File name: SPAM.zip

Full analysis: https://app.any.run/tasks/16ff55bc-4a49-4d41-a2f1-c96930d5c2e9
Verdict: Malicious activity
Analysis date: April 29, 2025, 08:43:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
delphi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 06A3256501936448026A6C91B0D227F9
SHA1: 251FBA2FD359BB71C04D0F7A68CAC1BA31F20A1E
SHA256: 6484BD162B09F19383F6A67E8C2B94610EBDBE662102868AAEB6F17A29E08AED
SSDEEP: 98304:KacwEiAHBE9Y82k7HKQ3P06YReIh2DuPK6vtJbNUP7/htacwEiAHBE9Y82k7HKQZ:uWi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7204)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 7716)
      • expha.pif (PID: 7740)
      • expha.pif (PID: 7764)
      • expha.pif (PID: 7788)
      • ghf.pif (PID: 7872)
      • extrac32.exe (PID: 8124)
      • expha.pif (PID: 8160)
      • expha.pif (PID: 8184)
      • expha.pif (PID: 5956)
    • Drops a file with a rarely used extension (PIF)

      • extrac32.exe (PID: 7716)
      • expha.pif (PID: 7740)
      • expha.pif (PID: 7764)
      • expha.pif (PID: 7788)
      • ghf.pif (PID: 7872)
      • extrac32.exe (PID: 8124)
      • expha.pif (PID: 8160)
      • expha.pif (PID: 8184)
      • expha.pif (PID: 5956)
      • chrome.PIF (PID: 7988)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7652)
      • alpha.pif (PID: 7812)
      • rdha.pif (PID: 7952)
      • alpha.pif (PID: 7856)
      • cmd.exe (PID: 8060)
      • alpha.pif (PID: 5576)
      • alpha.pif (PID: 5556)
      • rdha.pif (PID: 1660)
    • Process drops legitimate windows executable

      • extrac32.exe (PID: 7716)
      • expha.pif (PID: 7740)
      • expha.pif (PID: 7764)
      • extrac32.exe (PID: 8124)
      • expha.pif (PID: 8160)
      • expha.pif (PID: 8184)
    • Process drops legitimate windows executable (CertUtil.exe)

      • expha.pif (PID: 7788)
      • expha.pif (PID: 5956)
    • Starts itself from another location

      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 8060)
    • Reads security settings of Internet Explorer

      • rdha.pif (PID: 7952)
      • rdha.pif (PID: 1660)
      • chrome.PIF (PID: 7988)
      • chrome.PIF (PID: 6272)
    • Runs PING.EXE to delay simulation

      • alpha.pif (PID: 7900)
      • alpha.pif (PID: 4608)
    • Application launched itself

      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 8060)
    • Reads the date of Windows installation

      • rdha.pif (PID: 7952)
      • rdha.pif (PID: 1660)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 8060)
    • There is functionality for taking screenshot (YARA)

      • chrome.PIF (PID: 7988)
      • chrome.PIF (PID: 6272)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 8060)
    • Reads the computer name

      • extrac32.exe (PID: 7716)
      • ghf.pif (PID: 7828)
      • rdha.pif (PID: 7952)
      • extrac32.exe (PID: 8124)
      • ghf.pif (PID: 7872)
      • ghf.pif (PID: 4868)
      • ghf.pif (PID: 2432)
      • rdha.pif (PID: 1660)
      • chrome.PIF (PID: 7988)
      • chrome.PIF (PID: 6272)
    • Creates files in the program directory

      • extrac32.exe (PID: 7716)
      • expha.pif (PID: 7740)
      • expha.pif (PID: 7764)
      • expha.pif (PID: 7788)
      • ghf.pif (PID: 7828)
      • ghf.pif (PID: 7872)
      • expha.pif (PID: 8160)
      • expha.pif (PID: 8184)
      • extrac32.exe (PID: 8124)
      • ghf.pif (PID: 4868)
      • expha.pif (PID: 5956)
    • Checks supported languages

