URL:

https://157.150.167.72.host.secureserver.net/?fWtYpOhChN=

Full analysis: https://app.any.run/tasks/d04b87ae-63b3-4898-8b2e-e3e76af94af6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 28, 2025, 10:36:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
casbaneiro
loader
Indicators:
MD5:

D1F45352A61E5349B10F62FEA58B8E0D

SHA1:

F9BAA805DF3E4BBBA3A39F1DB9FACEDF33A6CF16

SHA256:

3EFDBBE900033D14E2AD2C76F22B7A47D36C2C761F207DC9C3B7A40D6C54572C

SSDEEP:

3:N874UQA5XWAGQDAX14R8VBGn:2MUvlHGQcXGeBGn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CASBANEIRO has been detected

      • cmd.exe (PID: 7928)
      • cmd.exe (PID: 8084)

    • Accesses name of a computer manufacturer via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses BIOS(Win32_BIOS, may evade sandboxes) via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 8188)

    • Gets script object from HTTP/HTTPS (SCRIPT)

      • wscript.exe (PID: 8188)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 4540)
      • cmd.exe (PID: 7928)
      • cmd.exe (PID: 8084)
      • cmd.exe (PID: 7584)

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 7928)
      • cmd.exe (PID: 8084)
      • cmd.exe (PID: 7584)
      • cmd.exe (PID: 8020)
      • wscript.exe (PID: 8188)

    • Application launched itself

      • cmd.exe (PID: 7928)
      • cmd.exe (PID: 8084)
      • cmd.exe (PID: 7584)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4672)

    • The process executes VB scripts

      • cmd.exe (PID: 8020)

    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses domain name via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Access Product Name via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Gets computer name (SCRIPT)

      • wscript.exe (PID: 8188)

    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses language version of the operating system installed via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses operating system name via WMI (SCRIPT)

      • wscript.exe (PID: 8188)

    • Accesses WMI object caption (SCRIPT)

      • wscript.exe (PID: 8188)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 7956)

    • Application launched itself

      • msedge.exe (PID: 2796)

    • Checks proxy server information

      • mshta.exe (PID: 4540)
      • wscript.exe (PID: 8188)

    • Reads the computer name

      • identity_helper.exe (PID: 7956)

    • Reads Environment values

      • identity_helper.exe (PID: 7956)

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 4672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
28
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs mshta.exe no specs #CASBANEIRO cmd.exe no specs conhost.exe no specs cmd.exe no specs #CASBANEIRO cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2076"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2352,i,16339722446577644810,2122161567935881155,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
2796"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://157.150.167.72.host.secureserver.net/?fWtYpOhChN="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\windows\system32\capauthz.dll
c:\windows\system32\windows.staterepositorycore.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\windows.applicationmodel.dll
c:\windows\system32\appxdeploymentclient.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\windows.ui.appdefaults.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\virtdisk.dll
4540"C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa4672.43865\Archivo-jsrVAemt-28012025103650.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} C:\Windows\SysWOW64\mshta.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
4672"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Archivo-jsrVAemt-28012025103650.zip"C:\Program Files\WinRAR\WinRAR.exemsedge.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6208"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7ff817bc5fd8,0x7ff817bc5fe4,0x7ff817bc5ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
6424"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2504 --field-trial-handle=2352,i,16339722446577644810,2122161567935881155,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
6856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4204 --field-trial-handle=2352,i,16339722446577644810,2122161567935881155,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
6924"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6796 --field-trial-handle=2352,i,16339722446577644810,2122161567935881155,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7064"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7460 --field-trial-handle=2352,i,16339722446577644810,2122161567935881155,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7164"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7636 --field-trial-handle=2352,i,16339722446577644810,2122161567935881155,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 386
Read events
6 364
Write events
22
Delete events
0

Modification events

(PID) Process:(2796) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process:(2796) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation:writeName:Enabled
Value:
0
(PID) Process:(2796) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation:writeName:EnhancedLinkOpeningDefault
Value:
Default
(PID) Process:(2796) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328386
Operation:writeName:WindowTabManagerFileMappingId
Value:
{7B59F339-2A84-4D92-BF47-97BFCF474F6C}
(PID) Process:(2796) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids
Operation:writeName:WinRAR.ZIP
Value:
(PID) Process:(4672) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4672) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4672) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4672) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\Archivo-jsrVAemt-28012025103650.zip
(PID) Process:(4672) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
Executable files
6
Suspicious files
78
Text files
31
Unknown types
0

Dropped files

PID
Process
Filename
Type
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13712c.TMP
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF13713b.TMP
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF13713b.TMP
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13713b.TMP
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13713b.TMP
MD5:
SHA256:
2796msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
53
DNS requests
46
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3988
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3988
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8188
wscript.exe
GET
200
2.16.252.233:80
http://x1.c.lencr.org/
unknown
whitelisted
8188
wscript.exe
GET
200
2.23.82.9:80
http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEgOb%2BTeAoXK0Qyg22Lck4Iuyaw%3D%3D
unknown
whitelisted
7496
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
13.107.246.44:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
72.167.150.157:443
157.150.167.72.host.secureserver.net
AS-26496-GO-DADDY-COM-LLC
US
whitelisted
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.19.126.143:443
bzib.nelreports.net
Akamai International B.V.
DE
whitelisted
2.21.65.153:443
www.bing.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
whitelisted
157.150.167.72.host.secureserver.net
  • 72.167.150.157
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.44
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.19.126.143
  • 2.19.126.145
whitelisted
www.bing.com
  • 2.21.65.153
  • 2.21.65.132
  • 2.21.65.154
whitelisted
xpaywalletcdn.azureedge.net
  • 13.107.246.44
whitelisted
update.googleapis.com
  • 142.250.185.131
whitelisted
edgeservices.bing.com
  • 2.21.65.132
  • 2.21.65.154
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://157.150.167.72.host.secureserver.net/?fWtYpOhChN=