File name: Purchase_Order.Tar

Full analysis: https://app.any.run/tasks/46606c79-a426-4cff-90e3-04abcdfdff94
Verdict: Malicious activity
Threats:

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Analysis date: February 11, 2024, 07:15:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
dbatloader
formbook
xloader
stealer
spyware
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 093389E2241D09DC50661B02204D1F67
SHA1: 94F07ACAA3BF4AD44A8ACEE0DB1AF86094B3DCC8
SHA256: 5F24B1097A00C529B41E99D0BB108EEAA12A4EA99A4AF8576460435C9B42C4B3
SSDEEP: 49152:kGp7Oigws+JHFoRG1Ir6ilc9kksPCezng5dkOLQGsD66pSDWMH5e6CopN4gW5F/6:VtFr1cln3PCUCdJQGsDLoW+5xFujE4A3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DBATLOADER has been detected (YARA)

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Drops the executable file immediately after the start

      • pointer.com (PID: 1040)
    • Actions look like stealing of personal data

      • colorcpl.exe (PID: 2592)
    • FORMBOOK has been detected (YARA)

      • colorcpl.exe (PID: 2592)
    • Connects to the CnC server

      • explorer.exe (PID: 1164)
    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 1164)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3864)
    • Reads the Internet Settings

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • colorcpl.exe (PID: 2592)
      • rundll32.exe (PID: 2504)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Application launched itself

      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 2860)
      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 1236)
    • Starts CMD.EXE for command execution

      • WinRAR.exe (PID: 3864)
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 2860)
      • pointer.com (PID: 1040)
      • cmd.exe (PID: 1348)
      • pointer.com (PID: 1644)
      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 1236)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3864)
      • pointer.com (PID: 1040)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 3772)
      • certutil.exe (PID: 3660)
      • cmd.exe (PID: 4000)
      • certutil.exe (PID: 4004)
      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 2832)
      • xzdfhdfY.pif (PID: 2488)
      • pointer.com (PID: 1644)
      • xzdfhdfY.pif (PID: 2972)
      • certutil.exe (PID: 4000)
      • cmd.exe (PID: 2648)
      • cmd.exe (PID: 2100)
      • certutil.exe (PID: 2732)
      • cmd.exe (PID: 3560)
      • pointer.com (PID: 1040)
      • cmd.exe (PID: 2332)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
      • cmd.exe (PID: 2168)
      • xzdfhdfY.pif (PID: 3448)
      • xzdfhdfY.pif (PID: 1644)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 2860)
      • cmd.exe (PID: 1236)
      • cmd.exe (PID: 3736)
    • Reads settings of System Certificates

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Executable content was dropped or overwritten

      • pointer.com (PID: 1040)
      • xcopy.exe (PID: 2152)
      • xcopy.exe (PID: 848)
      • certutil.exe (PID: 3660)
      • certutil.exe (PID: 4000)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2292)
      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 2964)
      • cmd.exe (PID: 2728)
    • Drops a system driver (possible attempt to evade defenses)

      • pointer.com (PID: 1040)
    • Process drops legitimate windows executable

      • pointer.com (PID: 1040)
      • xcopy.exe (PID: 848)
    • Drops a file with a rarely used extension (PIF)

      • pointer.com (PID: 1040)
    • Starts application with an unusual extension

      • pointer.com (PID: 1040)
      • cmd.exe (PID: 2832)
      • pointer.com (PID: 1644)
      • cmd.exe (PID: 2168)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 3560)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 3864)
    • Loads DLL from Mozilla Firefox

      • colorcpl.exe (PID: 2592)
  • INFO

    • Checks proxy server information

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Reads the computer name

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • xzdfhdfY.pif (PID: 2488)
      • xzdfhdfY.pif (PID: 2972)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
      • xzdfhdfY.pif (PID: 3448)
      • xzdfhdfY.pif (PID: 1644)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1164)
    • Drops the executable file immediately after the start

      • certutil.exe (PID: 3660)
      • xcopy.exe (PID: 848)
      • xcopy.exe (PID: 2152)
      • certutil.exe (PID: 4000)
    • Reads the machine GUID from the registry

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Reads the software policy settings

      • pointer.com (PID: 1040)
      • pointer.com (PID: 1644)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1376)
    • Checks supported languages

      • xzdfhdfY.pif (PID: 2488)
      • pointer.com (PID: 1644)
      • xzdfhdfY.pif (PID: 2972)
      • pointer.com (PID: 3724)
      • pointer.com (PID: 1040)
      • pointer.com (PID: 1376)
      • xzdfhdfY.pif (PID: 3448)
      • xzdfhdfY.pif (PID: 1644)
    • Manual execution by a user

      • colorcpl.exe (PID: 2592)
      • raserver.exe (PID: 2560)
    • Creates files or folders in the user directory