      • extrac32.exe (PID: 7716)
      • expha.pif (PID: 7740)
      • expha.pif (PID: 7764)
      • expha.pif (PID: 7788)
      • alpha.pif (PID: 7812)
      • alpha.pif (PID: 7856)
      • ghf.pif (PID: 7828)
      • alpha.pif (PID: 7900)
      • rdha.pif (PID: 7952)
      • chrome.PIF (PID: 7988)
      • extrac32.exe (PID: 8124)
      • ghf.pif (PID: 7872)
      • expha.pif (PID: 8160)
      • expha.pif (PID: 8184)
      • alpha.pif (PID: 5576)
      • ghf.pif (PID: 4868)
      • alpha.pif (PID: 5556)
      • alpha.pif (PID: 4608)
      • rdha.pif (PID: 1660)
      • expha.pif (PID: 5956)
      • ghf.pif (PID: 2432)
      • chrome.PIF (PID: 6272)
    • The sample compiled with english language support

      • extrac32.exe (PID: 7716)
      • expha.pif (PID: 7740)
      • expha.pif (PID: 7764)
      • expha.pif (PID: 7788)
      • extrac32.exe (PID: 8124)
      • expha.pif (PID: 8160)
      • expha.pif (PID: 8184)
      • expha.pif (PID: 5956)
    • Process checks computer location settings

      • rdha.pif (PID: 7952)
      • rdha.pif (PID: 1660)
    • Checks proxy server information

      • chrome.PIF (PID: 6272)
      • chrome.PIF (PID: 7988)
      • slui.exe (PID: 2268)
    • Reads the software policy settings

      • chrome.PIF (PID: 7988)
      • chrome.PIF (PID: 6272)
      • slui.exe (PID: 2268)
    • Reads the machine GUID from the registry

      • chrome.PIF (PID: 7988)
      • chrome.PIF (PID: 6272)
    • Compiled with Borland Delphi (YARA)

      • chrome.PIF (PID: 7988)
      • chrome.PIF (PID: 6272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:29 08:42:14
ZipCRC: 0x25f317b3
ZipCompressedSize: 946748
ZipUncompressedSize: 3207479
ZipFileName: 32816daa566ac602c7bedd50e353d4028f5dc0baef3efc4a2f22a78f5cb52c4d.cmd
No data.
All screenshots are available in the full report
Total processes: 182
Monitored processes: 37
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes as listed in the graph, in order ("no specs" is the report's own marker for a process with no attached indicators): winrar.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), extrac32.exe, expha.pif, expha.pif, expha.pif, alpha.pif (no specs), ghf.pif (no specs), alpha.pif (no specs), ghf.pif, alpha.pif (no specs), ping.exe (no specs), rdha.pif (no specs), chrome.pif, cmd.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), extrac32.exe, expha.pif, expha.pif, expha.pif, alpha.pif (no specs), ghf.pif (no specs), alpha.pif (no specs), ghf.pif (no specs), alpha.pif (no specs), ping.exe (no specs), rdha.pif (no specs), chrome.pif, cmd.exe (no specs), svchost.exe, slui.exe, ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1660
CMD: C:\\ProgramData\\rdha.pif zipfldr.dll,RouteTheCall C:\\ProgramData\\chrome.PIF
Path: C:\ProgramData\rdha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\programdata\rdha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1812
CMD: PING -n 1 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: alpha.pif
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
PID: 2092
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: User Choice Protection Manager
Exit code: 0
Version: 1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2268
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2432
CMD: C:\\ProgramData\\ghf.pif -decodehex -f "C:\\ProgramData\\donex.avi" "C:\\ProgramData\\chrome.PIF" 12
Path: C:\ProgramData\ghf.pif
Parent process: alpha.pif
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 2147942432
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\programdata\ghf.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
PID: 2656
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4608
CMD: C:\\ProgramData\\alpha.pif /c PING -n 1 127.0.0.1
Path: C:\ProgramData\alpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\programdata\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 4868
CMD: C:\\ProgramData\\ghf.pif -decodehex -f "C:\Users\admin\Desktop\9d968540a796c21ca09feb3efc201ad3e6c57fce267ba05a08a337dd1e14aacf.cmd" "C:\\ProgramData\\donex.avi" 9
Path: C:\ProgramData\ghf.pif
Parent process: alpha.pif
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\programdata\ghf.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
PID: 5556
CMD: C:\\ProgramData\\alpha.pif /C C:\\ProgramData\\ghf.pif -decodehex -f "C:\\ProgramData\\donex.avi" "C:\\ProgramData\\chrome.PIF" 12
Path: C:\ProgramData\alpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 2147942432
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\programdata\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 13 568
Read events: 13 548
Write events: 20
Delete events: 0

