File name: f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b.zip

Full analysis: https://app.any.run/tasks/573f7764-b06a-4a3e-94b4-f5217c41be2e
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers a variety of programs, each focused on its own kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: May 03, 2025, 07:49:54
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: stealer, grmsk
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: DD1A124AA9E9215B81DB99ABC0F923D3
SHA1: 8E6D1544336FDE403F31ADD1D816FCB9E8C2F0C5
SHA256: 7292EBCE755988BEC310A4569857C5667196BA86EEB8558DDA0F59C795E34346
SSDEEP: 393216:JhkA7YChvkh1cYX9yFqfi2JkdAMytyGqdHut:8A7ZhsEiw29tyGqdOt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • a.exe (PID: 1508)
    • GRMSK has been detected (YARA)

      • RarExt32.tif.exe (PID: 2624)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • a.exe (PID: 1508)
      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • cmd.exe (PID: 5952)
    • Reads the Windows owner or organization settings

      • a.tmp (PID: 4832)
    • Process drops legitimate windows executable

      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
    • Starts a Microsoft application from unusual location

      • identity_helper.exe (PID: 5976)
    • Starts CMD.EXE for commands execution

      • identity_helper.exe (PID: 2188)
    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 6136)
    • The executable file from the user directory is run by the CMD process

      • RarExt32.tif.exe (PID: 2624)
    • Reads the Internet Settings

      • RarExt32.tif.exe (PID: 2624)
    • Multiple wallet extension IDs have been found

      • RarExt32.tif.exe (PID: 2624)
    • Reads security settings of Internet Explorer

      • RarExt32.tif.exe (PID: 2624)
    • Starts itself from another location

      • identity_helper.exe (PID: 5976)
    • Executes application which crashes

      • RarExt32.tif.exe (PID: 2624)
    • Connects to the server without a host name

      • RarExt32.tif.exe (PID: 2624)
  • INFO

    • Manual execution by a user

      • a.exe (PID: 1508)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 868)
    • Reads the computer name

      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • identity_helper.exe (PID: 2188)
      • RarExt32.tif.exe (PID: 2624)
    • Checks supported languages

      • a.exe (PID: 1508)
      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • identity_helper.exe (PID: 2188)
      • RarExt32.tif.exe (PID: 2624)
    • Create files in a temporary directory

      • a.exe (PID: 1508)
      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 2188)
    • The sample compiled with english language support

      • a.tmp (PID: 4832)
      • identity_helper.exe (PID: 5976)
      • cmd.exe (PID: 5952)
    • Creates files or folders in the user directory

      • identity_helper.exe (PID: 5976)
      • WerFault.exe (PID: 1408)
    • Checks proxy server information

      • RarExt32.tif.exe (PID: 2624)
      • WerFault.exe (PID: 1408)
    • Reads the software policy settings

      • WerFault.exe (PID: 1408)
    • Reads the Internet Settings

      • WerFault.exe (PID: 1408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:05:03 07:49:28
ZipCRC: 0xea3c7a0a
ZipCompressedSize: 31992747
ZipUncompressedSize: 32586144
ZipFileName: f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b
Total processes: 113
Monitored processes: 10
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes in the graph: start; winrar.exe; dllhost.exe (no specs); a.exe; a.tmp; identity_helper.exe; identity_helper.exe (no specs); cmd.exe; conhost.exe (no specs); rarext32.tif.exe (#GRMSK); werfault.exe

Process information

PID: 868
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1408
CMD: C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 3604
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: RarExt32.tif.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.22000.653 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 1508
CMD: "C:\Users\admin\Desktop\a.exe"
Path: C:\Users\admin\Desktop\a.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: ShellExtension_1.0.0.2_x64__hh5nTBxii8HRi Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\desktop\a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 1984
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 2188
CMD: "C:\Users\admin\AppData\Roaming\efsadu\identity_helper.exe"
Path: C:\Users\admin\AppData\Roaming\efsadu\identity_helper.exe
Parent process: identity_helper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 1
Version: 120.0.2210.61
Modules (images):
c:\users\admin\appdata\roaming\efsadu\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

PID: 2624
CMD: C:\Users\admin\AppData\Local\Temp\RarExt32.tif.exe
Path: C:\Users\admin\AppData\Local\Temp\RarExt32.tif.exe
Parent process: cmd.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: Command line RAR
Exit code: 3221225477
Version: 6.24.0
Modules (images):
c:\users\admin\appdata\local\temp\tqehgxnpkjbq
c:\users\admin\appdata\local\temp\rarext32.tif.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll

PID: 4832
CMD: "C:\Users\admin\AppData\Local\Temp\is-R1GV8.tmp\a.tmp" /SL5="$502F6,14826194,1111552,C:\Users\admin\Desktop\a.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-R1GV8.tmp\a.tmp
Parent process: a.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-r1gv8.tmp\a.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 5952
CMD: C:\Windows\SysWOW64\cmd.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: identity_helper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 5976
CMD: "C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\\Microsoft\\Windows\\CurrentVersion\\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe" /SILENT /SUPPRESSMSGBOXES /NOCANCEL /FORCECLOSEAPPLICATIONS /portable=1
Path: C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe
Parent process: a.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 0
Version: 120.0.2210.61
Modules (images):
c:\users\admin\appdata\local\temp\is-fs17f.tmp_3a9d\microsoft\windows\currentversion\shellextension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

