URL: https://cdn-141.anonfiles.com/T6i9u8ibz6/f2ee03fb-1680371123/syn.zip

Full analysis: https://app.any.run/tasks/a31f82e0-bbb4-47a1-8ad5-b6922a4628b7
Verdict: Malicious activity
Analysis date: April 01, 2023, 17:38:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 26BBEF885DE9A4A55A402B842E1B7FB1
SHA1: 6D1ADE9F3C505723E8216A8284372E8631B53FB1
SHA256: 96BCEB018F7185D27FB6C850144D9439987AEA1CC7E7B752A24057355BFE953C
SSDEEP: 3:N8cFROLD026xbY/WbIUKC4:2cFQLQ269IH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • launch.exe (PID: 3352)
      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • launch.exe (PID: 1416)
      • launch.exe (PID: 3384)
      • launch.exe (PID: 3392)
      • launch.exe (PID: 3480)
      • launch.exe (PID: 2560)
    • Actions look like stealing of personal data

      • RobloxPlayerLauncher.exe (PID: 2180)
  • SUSPICIOUS

    • Reads the Internet Settings

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2436)
    • Reads settings of System Certificates

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
    • Application launched itself

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3820)
    • Checks Windows Trust Settings

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
    • Reads security settings of Internet Explorer

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
    • Cleans NTFS data stream (Zone Identifier)

      • RobloxPlayerLauncher.exe (PID: 2180)
    • Executable content was dropped or overwritten

      • RobloxPlayerLauncher.exe (PID: 2180)
  • INFO

    • Checks supported languages

      • launch.exe (PID: 3352)
      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerBeta.exe (PID: 2436)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2756)
      • launch.exe (PID: 1416)
      • launch.exe (PID: 3384)
      • launch.exe (PID: 3392)
      • launch.exe (PID: 3480)
      • launch.exe (PID: 2560)
    • Manual execution by a user

      • chrome.exe (PID: 3680)
    • The process uses the downloaded file

      • iexplore.exe (PID: 2672)
      • WinRAR.exe (PID: 1272)
      • chrome.exe (PID: 3024)
      • chrome.exe (PID: 3680)
      • RobloxPlayerLauncher.exe (PID: 2180)
    • Application launched itself

      • iexplore.exe (PID: 2672)
      • chrome.exe (PID: 3680)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3680)
      • WinRAR.exe (PID: 1272)
    • Create files in a temporary directory

      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2672)
      • RobloxPlayerLauncher.exe (PID: 2180)
      • chrome.exe (PID: 3680)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerLauncher.exe (PID: 3820)
    • The process checks LSA protection

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerBeta.exe (PID: 2436)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2756)
    • Reads the machine GUID from the registry

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerBeta.exe (PID: 2436)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2756)
    • Reads the computer name

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerBeta.exe (PID: 2436)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2756)
    • Checks proxy server information

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2436)
    • Creates files or folders in the user directory

      • RobloxPlayerLauncher.exe (PID: 4092)
      • RobloxPlayerLauncher.exe (PID: 3148)
      • RobloxPlayerBeta.exe (PID: 2436)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerLauncher.exe (PID: 3956)
      • RobloxPlayerBeta.exe (PID: 2756)
      • RobloxPlayerLauncher.exe (PID: 2180)
    • Process checks computer location settings

      • RobloxPlayerLauncher.exe (PID: 2180)
      • RobloxPlayerBeta.exe (PID: 2436)
      • RobloxPlayerLauncher.exe (PID: 2844)
      • RobloxPlayerLauncher.exe (PID: 3820)
      • RobloxPlayerBeta.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 114
Monitored processes: 68
Malicious processes: 8
Suspicious processes: 2

Behavior graph

(Interactive process graph, available in the full report. Processes shown: iexplore.exe, winrar.exe, launch.exe, chrome.exe, robloxplayerlauncher.exe, robloxplayerbeta.exe.)

Process information

PID: 2672
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn-141.anonfiles.com/T6i9u8ibz6/f2ee03fb-1680371123/syn.zip"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
PID: 3112
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2672 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 1272
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\syn.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3352
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1272.21425\launch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1272.21425\launch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1272.21425\launch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\vcruntime140.dll
PID: 3680
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3856
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6b35d988,0x6b35d998,0x6b35d9a4
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
PID: 1620
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1072,248820016686747480,5825033914899944025,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 2128
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1072,248820016686747480,5825033914899944025,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1400 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
PID: 3052
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,248820016686747480,5825033914899944025,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1472 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 3140
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,248820016686747480,5825033914899944025,131072 --enable-features=PasswordImport --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events: 124 346
Read events: 123 312
Write events: 1 012
Delete events: 22

Modification events

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2672) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 38
Suspicious files: 950
Text files: 820
Unknown types: 56

Dropped files

PID | Process | Filename | Type

3680 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-64286C32-E60.pma |
MD5:
SHA256:

