File name:

f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b.zip

Full analysis: https://app.any.run/tasks/573f7764-b06a-4a3e-94b4-f5217c41be2e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 03, 2025, 07:49:54
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
stealer
grmsk
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

DD1A124AA9E9215B81DB99ABC0F923D3

SHA1:

8E6D1544336FDE403F31ADD1D816FCB9E8C2F0C5

SHA256:

7292EBCE755988BEC310A4569857C5667196BA86EEB8558DDA0F59C795E34346

SSDEEP:

393216:JhkA7YChvkh1cYX9yFqfi2JkdAMytyGqdHut:8A7ZhsEiw29tyGqdOt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • a.exe (PID: 1508)
    • GRMSK has been detected (YARA)

      • RarExt32.tif.exe (PID: 2624)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • a.exe (PID: 1508)
      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • cmd.exe (PID: 5952)
    • Reads the Windows owner or organization settings

      • a.tmp (PID: 4832)
    • Process drops legitimate windows executable

      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
    • Starts a Microsoft application from unusual location

      • identity_helper.exe (PID: 5976)
    • Starts itself from another location

      • identity_helper.exe (PID: 5976)
    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 6136)
    • Starts CMD.EXE for commands execution

      • identity_helper.exe (PID: 2188)
    • The executable file from the user directory is run by the CMD process

      • RarExt32.tif.exe (PID: 2624)
    • Multiple wallet extension IDs have been found

      • RarExt32.tif.exe (PID: 2624)
    • Reads the Internet Settings

      • RarExt32.tif.exe (PID: 2624)
    • Reads security settings of Internet Explorer

      • RarExt32.tif.exe (PID: 2624)
    • Executes application which crashes

      • RarExt32.tif.exe (PID: 2624)
    • Connects to the server without a host name

      • RarExt32.tif.exe (PID: 2624)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 868)
    • Create files in a temporary directory

      • a.exe (PID: 1508)
      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 2188)
    • Manual execution by a user

      • a.exe (PID: 1508)
    • Checks supported languages

      • a.exe (PID: 1508)
      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • identity_helper.exe (PID: 2188)
      • RarExt32.tif.exe (PID: 2624)
    • Reads the computer name

      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • identity_helper.exe (PID: 2188)
      • RarExt32.tif.exe (PID: 2624)
    • The sample compiled with english language support

      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • cmd.exe (PID: 5952)
    • Creates files or folders in the user directory

      • identity_helper.exe (PID: 5976)
      • WerFault.exe (PID: 1408)
    • Checks proxy server information

      • RarExt32.tif.exe (PID: 2624)
      • WerFault.exe (PID: 1408)
    • Reads the Internet Settings

      • WerFault.exe (PID: 1408)
    • Reads the software policy settings

      • WerFault.exe (PID: 1408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:05:03 07:49:28
ZipCRC: 0xea3c7a0a
ZipCompressedSize: 31992747
ZipUncompressedSize: 32586144
ZipFileName: f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b
No data.
All screenshots are available in the full report
Total processes
113
Monitored processes
10
Malicious processes
6
Suspicious processes
0

Behavior graph

Processes in the graph: winrar.exe, dllhost.exe (no specs), a.exe, a.tmp, identity_helper.exe, identity_helper.exe (no specs), cmd.exe, conhost.exe (no specs), rarext32.tif.exe (#GRMSK), werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 868
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1408
CMD: C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 3604
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: RarExt32.tif.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1508
CMD: "C:\Users\admin\Desktop\a.exe"
Path: C:\Users\admin\Desktop\a.exe
Parent process: explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
ShellExtension_1.0.0.2_x64__hh5nTBxii8HRi Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1984
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2188
CMD: "C:\Users\admin\AppData\Roaming\efsadu\identity_helper.exe"
Path: C:\Users\admin\AppData\Roaming\efsadu\identity_helper.exe
Parent process: identity_helper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
1
Version:
120.0.2210.61
Modules
Images
c:\users\admin\appdata\roaming\efsadu\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
PID: 2624
CMD: C:\Users\admin\AppData\Local\Temp\RarExt32.tif.exe
Path: C:\Users\admin\AppData\Local\Temp\RarExt32.tif.exe
Parent process: cmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
Command line RAR
Exit code:
3221225477
Version:
6.24.0
Modules
Images
c:\users\admin\appdata\local\temp\tqehgxnpkjbq
c:\users\admin\appdata\local\temp\rarext32.tif.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
PID: 4832
CMD: "C:\Users\admin\AppData\Local\Temp\is-R1GV8.tmp\a.tmp" /SL5="$502F6,14826194,1111552,C:\Users\admin\Desktop\a.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-R1GV8.tmp\a.tmp
Parent process: a.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-r1gv8.tmp\a.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 5952
CMD: C:\Windows\SysWOW64\cmd.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: identity_helper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 5976
CMD: "C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\\Microsoft\\Windows\\CurrentVersion\\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe" /SILENT /SUPPRESSMSGBOXES /NOCANCEL /FORCECLOSEAPPLICATIONS /portable=1
Path: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe
Parent process: a.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
120.0.2210.61
Modules
Images
c:\users\admin\appdata\local\temp\is-fs17f.tmp_3a9d\microsoft\windows\currentversion\shellextension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
PID: 6136
CMD: "C:\Windows\system32\DllHost.exe" /Processid:{B41DB860-64E4-11D2-9906-E49FADC173CA}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
Total events
5 011
Read events
4 966
Write events
39
Delete events
6