PID: 6136
CMD: "C:\Windows\system32\DllHost.exe" /Processid:{B41DB860-64E4-11D2-9906-E49FADC173CA}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
Total events: 5 011
Read events: 4 966
Write events: 39
Delete events: 6

Modification events

(PID) Process | Key | Operation | Name | Value
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\chromium_ext.zip
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b.zip
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(868) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0
Executable files: 38
Suspicious files: 7
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1508 | a.exe | C:\Users\admin\AppData\Local\Temp\is-R1GV8.tmp\a.tmp | executable | 0E91C3135EE6C3AD92E316AB428E8197 | 26D0BA627E1FF0E234E2DE83F3037346AF460BA1F6437F237181346FBD412E77
868 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb868.42549\f6ce71cf5fac208a2d6e36c9fb475d815784ea2dd08ac3608d0f7c9cec2e299b | executable | FAE8D451CA87B0EBD8BAE2B3CDCED8D7 | F6CE71CF5FAC208A2D6E36C9FB475D815784EA2DD08AC3608D0F7C9CEC2E299B
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-Q8QN0.tmp | executable | 2F5623EA47454887F73803FB46340A8F | DB6A8A7379B226AD7742009F89D55F9F6DF383A46C89D63444B4A0E8C96B6B1C
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-K9G7Q.tmp | executable | F975A2D83D63A473FA2FC5206B66BB79 | 6A2D3876003F6C68F824DF4F0033564D8C230716908BA2E6C06EA1DD6D5F98E8
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\itss.dll | executable | 64A6FE4011D6A0756162A55AB9127311 | F0F10E4B961523742282BD3E3F1502C2734EF7B969FD60802C6E076C7321EF28
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\identity_helper.exe | executable | F975A2D83D63A473FA2FC5206B66BB79 | 6A2D3876003F6C68F824DF4F0033564D8C230716908BA2E6C06EA1DD6D5F98E8
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-NS93Q.tmp | executable | AB412429F1E5FB9708A8CDEA07479099 | E32D8BBE8E6985726742B496520FA47827F3B428648FA1BC34ECFFDD9BDAC240
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-T93PS.tmp | executable | 3B180DA2B50B954A55FE37AFBA58D428 | 96D04CDFAF4F4D7B8722B139A15074975D4C244302F78034B7BE65DF1A92FD03
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\is-QFDPC.tmp | executable | ECC7D7F0D3446DE36045D1D9E964FAFE | BC58D624CEEA02AB086F1CCE809C992BF5A7105E88931853317A2F5AA5AFD6E4
4832 | a.tmp | C:\Users\admin\AppData\Local\Temp\is-FS17F.tmp_3A9D\Microsoft\Windows\CurrentVersion\ShellExtension_1.0.1.2_x64__rj9z5rmr8n9t5\itircl.dll | executable | 2F5623EA47454887F73803FB46340A8F | DB6A8A7379B226AD7742009F89D55F9F6DF383A46C89D63444B4A0E8C96B6B1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 727
TCP/UDP connections: 21
DNS requests: 13
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2064 | smartscreen.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3d36956c6f6d082e | | unknown | | whitelisted
2064 | smartscreen.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | | unknown | | whitelisted
1352 | svchost.exe | GET | 200 | 23.53.42.64:80 | http://www.msftconnecttest.com/connecttest.txt | | unknown | | whitelisted
3640 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | | unknown | | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7ffa61214c1c53e3 | | unknown | | whitelisted
2624 | RarExt32.tif.exe | POST | 403 | 185.106.92.104:80 | http://185.106.92.104/Up | | unknown | | unknown
2624 | RarExt32.tif.exe | POST | 403 | 185.106.92.104:80 | http://185.106.92.104/Up | | unknown | | unknown
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?6fdd1136c0f80710 | | unknown | | whitelisted
2624 | RarExt32.tif.exe | POST | 403 | 185.106.92.104:80 | http://185.106.92.104/Up | | unknown | | unknown
2624 | RarExt32.tif.exe | POST | 403 | 185.106.92.104:80 | http://185.106.92.104/Up | | unknown | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1352 | svchost.exe | 23.53.42.66:80 | | Akamai International B.V. | DE | unknown
2064 | smartscreen.exe | 4.175.223.124:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2064 | smartscreen.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
2064 | smartscreen.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1188 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 40.126.31.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1352 | svchost.exe | 23.53.42.64:80 | | Akamai International B.V. | DE | unknown
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110 | whitelisted
checkappexec.microsoft.com | 4.175.223.124 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
login.live.com | 40.126.31.131, 20.190.159.4, 20.190.159.129, 40.126.31.71, 20.190.159.71, 20.190.159.73, 40.126.31.2, 40.126.31.3 | whitelisted
fs.microsoft.com | 23.60.203.209 | whitelisted
self.events.data.microsoft.com | 51.116.246.104 | whitelisted
umwatson.events.data.microsoft.com | 52.182.143.212 | whitelisted

Threats

PID | Process | Class | Message
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test

Process | Message
RarExt32.tif.exe | <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.24.0 (Ubuntu)</center> </body> </html> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page -->