3112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\syn[1].zip | compressed
MD5: B6502C98D47C15AD96FD1C67398FC88A
SHA256: 36892BAE028A7D128E0541E4A8BFCD71E70BF62BD3FF7B8061D2769745D73FFF

3112 | iexplore.exe | C:\Users\admin\Downloads\syn.zip.ou2lfpy.partial | compressed
MD5: B6502C98D47C15AD96FD1C67398FC88A
SHA256: 36892BAE028A7D128E0541E4A8BFCD71E70BF62BD3FF7B8061D2769745D73FFF

2672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF6538CE4411208967.TMP | gmc
MD5: 224490ED284C6213C07156E1CFB3C89E
SHA256: F9795894559F72377BAC33F6DEAFCFED55F63CB87C1034ADE5B23F21DAF5367A

3112 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
MD5: 90F8B240D79AC4DF2FBF214DEB1D6FC4
SHA256: CEA8C2D8B55BFA2B5FE60475A21638139B93468AB2681E766AC48018ADB05148

3112 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 066D84E4ED30B6C7723B1FB4FA393FAD
SHA256: 53A82288F127534FBCB4F9AB369F50A641C90952F14020B4A8C441E411A830CF

3112 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
MD5: 6EEDA42A92EF500266799504171E1731
SHA256: 56CD7BD88EF70A9FC627AD03D7F26A85066727B8FD290C1022465AAA22170181

2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{03286CAB-D0B4-11ED-94DF-12A9866C77DE}.dat | binary
MD5: CF021B3730CDA1ECD32DEEA1F4729ADD
SHA256: ABB14E45754D37338DE2278324F84333C9FDCAF0F24AB08FF12C489099C9A671

1272 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1272.21425\homojews.bin | executable
MD5: FF0939406343584AB3DFDEED97CA5FD6
SHA256: 158E0629654B5313121DF404C3FEE8CD387BA841DC50C586BEA209241A07D40F

2672 | iexplore.exe | C:\Users\admin\Downloads\syn.zip | compressed
MD5: B6502C98D47C15AD96FD1C67398FC88A
SHA256: 36892BAE028A7D128E0541E4A8BFCD71E70BF62BD3FF7B8061D2769745D73FFF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 125
DNS requests: 103
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2672 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
2672 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 779 b | whitelisted
2672 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 8.97 Kb | whitelisted
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvODJiQUFYYVJaZ0k5di1hUFlXS1prX2xDZw/1.0.0.13_llkgjffcdpffmhiakmfcdcblohccpfmo.crx | US | | | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 65.1 Kb | whitelisted
860 | svchost.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q | US | crx | 3.72 Kb | whitelisted
3112 | iexplore.exe | GET | 200 | 23.37.41.57:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
3112 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ce6002017abddbbd | US | compressed | 61.1 Kb | whitelisted
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | crx | 3.72 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 172.217.18.3:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
3112 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
3112 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
| | 142.250.185.206:443 | clients2.google.com | GOOGLE | US | whitelisted
2672 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
3112 | iexplore.exe | 195.96.151.34:443 | cdn-141.anonfiles.com | Svea Hosting AB | SE | unknown
| | 142.250.185.196:443 | www.google.com | GOOGLE | US | whitelisted
2128 | chrome.exe | 142.250.185.193:443 | clients2.googleusercontent.com | GOOGLE | US | whitelisted
3112 | iexplore.exe | 23.37.41.57:80 | x1.c.lencr.org | AKAMAI-AS | DE | suspicious
| | 142.250.185.77:443 | accounts.google.com | GOOGLE | US | suspicious

DNS requests

Domain
IP
Reputation
cdn-141.anonfiles.com
  • 195.96.151.34
suspicious
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
whitelisted
x1.c.lencr.org
  • 23.37.41.57
whitelisted
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
clients2.google.com
  • 142.250.185.206
whitelisted
www.google.com
  • 142.250.185.196
whitelisted
accounts.google.com
  • 142.250.185.77
shared
clients2.googleusercontent.com
  • 142.250.185.193
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
Process | Message
RobloxPlayerBeta.exe | 2023-04-01T17:42:29.106Z,0.106972,0418,6 [FLog::ClientRunInfo] RobloxGitHash: 6867c2d3365d29f9b40f61bb5c51a4bc7df908c0
RobloxPlayerBeta.exe | 2023-04-01T17:42:29.106Z,0.106972,0418,6 [FLog::ClientRunInfo] The base url is http://www.roblox.com/
RobloxPlayerBeta.exe | 2023-04-01T17:42:29.106Z,0.106972,0418,6 [FLog::ClientRunInfo] The channel is production
RobloxPlayerBeta.exe | 2023-04-01T17:42:29.106Z,0.106972,0418,6 [FLog::ClientRunInfo] RobloxGitHash: 6867c2d3365d29f9b40f61bb5c51a4bc7df908c0
RobloxPlayerBeta.exe | 2023-04-01T17:42:29.106Z,0.106972,0418,6 [FLog::ClientRunInfo] The base url is http://www.roblox.com/