URL: https://www.dropbox.com/scl/fi/v1xqg7ipje0m3ciyi50wp/Gariban.7z?rlkey=bukhnunpaz1f05iufy66dyxog&st=o9a5a5y7&dl=1

Full analysis: https://app.any.run/tasks/84a4b8ac-78bd-442c-ae66-36bbce58b845
Verdict: Malicious activity
Threats:

Stealers are a family of malicious software built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data: files, saved passwords, cryptocurrency wallets and the like. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: April 02, 2026, 23:28:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anti-evasion
discord
stealer
Indicators:
MD5: 4B636CE3485E6201E23EA7CEF5326F23
SHA1: 2CD1BEA0C1FCC35B6CEC47DE264FAF52A559F1D3
SHA256: 2E04F11CC9479BA374285A55D82DA04556F5BB78612966563BF38185679DDF61
SSDEEP: 3:N8DSLcVHGkG6w2Ml9W4q9ISCJDmMcy/DW1QCwYUn:2OLHkb4qhC5/DRvn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 3036)
    • Steals credentials from Web Browsers

      • Gariban.exe (PID: 7884)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 8088)
      • cmd.exe (PID: 3448)
      • cmd.exe (PID: 3036)
      • cmd.exe (PID: 7592)
      • cmd.exe (PID: 800)
      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 6116)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 2684)
      • cmd.exe (PID: 3212)
      • cmd.exe (PID: 8148)
      • cmd.exe (PID: 7684)
    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 8088)
      • cmd.exe (PID: 3448)
      • cmd.exe (PID: 3036)
      • cmd.exe (PID: 7592)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 6116)
      • cmd.exe (PID: 800)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 3212)
      • cmd.exe (PID: 2684)
      • cmd.exe (PID: 8148)
      • cmd.exe (PID: 7684)
    • Executable content was dropped or overwritten

      • Gariban.exe (PID: 3076)
      • Gariban.exe (PID: 7768)
      • csc.exe (PID: 7192)
      • csc.exe (PID: 5616)
    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 8088)
      • cmd.exe (PID: 3448)
      • cmd.exe (PID: 3036)
      • cmd.exe (PID: 7592)
      • cmd.exe (PID: 800)
      • cmd.exe (PID: 6116)
      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 2684)
      • cmd.exe (PID: 3212)
      • cmd.exe (PID: 8148)
      • cmd.exe (PID: 7684)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 8088)
      • cmd.exe (PID: 3036)
    • The process checks if it is being run in the virtual environment

      • Gariban.exe (PID: 3076)
      • Gariban.exe (PID: 7884)
    • The process hides an interactive prompt from the user

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 3036)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7820)
      • powershell.exe (PID: 1684)
    • The process hides Powershell's copyright startup banner

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 3036)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 3036)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7820)
      • powershell.exe (PID: 1684)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 3036)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7192)
      • csc.exe (PID: 5616)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 3036)
    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 7768)
      • net.exe (PID: 1164)
      • cmd.exe (PID: 7592)
      • net.exe (PID: 8072)
    • Starts process via Powershell

      • powershell.exe (PID: 7528)
    • Possible stealing of cloud data

      • Gariban.exe (PID: 7884)
      • Gariban.exe (PID: 7768)
      • Gariban.exe (PID: 3076)
    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 800)
      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 6116)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 7392)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7684)
      • cmd.exe (PID: 8148)
      • cmd.exe (PID: 3212)
      • cmd.exe (PID: 2684)
    • Possible stealing of messenger data

      • Gariban.exe (PID: 7884)
    • Possible stealing from crypto wallets

      • Gariban.exe (PID: 7884)
    • Loads DLL from Mozilla Firefox

      • Gariban.exe (PID: 7884)
  • INFO

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8028)
    • Application launched itself

      • chrome.exe (PID: 2676)
    • Reads product name

      • Gariban.exe (PID: 3076)
      • Gariban.exe (PID: 7768)
      • Gariban.exe (PID: 7884)
    • Reads the computer name

      • Gariban.exe (PID: 3076)
      • Gariban.exe (PID: 7884)
    • Reads CPU info

      • Gariban.exe (PID: 3076)
      • Gariban.exe (PID: 7884)
    • Checks supported languages

      • Gariban.exe (PID: 7768)
      • csc.exe (PID: 7192)
      • cvtres.exe (PID: 4816)
      • Gariban.exe (PID: 7884)
      • csc.exe (PID: 5616)
      • cvtres.exe (PID: 420)
      • Gariban.exe (PID: 3076)
    • Reads the machine GUID from the registry

      • Gariban.exe (PID: 7768)
      • csc.exe (PID: 7192)
      • Gariban.exe (PID: 7884)
      • csc.exe (PID: 5616)
      • Gariban.exe (PID: 3076)
    • Reads Environment values

      • Gariban.exe (PID: 7768)
      • Gariban.exe (PID: 7884)
      • Gariban.exe (PID: 3076)
    • Create files in a temporary directory

      • csc.exe (PID: 7192)
      • cvtres.exe (PID: 4816)
      • csc.exe (PID: 5616)
      • cvtres.exe (PID: 420)
    • The executable file from the user directory is run by the Powershell process

      • Gariban.exe (PID: 7884)
    • Manual execution by a user

      • Gariban.exe (PID: 3076)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 211
Monitored processes: 78
Malicious processes: 6
Suspicious processes: 8

Behavior graph

Process start order, flattened from the interactive graph. Processes the graph marked "no specs" carried no indicators of their own; only gariban.exe, csc.exe and some chrome.exe instances did.

chrome.exe (many instances: the browser session that fetched the archive), winrar.exe, gariban.exe, conhost.exe, chrome.exe, gariban.exe, conhost.exe, chrome.exe, cmd.exe, reg.exe, cmd.exe, powershell.exe, csc.exe, cvtres.exe, cmd.exe, net.exe, net1.exe, cmd.exe, powershell.exe, gariban.exe, conhost.exe, cmd.exe, reg.exe, cmd.exe, powershell.exe, csc.exe, cvtres.exe, cmd.exe, net.exe, net1.exe, cmd.exe, cmd.exe, cmd.exe, taskkill.exe, cmd.exe, cmd.exe, taskkill.exe, cmd.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, cmd.exe, cmd.exe, cmd.exe, taskkill.exe, cmd.exe, taskkill.exe, taskkill.exe, taskkill.exe

Process information

Fields per entry: PID, CMD, Path, Indicators, Parent process
PID: 420
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES92F0.tmp" "c:\Users\admin\AppData\Local\Temp\fdswn4g0\CSC261A34C4A0654F6BAF6ECCF27BAEF1CF.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Exit code: 0 | Version: 14.32.31326.0
Description: Microsoft® Resource File To COFF Object Conversion Utility
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 680
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5696,i,5271941006849979993,18422083950600277836,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5668 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin | Company: Google LLC | Integrity Level: MEDIUM | Exit code: 0 | Version: 133.0.6943.127
Description: Google Chrome
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 800
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: Gariban.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Description: Windows Command Processor
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1032
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=5600,i,5271941006849979993,18422083950600277836,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=4080 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin | Company: Google LLC | Integrity Level: LOW | Exit code: 0 | Version: 133.0.6943.127
Description: Google Chrome
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1132
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5271941006849979993,18422083950600277836,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=3184 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin | Company: Google LLC | Integrity Level: LOW | Exit code: 1 | Version: 133.0.6943.127
Description: Google Chrome
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1164
CMD: net session
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Exit code: 2 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Description: Net Command
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1352
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,5271941006849979993,18422083950600277836,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=3312 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin | Company: Google LLC | Integrity Level: LOW | Exit code: 1 | Version: 133.0.6943.127
Description: Google Chrome
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1684
CMD: Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2120
CMD: taskkill /F /IM discordptb.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Exit code: 128 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Description: Terminates Processes
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2216
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Gariban.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Description: Console Window Host
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
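The signature list above and the command lines in this table describe one chain: Gariban.exe starts cmd.exe with /d /s /c, which runs powershell.exe with -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded; PowerShell compiles C# through csc.exe (cvtres.exe is csc's child and both drop executables into the user's Temp); net session is run from cmd.exe and its MEDIUM-integrity net.exe exits with code 2, which is consistent with the caller not being elevated; and taskkill /F /IM is used against chrome.exe and discordptb.exe (taskkill's exit code 128 means the named process was not running in the sandbox). The script below is an added example, not part of the ANY.RUN report or of the sample: it runs a detection rule for each of those steps over constructed process-creation events modelled on this table and decodes the -Encoded argument (base64 of UTF-16LE). The csc.exe command line and parent, the Desktop path for Gariban.exe and the stand-in script inside the encoded argument are constructed, because the report excerpt reproduces none of them; the handling of -e, -enc and -Encoded as abbreviations of -EncodedCommand is PowerShell's documented parameter-prefix behaviour.

```python
"""Triage process-creation events for the chain this report lists:
cmd.exe /d /s /c -> encoded PowerShell with -ExecutionPolicy Bypass -> csc.exe,
plus the `net session` elevation check and taskkill against browsers and Discord."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, -Encoded, ...),
# so match every prefix, longest first. -ExecutionPolicy starts with "-ex" and is not one of them.
_ENC_FLAG = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
_ENC_RE = re.compile(rf"(?:^|\s)-(?:{_ENC_FLAG})\s+([A-Za-z0-9+/=]+)", re.I)
_EP_BYPASS_RE = re.compile(r"(?:^|\s)-(?:ex\w*|ep)\s+bypass\b", re.I)
_TASKKILL_RE = re.compile(r'taskkill\b.*?/IM\s+([^\s"]+)', re.I)
# Processes a stealer terminates so the browser/messenger profile databases are no longer locked.
BROWSER_AND_MESSENGER = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
                         "discord.exe", "discordptb.exe", "discordcanary.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def classify(event: dict) -> list:
    """Rule names a single process-creation event triggers."""
    name = image_name(event["image"])
    parent = image_name(event["parent_image"])
    cmd = event["cmdline"]
    low = cmd.lower()
    hits = []
    # cmd.exe /d (skip AutoRun) /s (quote handling) /c: the wrapper every child here is started with
    if name == "cmd.exe" and all(re.search(rf"\s/{sw}\s", low) for sw in ("d", "s", "c")):
        hits.append("cmd_d_s_c_wrapper")
    if "powershell" in low and _ENC_RE.search(cmd):
        hits.append("encoded_powershell")
    if "powershell" in low and _EP_BYPASS_RE.search(cmd):
        hits.append("execution_policy_bypass")
    if name == "csc.exe" and parent == "powershell.exe":
        hits.append("csc_spawned_by_powershell")     # Add-Type compiling C# at run time
    if name == "net.exe" and re.search(r"\bsession\b", low):
        hits.append("net_session_admin_check")       # fails (exit code 2) when not elevated
    m = _TASKKILL_RE.search(cmd)
    if m and m.group(1).lower() in BROWSER_AND_MESSENGER:
        hits.append("taskkill_browser_or_messenger")
    return hits


def triage(events):
    """(pid, rule) for every rule fired by every event, in event order."""
    return [(ev["pid"], rule) for ev in events for rule in classify(ev)]


# Constructed sample events modelled on the Process information table. The stand-in script
# replaces the encoded payload the report excerpt does not reproduce; the csc.exe command line
# and the Desktop path of Gariban.exe are assumptions.
SAMPLE_SCRIPT = "Add-Type -TypeDefinition $src"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
_PS = "Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded " + SAMPLE_B64
SAMPLE_EVENTS = [
    {"pid": 7304, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\admin\Desktop\Gariban.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /s /c "' + _PS + '"'},
    {"pid": 1684, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": _PS},
    {"pid": 7192, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\fdswn4g0\fdswn4g0.cmdline"'},
    {"pid": 1164, "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net session"},
    {"pid": 800, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\admin\Desktop\Gariban.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"'},
    {"pid": 2120, "image": r"C:\Windows\System32\taskkill.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "taskkill /F /IM discordptb.exe"},
    {"pid": 6060, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US'},
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[1]["cmdline"]))
```

Matching the abbreviated forms of -EncodedCommand matters because -ExecutionPolicy also begins with -e; anchoring on the whitespace after the flag is what keeps "Bypass" from being fed to the base64 decoder. The csc.exe-under-powershell and taskkill-against-browser rules are the two least likely to fire on administration scripts; the cmd /d /s /c wrapper on its own appears in benign automation as well and is better used as context for the other hits than as an alert by itself.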
Total events: 19 286 | Read events: 19 262 | Write events: 11 | Delete events: 13

Modification events

(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Downloads\Gariban.7z
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 15
(PID) Process: (8028) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 14
Executable files: 14 | Suspicious files: 105 | Text files: 826 | Unknown types: 0

Dropped files

PID | Process | Filename (the hash and type columns are empty for these entries)
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFe02ab.TMP
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFe02ab.TMP
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old~RFe02bb.TMP
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFe02bb.TMP
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFe02bb.TMP
2676 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 61 | TCP/UDP connections: 49 | DNS requests: 47 | Threats: 4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 960 b | whitelisted
- | - | GET | 200 | 23.11.40.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | NL | binary | 314 b | whitelisted
6060 | chrome.exe | GET | 200 | 142.251.20.95:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | US | binary | 41 b | whitelisted
6060 | chrome.exe | POST | 200 | 142.251.127.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | US | text | 17 b | whitelisted
6060 | chrome.exe | GET | 302 | 162.125.66.18:443 | https://www.dropbox.com/scl/fi/v1xqg7ipje0m3ciyi50wp/Gariban.7z?rlkey=bukhnunpaz1f05iufy66dyxog&st=o9a5a5y7&dl=1 | US | - | 17 b | unknown
6060 | chrome.exe | GET | 200 | 142.251.13.94:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133 | US | compressed | 87.9 Kb | whitelisted
6060 | chrome.exe | GET | 200 | 142.251.20.100:80 | http://clients2.google.com/time/1/current?cup2key=8:3IhWMCxTXufJ-C0nhMKdnZ-eRRXGYa9dNd_PSb1kR2c&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 104 b | whitelisted
6060 | chrome.exe | POST | 200 | 216.58.206.35:443 | https://update.googleapis.com/service/update2/json?cup2key=14:FBIqiqISEiD_tkFHp2-TqHv3yg6H2EghIrh1aXRKhL0&cup2hreq=e8b6a2b66d4de128b4c133db20bbfb5adc00174c3858759fe6d3bc2c2b2e0950 | US | text | 289 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4872 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 184.24.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5276 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 128.24.231.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.204.161:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 23.11.40.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted

DNS requests

Domain | IPs | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
crl.microsoft.com | 184.24.77.6, 184.24.77.12, 184.24.77.35, 23.55.110.211, 23.55.110.182 | whitelisted
www.microsoft.com | 23.59.18.102, 23.210.18.103 | whitelisted
activation-v2.sls.microsoft.com | 128.24.231.65 | whitelisted
www.bing.com | 2.16.204.161, 2.16.204.141 | whitelisted
ocsp.digicert.com | 23.11.40.157 | whitelisted
google.com | 142.251.14.138, 142.251.14.139, 142.251.14.101, 142.251.14.100, 142.251.14.102, 142.251.14.113 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
clients2.google.com | 142.251.20.100, 142.251.20.113, 142.251.20.101, 142.251.20.139, 142.251.20.138, 142.251.20.102 | whitelisted
safebrowsingohttpgateway.googleapis.com | 142.251.20.95, 192.178.183.95, 142.251.110.95, 142.250.154.95, 142.251.13.95, 142.251.14.95, 142.251.127.95 | whitelisted

Threats

PID | Process | Class | Message
4872 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
3076 | Gariban.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2232 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7884 | Gariban.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
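The two "Observed Discord Domain (discord .com in TLS SNI)" hits come from the plaintext Server Name Indication in the TLS ClientHello, which is visible even though everything after the handshake is encrypted. The block below is an added example, not part of this report or of the Emerging Threats rule: it builds minimal ClientHello records for a few constructed hostnames, parses the SNI extension with a bounds check on every length field, and matches the name against a watchlist using label-aware suffix matching so that discordapp.com and notdiscord.com are not counted as discord.com. The fixed random bytes, the single cipher suite and the hostnames are sample values, not traffic from the analysis.

```python
"""Extract the TLS Server Name Indication from a ClientHello and match it
against a domain watchlist, the way an SNI-based IDS signature does."""
import struct

WATCHLIST = ("discord.com",)  # registrable domains to flag; extend as needed


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample only: a minimal TLS ClientHello record whose only
    extension is server_name. Field order follows RFC 5246 / RFC 6066."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name + length + name
    sni_ext = struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version, random (fixed bytes, sample only)
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if the bytes are not a
    ClientHello or carry no SNI. Every length is bounds-checked so a truncated or
    hostile record cannot raise."""
    if len(record) < 5 or record[0] != 0x16:             # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                     # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                 # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return None                                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(data) < 2:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= min(list_end, len(data)):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", "replace").lower()
    return None


def matches_watchlist(host, watchlist=WATCHLIST):
    """Label-aware suffix match: gateway.discord.com matches discord.com;
    notdiscord.com and cdn.discordapp.com do not."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(records, watchlist=WATCHLIST):
    """Run both steps over raw TLS records; returns (sni, matched_domain) pairs."""
    hits = []
    for rec in records:
        sni = extract_sni(rec)
        matched = matches_watchlist(sni, watchlist)
        if matched:
            hits.append((sni, matched))
    return hits


# Constructed sample traffic: one ClientHello per host. discordapp.com is a
# different registrable domain and is deliberately not matched by the discord.com entry.
SAMPLE_RECORDS = [build_client_hello(h) for h in
                  ("www.dropbox.com", "discord.com", "cdn.discordapp.com", "gateway.discord.com")]

if __name__ == "__main__":
    for sni, domain in scan(SAMPLE_RECORDS):
        print(f"SNI {sni} matched watchlist entry {domain}")
```

The SNI only tells you which name the client asked for, not what it sent; a stealer contacting discord.com from its own process, as Gariban.exe (PIDs 3076 and 7884) does here, is the point at which to pull the PCAP from the full report rather than stop at the signature. Note also that cdn.discordapp.com and discord.gg are separate registrable domains, so a rule written for discord.com will not fire on them unless they are added to the watchlist.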