Modification events

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b.zip

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (868) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0
Executable files
38
Suspicious files
7
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp\_isetup\_iscrypt.dll
Type: executable
MD5: A69559718AB506675E907FE49DEB71E9
SHA256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC

PID: 868
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb868.42549\f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b
Type: executable
MD5: FAE8D451CA87B0EBD8BAE2B3CDCED8D7
SHA256: F6CE71CF5FAC208A2D6E36C9FB475D815784EA2DD08AC3608D0F7C9CEC2E299B

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp\innocallback.dll
Type: executable
MD5: 1C55AE5EF9980E3B1028447DA6105C75
SHA256: 6AFA2D104BE6EFE3D9A2AB96DBB75DB31565DAD64DD0B791E402ECC25529809F

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-LJM44.tmp
Type: executable
MD5: 6A021B290D913525F2F7225462172690
SHA256: 7DD57F8763664A593C8BF2A0A86D9D70E8EFE427E1474223642B5D541B51642E

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\comcat.dll
Type: executable
MD5: 3B180DA2B50B954A55FE37AFBA58D428
SHA256: 96D04CDFAF4F4D7B8722B139A15074975D4C244302F78034B7BE65DF1A92FD03

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-MB2F1.tmp
Type: executable
MD5: C89E401800DE62E5702E085D898EED20
SHA256: DE83C9D9203050B40C098E4143EF8F577AA90016C7A64D4F2931B57A4C43E566

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\asycfilt.dll
Type: executable
MD5: C89E401800DE62E5702E085D898EED20
SHA256: DE83C9D9203050B40C098E4143EF8F577AA90016C7A64D4F2931B57A4C43E566

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-T93PS.tmp
Type: executable
MD5: 3B180DA2B50B954A55FE37AFBA58D428
SHA256: 96D04CDFAF4F4D7B8722B139A15074975D4C244302F78034B7BE65DF1A92FD03

PID: 1508
Process: a.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-R1GV8.tmp\a.tmp
Type: executable
MD5: 0E91C3135EE6C3AD92E316AB428E8197
SHA256: 26D0BA627E1FF0E234E2DE83F3037346AF460BA1F6437F237181346FBD412E77

PID: 4832
Process: a.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe
Type: executable
MD5: F975A2D83D63A473FA2FC5206B66BB79
SHA256: 6A2D3876003F6C68F824DF4F0033564D8C230716908BA2E6C06EA1DD6D5F98E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
727
TCP/UDP connections
21
DNS requests
13
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2064
smartscreen.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3d36956c6f6d082e
unknown
whitelisted
2064
smartscreen.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3640
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1352
svchost.exe
GET
200
23.53.42.64:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7ffa61214c1c53e3
unknown
whitelisted
2624
RarExt32.tif.exe
POST
403
185.106.92.104:80
http://185.106.92.104/Up
unknown
unknown
2624
RarExt32.tif.exe
POST
403
185.106.92.104:80
http://185.106.92.104/Up
unknown
unknown
2768
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?6fdd1136c0f80710
unknown
whitelisted
2624
RarExt32.tif.exe
POST
403
185.106.92.104:80
http://185.106.92.104/Up
unknown
unknown
2624
RarExt32.tif.exe
POST
403
185.106.92.104:80
http://185.106.92.104/Up
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1352
svchost.exe
23.53.42.66:80
Akamai International B.V.
DE
unknown
2064
smartscreen.exe
4.175.223.124:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2064
smartscreen.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
2064
smartscreen.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
1188
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1352
svchost.exe
23.53.42.64:80
Akamai International B.V.
DE
unknown
3952
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
checkappexec.microsoft.com
  • 4.175.223.124
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.4
  • 20.190.159.129
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.3
whitelisted
fs.microsoft.com
  • 23.60.203.209
whitelisted
self.events.data.microsoft.com
  • 51.116.246.104
whitelisted
umwatson.events.data.microsoft.com
  • 52.182.143.212
whitelisted

Threats

PID
Process
Class
Message
1352
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
Process
Message
RarExt32.tif.exe
<html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.24.0 (Ubuntu)</center> </body> </html> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page -->