Malware analysis https://krnl.vip/ Malicious activity

Add for printing

URL:	https://krnl.vip/
Full analysis:	https://app.any.run/tasks/c2799620-c373-4140-aa6f-acc08eff444e
Verdict:	Malicious activity
Analysis date:	February 15, 2025, 04:13:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MD5:	EEF9303CC63CAFF14A1A8CA2730D013B
SHA1:	94DDEC8B83DD9A472401C6B3F6AE802D1A77990B
SHA256:	58931F25D2CC31124813B91D1F6F094CCAD6522E478FE62C6B3A44FD0AC4C495
SSDEEP:	3:N8S9T:2S9T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 4320)
- Changes the autorun value in the registry
  - MicrosoftEdgeUpdate.exe (PID: 7040)
SUSPICIOUS
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 2160)
- Executes as Windows Service
  - VSSVC.exe (PID: 396)
- Manipulates environment variables
  - powershell.exe (PID: 4320)
- Starts process via Powershell
  - powershell.exe (PID: 4320)
- Downloads file from URI via Powershell
  - powershell.exe (PID: 4320)
- Starts POWERSHELL.EXE for commands execution
  - msiexec.exe (PID: 2160)
- The process bypasses the loading of PowerShell profile settings
  - msiexec.exe (PID: 2160)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 4320)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeUpdate.exe (PID: 7040)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 4320)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
  - MicrosoftEdgeUpdate.exe (PID: 7040)
- Process drops legitimate windows executable
  - powershell.exe (PID: 4320)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
  - MicrosoftEdgeUpdate.exe (PID: 7040)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 7040)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3532)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1888)
  - MicrosoftEdgeUpdate.exe (PID: 7084)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1400)
- Reads security settings of Internet Explorer
  - MicrosoftEdgeUpdate.exe (PID: 7040)
INFO
- Reads Microsoft Office registry keys
  - chrome.exe (PID: 6256)
- Manages system restore points
  - SrTasks.exe (PID: 5080)
- Checks supported languages
  - msiexec.exe (PID: 2160)
  - msiexec.exe (PID: 2076)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
  - MicrosoftEdgeUpdate.exe (PID: 7040)
  - MicrosoftEdgeUpdate.exe (PID: 7084)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1400)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3532)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1888)
  - MicrosoftEdgeUpdate.exe (PID: 5920)
  - MicrosoftEdgeUpdate.exe (PID: 7188)
  - MicrosoftEdgeUpdate.exe (PID: 7044)
- Reads the computer name
  - msiexec.exe (PID: 2076)
  - msiexec.exe (PID: 2160)
  - MicrosoftEdgeUpdate.exe (PID: 7040)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1400)
  - MicrosoftEdgeUpdate.exe (PID: 7084)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3532)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1888)
  - MicrosoftEdgeUpdate.exe (PID: 5920)
  - MicrosoftEdgeUpdate.exe (PID: 7044)
  - MicrosoftEdgeUpdate.exe (PID: 7188)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 7120)
  - msiexec.exe (PID: 2160)
- Application launched itself
  - chrome.exe (PID: 6256)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2160)
- Disables trace logs
  - powershell.exe (PID: 4320)
- The sample compiled with english language support
  - powershell.exe (PID: 4320)
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
  - MicrosoftEdgeUpdate.exe (PID: 7040)
- The executable file from the user directory is run by the Powershell process
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
- Create files in a temporary directory
  - MicrosoftEdgeWebview2Setup.exe (PID: 4640)
  - MicrosoftEdgeUpdate.exe (PID: 7040)
- Checks proxy server information
  - powershell.exe (PID: 4320)
  - MicrosoftEdgeUpdate.exe (PID: 5920)
  - MicrosoftEdgeUpdate.exe (PID: 7188)
- Reads Environment values
  - MicrosoftEdgeUpdate.exe (PID: 5920)
- Creates files or folders in the user directory
  - MicrosoftEdgeUpdate.exe (PID: 7040)
- Reads the software policy settings
  - MicrosoftEdgeUpdate.exe (PID: 5920)
  - MicrosoftEdgeUpdate.exe (PID: 7188)
- Process checks computer location settings
  - MicrosoftEdgeUpdate.exe (PID: 7040)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

162

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

396

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1400

"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update COM Registration Helper

Exit code:

Version:

1.3.195.43

Modules

Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1668

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4476 --field-trial-handle=1936,i,14932118017790097142,6655978348636342536,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1804

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4488 --field-trial-handle=1936,i,14932118017790097142,6655978348636342536,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1888

"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update COM Registration Helper

Exit code:

Version:

