete events
30

Modification events

(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
EnableConsoleTracing
Value:
0
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
FileTracingMask
Value:
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
ConsoleTracingMask
Value:
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
MaxFileSize
Value:
1048576
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
FileDirectory
Value:
%windir%\tracing
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(1196) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:
write
Name:
EnableConsoleTracing
Value:
0
Executable files
11
Suspicious files
374
Text files
111
Unknown types
45

Dropped files

PID
Process
Filename
Type
PID:
7824
Process:
win.exe
Filename:
C:\Windows\SystemTemp\Google7824_1046160566\UPDATER.PACKED.7Z
MD5:
SHA256:
PID:
1196
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\win.exe
Type:
executable
MD5:
0222B1C74589AF9A464333FD731AE47A
SHA256:
9BE6B76940528BEFE340F5EEB60CB5F438905023A005C983028B9345D5B34B19
PID:
5772
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type:
binary
MD5:
B6BF6BF9A81DA057A43D8961C23E7B5B
SHA256:
538748D85253B236C19B012DC47ABAC67A367BCB142D74B6EF7B028D3F84B2A1
PID:
5772
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NC01Z753MLSJE25PU2EL.temp
Type:
binary
MD5:
B6BF6BF9A81DA057A43D8961C23E7B5B
SHA256:
538748D85253B236C19B012DC47ABAC67A367BCB142D74B6EF7B028D3F84B2A1
PID:
1196
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cid044ri.aqb.ps1
Type:
text
MD5:
D17FE0A3F47BE24A6453E9EF58C94641
SHA256:
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID:
5772
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l3x1skvh.lbm.ps1
Type:
text
MD5:
D17FE0A3F47BE24A6453E9EF58C94641
SHA256:
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID:
5772
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sj15jm5r.s3j.psm1
Type:
text
MD5:
D17FE0A3F47BE24A6453E9EF58C94641
SHA256:
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID:
1196
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t20yvz10.nn4.psm1
Type:
text
MD5:
D17FE0A3F47BE24A6453E9EF58C94641
SHA256:
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID:
7768
Process:
updater.exe
Filename:
C:\Program Files (x86)\Google\GoogleUpdater\136.0.7079.0\Crashpad\settings.dat
Type:
binary
MD5:
343B7E0FC3C1D2C59A0BB1DD086BDC3B
SHA256:
D8B4726D9F9B20444A127AB58BBDE3BB1593D74676FA7DE9D145DBEDA4F4EACA
PID:
7768
Process:
updater.exe
Filename:
C:\Program Files (x86)\Google\GoogleUpdater\25396094-11d2-4028-af54-514a0a823da7.tmp
Type:
binary
MD5:
75BBDA62E58EE8F3585AD25F0AB66D03
SHA256:
2F65D82BC4038B8003886E6DBCF1BE5C07397C851D61257ADDB88E9B9B6F4E96
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
118
DNS requests
134
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
732
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7768
updater.exe
GET
200
142.250.185.195:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
732
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7768
updater.exe
GET
200
142.250.185.195:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7768
updater.exe
GET
200
142.250.185.195:80
http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEGXWjqQNO7dNEog5tJx4f5A%3D
unknown
whitelisted
1164
updater.exe
GET
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome/ixziixg3u66a2zh5ol7wwdkrh4_137.0.7151.57/-8a69d345-d564-463c-aff1-a69d9e530f96-_137.0.7151.57_all_igsus64bqp7lsfrodsnxbdhujq.crx3
unknown
whitelisted
4572
chrome.exe
GET
200
172.217.18.110:80
http://clients2.google.com/time/1/current?cup2key=9:itHMl-iOS-0K-nuKHk7E5nvea68mT6Y_WIu9RaXGqso&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5496
MoUsoCoreWorker.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
7308
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
7560
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
1196
powershell.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted
1196
powershell.exe
185.199.108.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
6544
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.16.253.202
whitelisted
github.com
  • 140.82.121.3
whitelisted
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.130
  • 40.126.31.0
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
4572
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4572
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4572
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4572
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8132
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8132
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8132
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8132
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8132
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
No debug info