Modification events

(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\SPAM.zip
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: name | Value: 256
(PID) Process: (7204) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: size | Value: 80
Executable files: 9
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

7988 | chrome.PIF | C:\Users\admin\Links\ahgqwnzH.pif | (type blank in report)
  MD5: (blank in report)
  SHA256: (blank in report)
7716 | extrac32.exe | C:\ProgramData\expha.pif | executable
  MD5: 41330D97BF17D07CD4308264F3032547
  SHA256: A224559FD6621066347A5BA8F4AEECEEA8A0A7A881A71BD36DE69ACEB52E9DF7
7740 | expha.pif | C:\ProgramData\alpha.pif | executable
  MD5: CB6CD09F6A25744A8FA6E4B3E4D260C5
  SHA256: 265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
7788 | expha.pif | C:\ProgramData\ghf.pif | executable
  MD5: A7A5B67EC704EAC6D6E6AF0489353F42
  SHA256: BF072F9A6A15B550B13AE86A4FBD3FA809D2A13236847AE9FA9A68F41386106E
7872 | ghf.pif | C:\ProgramData\chrome.PIF | executable
  MD5: 35DC1AE3A76A35A4BBEA41CE8CDEC76C
  SHA256: 676122E3483CF9D3BBF0407FD8B3C4A5E3EED475D59F45DDC1FE17192F96F48B
7204 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7204.3134\32816daa566ac602c7bedd50e353d4028f5dc0baef3efc4a2f22a78f5cb52c4d.cmd | text
  MD5: 6CC316407815CB436004FA3233BE7067
  SHA256: 32816DAA566AC602C7BEDD50E353D4028F5DC0BAEF3EFC4A2F22A78F5CB52C4D
7764 | expha.pif | C:\ProgramData\rdha.pif | executable
  MD5: 100F56A73211E0B2BCD076A55E6393FD
  SHA256: 00BE065F405E93233CC2F0012DEFDCBB1D6817B58969D5FFD9FD72FC4783C6F4
5956 | expha.pif | C:\ProgramData\ghf.pif | executable
  MD5: A7A5B67EC704EAC6D6E6AF0489353F42
  SHA256: BF072F9A6A15B550B13AE86A4FBD3FA809D2A13236847AE9FA9A68F41386106E
7828 | ghf.pif | C:\ProgramData\donex.avi | text
  MD5: EF7FF42E6F2698892F07F70FE96113FE
  SHA256: 47A628E8030DE8DF22BBEF4E71325C3D0DD0A707C8C963432FFAF4BB52C5C2F3
4868 | ghf.pif | C:\ProgramData\donex.avi | text
  MD5: C351D470389095B4D9FF905027D47303
  SHA256: 4A6217650FD04F7A3BA1CC105F7FD3A5A4398A24FF8644EE7395283BDC623183
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 62
TCP/UDP connections: 102
DNS requests: 28
Threats: 6

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (fields absent from a row were blank in the report)

6436 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
6436 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown
7468 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7468 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7468 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7468 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7468 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (fields absent from a row were blank in the report)

4 | System | 192.168.100.255:137 | whitelisted
2516 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6436 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation

google.com | 142.250.185.174 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.248, 172.211.123.250 | whitelisted
login.live.com | 20.190.160.64, 20.190.160.65, 40.126.32.138, 20.190.160.132, 20.190.160.3, 20.190.160.128, 20.190.160.4, 20.190.160.131, 20.190.160.66, 20.190.160.130, 20.190.160.2, 20.190.160.5, 20.190.160.67, 40.126.32.72 | whitelisted
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
example.org | 96.7.128.192, 96.7.128.186, 23.215.0.133, 23.215.0.132 | whitelisted
ipv4only.arpa | 192.0.0.170, 192.0.0.171 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2, 4.231.128.59 | whitelisted
link.storjshare.io | 185.244.226.2 | malicious
slscr.update.microsoft.com | 20.12.23.50 | whitelisted

Threats

Columns: PID | Process | Class | Message

7988 | chrome.PIF | Potentially Bad Traffic | ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
7988 | chrome.PIF | Misc activity | ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
6272 | chrome.PIF | Potentially Bad Traffic | ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
6272 | chrome.PIF | Misc activity | ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
No debug info