1.3.195.43

Modules

Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

2076

C:\Windows\syswow64\MsiExec.exe -Embedding D96C0BD78A60F7925F096839A81AA7C4 C

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2160

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3532

"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update COM Registration Helper

Exit code:

Version:

1.3.195.43

Modules

Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

4320

powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

4520

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5716 --field-trial-handle=1936,i,14932118017790097142,6655978348636342536,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

15 303

Read events

14 674

Write events

586

Delete events

Modification events


(PID) Process:	(6256) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6256) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(6256) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6256) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6256) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1804) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000ED43F106607FDB01
(PID) Process:	(6256) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation:	write	Name:	Msi.Package
Value:
(PID) Process:	(2160) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000000B54580D607FDB0170080000D4150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2160) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000004405580D607FDB0170080000D4150000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2160) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000370AA70D607FDB0170080000D4150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

204

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF134b06.TMP		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF134b06.TMP		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF134b16.TMP		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF134b16.TMP		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF134b25.TMP		—
		MD5:—	SHA256:—
6256	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5064	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5576	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5576	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7276	svchost.exe	HEAD	200	217.20.57.35:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/af8e5f2c-8b7f-478f-8f6c-f1dc567e0d65?P1=1740197672&P2=404&P3=2&P4=N0J6rT%2fWMMdJMEYVOhZ74Xos5%2fE2kzDSBmZiYq%2fHrN2etXGvbvmSEeOIQHtVRdvg5KC4L3zLjOxawcYlSL8mdQ%3d%3d	unknown	—	—	whitelisted
7004	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7276	svchost.exe	GET	—	217.20.57.35:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/af8e5f2c-8b7f-478f-8f6c-f1dc567e0d65?P1=1740197672&P2=404&P3=2&P4=N0J6rT%2fWMMdJMEYVOhZ74Xos5%2fE2kzDSBmZiYq%2fHrN2etXGvbvmSEeOIQHtVRdvg5KC4L3zLjOxawcYlSL8mdQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2132	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6552	chrome.exe	104.21.46.75:443	krnl.vip	CLOUDFLARENET	—	suspicious
6256	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6552	chrome.exe	142.250.145.84:443	accounts.google.com	GOOGLE	US	whitelisted
6552	chrome.exe	142.250.185.106:443	fonts.googleapis.com	GOOGLE	US	whitelisted
6552	chrome.exe	142.250.185.195:443	fonts.gstatic.com	GOOGLE	US	whitelisted
6552	chrome.exe	142.250.185.226:443	pagead2.googlesyndication.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
krnl.vip	104.21.46.75 172.67.136.103	unknown
accounts.google.com	142.250.145.84	whitelisted
fonts.googleapis.com	142.250.185.106	whitelisted
fonts.gstatic.com	142.250.185.195	whitelisted
pagead2.googlesyndication.com	142.250.185.226	whitelisted
googleads.g.doubleclick.net	172.217.18.98	whitelisted
www.googletagmanager.com	172.217.16.200	whitelisted
content-autofill.googleapis.com	216.58.212.138 142.250.185.106 142.250.185.202 142.250.185.234 172.217.18.10 142.250.186.138 142.250.185.138 142.250.186.106 142.250.186.42 142.250.185.74 142.250.184.234 142.250.185.170 172.217.16.138 142.250.186.170 142.250.186.74 142.250.184.202	whitelisted
region1.google-analytics.com	216.239.32.36 216.239.34.36	whitelisted

Threats

PID	Process	Class	Message
7276	svchost.exe	Misc activity	ET INFO Packed Executable Download

Add for printing

No debug info

General Info

https://krnl.vip/

EEF9303CC63CAFF14A1A8CA2730D013B

94DDEC8B83DD9A472401C6B3F6AE802D1A77990B

58931F25D2CC31124813B91D1F6F094CCAD6522E478FE62C6B3A44FD0AC4C495

3:N8S9T:2S9T

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Changes the autorun value in the registry

SUSPICIOUS

Reads the Windows owner or organization settings

Executes as Windows Service

Manipulates environment variables

Starts process via Powershell

Downloads file from URI via Powershell

Starts POWERSHELL.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Gets or sets the security protocol (POWERSHELL)

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Process drops legitimate windows executable

Starts itself from another location

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

INFO

Reads Microsoft Office registry keys

Manages system restore points

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

Application launched itself

Creates a software uninstall entry

Disables trace logs

The sample compiled with english language support

The executable file from the user directory is run by the Powershell process

Create files in a temporary directory

Checks proxy server information

Reads Environment values

Creates files or folders in the user directory

Reads the software policy settings

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections