URL:

kupabol.com/?s=2hs0420680jrp&q=proof+of+relationship+letter+sample+n

Full analysis: https://app.any.run/tasks/a98e8c19-d1ae-40be-85b3-5dc65a9adf9a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 18, 2025, 11:01:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
obfuscated-js
phishing
loader
rhadamanthys
stealer
auto
generic
Indicators:
MD5:

5D479ECF91B591C621B4538B699C1B6C

SHA1:

DC2F311674ED193B3AD1AD270531B1D45B88C6EE

SHA256:

47EBC2EF1CDCC199A3B2A64B3F9767878AC38125B1F54664D95C06528F136647

SSDEEP:

3:pRpfFI4aKSY4Hij0nIjAk:/pi4BTj0Zk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • chrome.exe (PID: 7268)
    • GENERIC has been found (auto)

      • msiexec.exe (PID: 1748)
    • Actions looks like stealing of personal data

      • launcher.exe (PID: 7664)
      • powershell.exe (PID: 4880)
      • explorer.exe (PID: 8140)
      • msedge.exe (PID: 8204)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4880)
    • RHADAMANTHYS mutex has been found

      • explorer.exe (PID: 8140)
      • svchost.exe (PID: 7900)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Steals credentials from Web Browsers

      • powershell.exe (PID: 4880)
      • msedge.exe (PID: 8204)
    • RHADAMANTHYS has been detected (SURICATA)

      • svchost.exe (PID: 3304)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • explorer.exe (PID: 1760)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1748)
    • Executing commands from a ".bat" file

      • msiexec.exe (PID: 1748)
    • Drops 7-zip archiver for unpacking

      • msiexec.exe (PID: 1748)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 1748)
      • 7z.exe (PID: 8124)
    • The executable file from the user directory is run by the CMD process

      • 7z.exe (PID: 8124)
      • mksSandbox.exe (PID: 6248)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 1748)
    • The process drops C-runtime libraries

      • 7z.exe (PID: 8124)
    • Executable content was dropped or overwritten

      • 7z.exe (PID: 8124)
    • Starts POWERSHELL.EXE for commands execution

      • explorer.exe (PID: 8140)
    • Base64-obfuscated command line is found

      • explorer.exe (PID: 8140)
    • BASE64 encoded PowerShell command has been detected

      • explorer.exe (PID: 8140)
    • Executes application which crashes

      • explorer.exe (PID: 8140)
      • mksSandbox.exe (PID: 6248)
    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 7900)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Connects to unusual port

      • svchost.exe (PID: 7900)
      • svchost.exe (PID: 3304)
    • Reads security settings of Internet Explorer

      • launcher.exe (PID: 7664)
      • ShellExperienceHost.exe (PID: 7220)
      • msiexec.exe (PID: 968)
      • msedge.exe (PID: 8204)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Application launched itself

      • chrome.exe (PID: 7576)
      • chrome.exe (PID: 900)
      • msedge.exe (PID: 8204)
    • There is functionality for taking screenshot (YARA)

      • launcher.exe (PID: 7664)
    • Searches for installed software

      • svchost.exe (PID: 3304)
    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 3304)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4880)
  • INFO

    • Connects to unusual port

      • chrome.exe (PID: 7268)
      • chrome.exe (PID: 2852)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8028)
      • BackgroundTransferHost.exe (PID: 5964)
      • BackgroundTransferHost.exe (PID: 7944)
      • BackgroundTransferHost.exe (PID: 4988)
      • BackgroundTransferHost.exe (PID: 1096)
      • explorer.exe (PID: 1760)
      • explorer.exe (PID: 8140)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 5964)
      • msiexec.exe (PID: 968)
      • explorer.exe (PID: 8140)
      • chrome.exe (PID: 7576)
      • msedge.exe (PID: 8204)
      • chrome.exe (PID: 900)
    • Execution of CURL command

      • cmd.exe (PID: 2740)
    • Reads the computer name

      • curl.exe (PID: 8000)
      • msiexec.exe (PID: 1748)
      • msiexec.exe (PID: 968)
      • launcher.exe (PID: 7664)
      • 7z.exe (PID: 8124)
      • ShellExperienceHost.exe (PID: 7220)
      • chrome.exe (PID: 7576)
      • chrome.exe (PID: 900)
      • msedge.exe (PID: 8204)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 5964)
      • msiexec.exe (PID: 968)
      • explorer.exe (PID: 8140)
      • slui.exe (PID: 1300)
    • Manual execution by a user

      • cmd.exe (PID: 2740)
      • svchost.exe (PID: 7900)
      • svchost.exe (PID: 3304)
      • notepad.exe (PID: 8808)
    • Checks supported languages

      • curl.exe (PID: 8000)
      • msiexec.exe (PID: 968)
      • launcher.exe (PID: 7664)
      • 7z.exe (PID: 8124)
      • mksSandbox.exe (PID: 6248)
      • msiexec.exe (PID: 1748)
      • ShellExperienceHost.exe (PID: 7220)
      • chrome.exe (PID: 7576)
      • msedge.exe (PID: 8204)
      • chrome.exe (PID: 900)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 1760)
    • Application launched itself

      • chrome.exe (PID: 496)
      • chrome.exe (PID: 2148)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1748)
      • chrome.exe (PID: 7980)
      • chrome.exe (PID: 4976)
    • Reads Environment values