      • colorcpl.exe (PID: 2592)
    • Application launched itself

      • msedge.exe (PID: 968)
    • Reads the Internet Settings

      • explorer.exe (PID: 1164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report

DBatLoader

(PID) Process: (1040) pointer.com
C2 (1): https://onedrive.live.com/download?resid=653A5056738F1A02%21143&authkey=!AJ7ivrX4x61Gz-4
(PID) Process: (1644) pointer.com
C2 (1): https://onedrive.live.com/download?resid=653A5056738F1A02%21143&authkey=!AJ7ivrX4x61Gz-4
(PID) Process: (3724) pointer.com
C2 (1): https://onedrive.live.com/download?resid=653A5056738F1A02%21143&authkey=!AJ7ivrX4x61Gz-4
(PID) Process: (1376) pointer.com
C2 (1): https://onedrive.live.com/download?resid=653A5056738F1A02%21143&authkey=!AJ7ivrX4x61Gz-4

Formbook

(PID) Process: (2592) colorcpl.exe
C2: www.938579.top/fd05/
Strings (79):
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64):
rancangrumah.com
liposuction-54947.bond
9smp.studio
tranquilos.club
slknb9x4.shop
huidvh.xyz
59638.bet
611422.cc
gurdwarakaramsar.com
level42data.com
remedydx.com
aagmal.pro
aicertifiedpro.com
reeoumcuoarriron.shop
syrianphotographers.com
findasideproject.com
frontierconnects.co
cliphothomnay.top
vbywehjri3.top
hydrogenwaterbottles.co
beauty-bloom.online
flowautomations.info
odakegitimaraclari.xyz
wtevans.com
szkrp.com
vellagroup.dev
eyelearnfrommasters.com
weeklythepaper.com
meineinfacheslernbuch.com
6224narlingtonblvd.com
mcchoi.art
dreamcarsgiveaway.com
singlesmatchmaker.com
fi11cc65.com
myvapbnc.top
greattechinc.com
elevatece.co
dkswl.uno
lindellbank.top
grandmarinaluxuryresidences.com
sulekirkguzellik.net
4second-life.info
realestaterunnerwyo.com
veripost.net
krypto.uno
angelhues.store
avagedin.site
vadym-shapran.com
lovesummitreplay.com
lvdco.com
primeroch.com
loadsong.site
wozel.vip
kenielacouture.com
transmigrationholdings.com
thenemolabs.com
personal-loans-11122.bond
selochrono.com
lemonadeux.com
hiv0851.com
paternina100jahre.com
screehab.com
procyoninnovations.cloud
coachmindchange.com
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 83
Malicious processes: 16
Suspicious processes: 0

Behavior graph

start winrar.exe no specs cmd.exe no specs cmd.exe no specs certutil.exe cmd.exe no specs ping.exe no specs cmd.exe no specs #DBATLOADER pointer.com cmd.exe no specs cmd.exe no specs cmd.exe no specs certutil.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs xcopy.exe cmd.exe no specs xcopy.exe cmd.exe no specs xcopy.exe no specs cmd.exe no specs xcopy.exe no specs cmd.exe no specs #DBATLOADER pointer.com cmd.exe no specs cmd.exe no specs xzdfhdfy.pif no specs #FORMBOOK colorcpl.exe rundll32.exe no specs cmd.exe no specs xzdfhdfy.pif no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe raserver.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs cmd.exe no specs cmd.exe no specs certutil.exe cmd.exe no specs ping.exe no specs cmd.exe no specs #DBATLOADER pointer.com cmd.exe no specs #FORMBOOK explorer.exe msedge.exe no specs msedge.exe no specs cmd.exe no specs cmd.exe no specs certutil.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs #DBATLOADER pointer.com cmd.exe no specs cmd.exe no specs xzdfhdfy.pif no specs autochk.exe no specs spoolsv.exe no specs cmd.exe no specs xzdfhdfy.pif no specs rdpclip.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 268
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3224 --field-trial-handle=1372,i,4353460111254510921,5022922702425074029,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 324
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1580 --field-trial-handle=1372,i,4353460111254510921,5022922702425074029,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 748
CMD: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 764
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1308 --field-trial-handle=1372,i,4353460111254510921,5022922702425074029,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 848
CMD: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 968
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?LinkId=57426&Ext=4rs
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1020
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1372,i,4353460111254510921,5022922702425074029,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1036
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1372,i,4353460111254510921,5022922702425074029,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: C:\Users\Public\pointer.com
Path: C:\Users\Public\pointer.com
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\public\pointer.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
DBatLoader
(PID) Process: (1040) pointer.com
C2 (1): https://onedrive.live.com/download?resid=653A5056738F1A02%21143&authkey=!AJ7ivrX4x61Gz-4
PID: 1164
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 28 120
Read events: 27 871
Write events: 195
Delete events: 54

Modification events

(PID) Process: (1164) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Purchase_Order.Tar.rar

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 11
Suspicious files: 38
Text files: 41
Unknown types: 67

Dropped files

PID
Process
Filename
Type
PID: 3864 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.23472\Purchase_Order.bat | Type: text
MD5: 80041429B667D63A95A6DAEA0811C709
SHA256: 63BC1A678B12904E176BD25551238D0E2FE91CCADBBAFF7B77577C995A85C88E

PID: 3660 | Process: certutil.exe | Filename: C:\Users\Public\pointer.com | Type: executable
MD5: 6CB3D9A12002C27E8DF8EC3316DDA075
SHA256: 1BFB2A750022169E269B020C3C3ED7994644AC8257039EBDC8DF0271D861FBFF

PID: 3864 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.24777\Purchase_Order.bat | Type: text
MD5: 80041429B667D63A95A6DAEA0811C709
SHA256: 63BC1A678B12904E176BD25551238D0E2FE91CCADBBAFF7B77577C995A85C88E

PID: 1040 | Process: pointer.com | Filename: C:\Users\Public\Libraries\easinvoker.exe | Type: executable
MD5: 231CE1E1D7D98B44371FFFF407D68B59
SHA256: 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96

PID: 968 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations | Type: binary
MD5: 961E3604F228B0D10541EBF921500C86
SHA256: F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED

PID: 2592 | Process: colorcpl.exe | Filename: C:\Users\admin\AppData\Roaming\O81B91AT\O81logri.ini | Type: binary
MD5: D63A82E5D81E02E399090AF26DB0B9CB
SHA256: EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE

PID: 748 | Process: xcopy.exe | Filename: C:\Windows \System32\KDECO.bat | Type: text
MD5: 785E8193007BCD7858B9DF41C9D45F89
SHA256: C8E1912A3328802E98563E32EB053AE3E28249B701054AF227E9F1BA6BFE24D9

PID: 968 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF18ea6b.TMP | Type:
MD5:
SHA256:

PID: 968 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | Type:
MD5:
SHA256:

PID: 968 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | Type: binary
MD5: DF0BCCD68449F07F531D76F53C718178
SHA256: 12025F4DA9E53A8B91892D4F6E6A9B89513F3488BFE9F1EEEC3C05F7EF96BDD8
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 5
TCP/UDP connections: 41
DNS requests: 38
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2588 | msedge.exe | GET | 301 | 2.21.20.150:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=4rs | unknown | | | unknown
2588 | msedge.exe | GET | 302 | 69.192.162.125:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=4rs | unknown | | | unknown
1164 | explorer.exe | POST | 404 | 203.161.46.83:80 | http://www.huidvh.xyz/fd05/ | unknown | html | 276 b | unknown
1164 | explorer.exe | POST | 404 | 203.161.46.83:80 | http://www.huidvh.xyz/fd05/ | unknown | html | 276 b | unknown
1164 | explorer.exe | POST | 404 | 203.161.46.83:80 | http://www.huidvh.xyz/fd05/ | unknown | html | 276 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1040 | pointer.com | 13.107.139.11:443 | onedrive.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1040 | pointer.com | 13.107.42.12:443 | yjdbuq.sn.files.1drv.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1644 | pointer.com | 13.107.139.11:443 | onedrive.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1644 | pointer.com | 13.107.42.12:443 | yjdbuq.sn.files.1drv.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
968 | msedge.exe | 239.255.255.250:1900 | | | | unknown
2588 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2588 | msedge.exe | 69.192.162.125:80 | go.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
onedrive.live.com
  • 13.107.139.11
  • 13.107.137.11
shared
yjdbuq.sn.files.1drv.com
  • 13.107.42.12
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
go.microsoft.com
  • 69.192.162.125
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
shell.windows.com
  • 2.21.20.150
  • 2.21.20.141
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.31
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.28
  • 92.123.104.62
whitelisted
r.bing.com
  • 92.123.104.62
  • 92.123.104.32
  • 92.123.104.38
  • 92.123.104.31
  • 92.123.104.33
  • 92.123.104.28
whitelisted
th.bing.com
  • 92.123.104.33
  • 92.123.104.28
  • 92.123.104.62
  • 92.123.104.38
  • 92.123.104.31
  • 92.123.104.32
whitelisted
login.microsoftonline.com
  • 40.126.32.140
  • 40.126.32.76
  • 40.126.32.68
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.133
whitelisted

Threats

PID | Process | Class | Message
1164 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1164 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1164 | explorer.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
2 ETPRO signatures available in the full report
No debug info