      • msiexec.exe (PID: 968)
      • chrome.exe (PID: 7576)
      • msedge.exe (PID: 8204)
      • chrome.exe (PID: 900)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 968)
      • chrome.exe (PID: 7576)
      • chrome.exe (PID: 900)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1748)
      • BackgroundTransferHost.exe (PID: 5964)
      • launcher.exe (PID: 7664)
      • 7z.exe (PID: 8124)
      • explorer.exe (PID: 8140)
      • msiexec.exe (PID: 968)
    • The sample compiled with german language support

      • msiexec.exe (PID: 1748)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1748)
    • The sample compiled with english language support

      • msiexec.exe (PID: 1748)
      • 7z.exe (PID: 8124)
      • chrome.exe (PID: 7980)
      • chrome.exe (PID: 4976)
    • Reads CPU info

      • launcher.exe (PID: 7664)
    • The sample compiled with japanese language support

      • msiexec.exe (PID: 1748)
    • Create files in a temporary directory

      • explorer.exe (PID: 8140)
      • svchost.exe (PID: 3304)
      • chrome.exe (PID: 7576)
      • msedge.exe (PID: 8204)
      • chrome.exe (PID: 900)
    • Disables trace logs

      • powershell.exe (PID: 4880)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4880)
    • Process checks computer location settings

      • chrome.exe (PID: 7576)
      • msedge.exe (PID: 8204)
    • Process checks whether UAC notifications are on

      • msedge.exe (PID: 8204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
275
Monitored processes
123
Malicious processes
13
Suspicious processes
1

Behavior graph

start chrome.exe chrome.exe no specs chrome.exe no specs #PHISHING chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs sppextcomobj.exe no specs slui.exe chrome.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs conhost.exe no specs curl.exe explorer.exe no specs explorer.exe no specs rundll32.exe no specs slui.exe msiexec.exe no specs #GENERIC msiexec.exe msiexec.exe cmd.exe no specs launcher.exe conhost.exe no specs 7z.exe mkssandbox.exe #RHADAMANTHYS explorer.exe werfault.exe no specs chrome.exe powershell.exe conhost.exe no specs #RHADAMANTHYS svchost.exe werfault.exe no specs werfault.exe no specs werfault.exe no specs #RHADAMANTHYS svchost.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs shellexperiencehost.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe 
no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs notepad.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
496
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "kupabol.com/?s=2hs0420680jrp&q=proof+of+relationship+letter+sample+n"
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
4294967295
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
900
CMD:
--user-data-dir="C:\Users\admin\AppData\Local\Temp\chr79ED.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/ae5717a1/03a0677f"
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
svchost.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
968
CMD:
C:\Windows\syswow64\MsiExec.exe -Embedding 7AAC3D766F5B150E886BC2BA7AD63C6A
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1088
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4716 --field-trial-handle=1960,i,2905794125301962554,8140520972240735337,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1096
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
1188
CMD:
C:\WINDOWS\system32\WerFault.exe -u -p 6248 -s 552
Path:
C:\Windows\System32\WerFault.exe
Parent process:
mksSandbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID:
1300
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1748
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1760
CMD:
C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path:
C:\Windows\explorer.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
2148
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
powershell.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
60 896
Read events
60 603
Write events
275
Delete events
18

Modification events

Process: (496) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (496) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

Process: (496) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

Process: (496) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

Process: (496) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

Process: (8028) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (8028) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (8028) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (5964) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (5964) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files
56
Suspicious files
678
Text files
302
Unknown types
0

Dropped files

PID
Process
Filename
Type
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10d071.TMP
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF10d071.TMP
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF10d081.TMP
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF10d081.TMP
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF10d090.TMP
MD5:
SHA256:
496 chrome.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
141
DNS requests
157
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2924
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6148
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
1240
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6148
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3896
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6148
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
6148
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
6148
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
496
chrome.exe
239.255.255.250:1900
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7268
chrome.exe
108.177.96.84:443
accounts.google.com
GOOGLE
US
whitelisted
7268
chrome.exe
104.21.80.134:443
kupabol.com
CLOUDFLARENET
unknown
7268
chrome.exe
188.114.96.3:443
yfyfx.ext-jscdn.com
CLOUDFLARENET
NL
unknown
6544
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7268
chrome.exe
216.58.206.67:443
www.gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
kupabol.com
  • 104.21.80.134
  • 172.67.183.125
unknown
client.wns.windows.com
  • 40.113.103.199
whitelisted
accounts.google.com
  • 108.177.96.84
  • 74.125.133.84
whitelisted
yfyfx.ext-jscdn.com
  • 188.114.96.3
  • 188.114.97.3
unknown
login.live.com
  • 20.190.160.20
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.65
  • 20.190.160.131
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
www.gstatic.com
  • 216.58.206.67
  • 172.217.18.3
whitelisted
a.nel.cloudflare.com
  • 35.190.80.1
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
android.clients.google.com
  • 142.250.186.142
  • 172.217.16.206
  • 142.250.181.238
  • 142.250.186.174
  • 172.217.16.142
  • 216.58.212.174
  • 142.250.184.238
  • 142.250.186.78
  • 142.250.186.46
  • 216.58.206.78
  • 216.58.206.46
  • 172.217.18.110
  • 172.217.18.14
  • 142.250.74.206
  • 142.250.184.206
  • 142.250.186.110
  • 142.250.185.174
  • 172.217.23.110
  • 142.250.185.110
  • 142.250.185.206
  • 142.250.185.142
  • 142.250.185.238
  • 142.250.185.78
whitelisted

Threats

PID
Process
Class
Message
7268
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7268
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7268
chrome.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .zofufivuko .com)
7268
chrome.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .zofufivuko .com)
7268
chrome.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .zofufivuko .com)
7268
chrome.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .zofufivuko .com)
7268
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
7268
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
7268
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7268
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
No debug info