File name:

update.zip

Full analysis: https://app.any.run/tasks/20294400-9b31-4d4b-9dfd-38a1e4a305d0
Verdict: Malicious activity
Analysis date: July 21, 2024, 17:32:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
telegram
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

D32F89A8A3DD360DB3FA9B838163FFA0

SHA1:

66FBE2B33E545062A1399A4962B9AF4FBBD4B356

SHA256:

96DEC6E07229201A02F538310815C695CF6147C548FF1C6A0DEF2FE38F3DCBC8

SSDEEP:

49152:wFUG/KGKxVTQ8WqwjrFkiV4sKPGsECGu32l6PB6IVhvCT93emKGjBcAgAm/3Gbk5:wFUG/STQ8Wqw/FkiJKexu3igZv6jBcAY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6456)
      • CrowdStrike.exe (PID: 5624)
      • cmd.exe (PID: 5948)
      • Champion.pif (PID: 5108)
      • RegAsm.exe (PID: 4404)
    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 1300)
      • findstr.exe (PID: 6668)
      • findstr.exe (PID: 3668)
      • findstr.exe (PID: 480)
    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 4404)
  • SUSPICIOUS

    • Executing commands from ".cmd" file

      • CrowdStrike.exe (PID: 5624)
      • CrowdStrike.exe (PID: 7500)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5948)
      • cmd.exe (PID: 2704)
    • Suspicious file concatenation

      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 8148)
    • Reads security settings of Internet Explorer

      • CrowdStrike.exe (PID: 5624)
      • Champion.pif (PID: 6560)
      • CrowdStrike.exe (PID: 7500)
      • Champion.pif (PID: 7036)
    • Get information on the list of running processes

      • cmd.exe (PID: 5948)
      • cmd.exe (PID: 2704)
    • Reads the date of Windows installation

      • CrowdStrike.exe (PID: 5624)
      • Champion.pif (PID: 6560)
      • CrowdStrike.exe (PID: 7500)
    • Starts CMD.EXE for commands execution

      • CrowdStrike.exe (PID: 5624)
      • cmd.exe (PID: 5948)
      • Champion.pif (PID: 6560)
      • CrowdStrike.exe (PID: 7500)
      • cmd.exe (PID: 2704)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5948)
      • cmd.exe (PID: 2704)
    • Application launched itself

      • cmd.exe (PID: 5948)
      • cmd.exe (PID: 2704)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 5948)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 5948)
      • RegAsm.exe (PID: 4404)
      • Champion.pif (PID: 5108)
    • The executable file from the user directory is run by the CMD process

      • Champion.pif (PID: 6560)
      • Champion.pif (PID: 5108)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2704)
      • cmd.exe (PID: 5948)
    • The process creates files with name similar to system file names

      • Champion.pif (PID: 5108)
    • Drops a system driver (possible attempt to evade defenses)

      • RegAsm.exe (PID: 4404)
    • Checks for external IP

      • RegAsm.exe (PID: 4404)
    • Process drops legitimate windows executable

      • Champion.pif (PID: 5108)
    • Starts a Microsoft application from unusual location

      • RegAsm.exe (PID: 4404)
    • Write to the desktop.ini file (may be used to cloak folders)

      • RegAsm.exe (PID: 4404)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • RegAsm.exe (PID: 4404)
    • Executes application which crashes

      • RegAsm.exe (PID: 4404)
      • GameBar.exe (PID: 6112)
      • Champion.pif (PID: 7036)
    • Creates file in the systems drive root

      • RegAsm.exe (PID: 4404)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6456)
    • Manual execution by a user

      • CrowdStrike.exe (PID: 5624)
      • Champion.exe.pif (PID: 7200)
      • Champion.pif (PID: 7036)
      • notepad.exe (PID: 7496)
      • WerFault.exe (PID: 6364)
    • Reads the computer name

      • CrowdStrike.exe (PID: 5624)
      • Champion.pif (PID: 6560)
      • CrowdStrike.exe (PID: 7500)
      • Champion.pif (PID: 5108)
      • RegAsm.exe (PID: 4404)
      • Champion.pif (PID: 7036)
    • Create files in a temporary directory

      • CrowdStrike.exe (PID: 5624)
      • CrowdStrike.exe (PID: 7500)
      • Champion.pif (PID: 5108)
      • RegAsm.exe (PID: 4404)
    • Checks supported languages

      • CrowdStrike.exe (PID: 5624)
      • Champion.pif (PID: 6560)
      • CrowdStrike.exe (PID: 7500)
      • Champion.pif (PID: 5108)
      • RegAsm.exe (PID: 4404)
      • Champion.pif (PID: 7036)
    • Process checks computer location settings

      • CrowdStrike.exe (PID: 5624)
      • CrowdStrike.exe (PID: 7500)
      • Champion.pif (PID: 6560)
    • Reads mouse settings

      • Champion.pif (PID: 6560)
      • Champion.pif (PID: 5108)
      • Champion.pif (PID: 7036)
    • Checks proxy server information

      • RegAsm.exe (PID: 4404)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 4404)
    • Reads Environment values

      • RegAsm.exe (PID: 4404)
    • Disables trace logs

      • RegAsm.exe (PID: 4404)
    • Reads the software policy settings

      • RegAsm.exe (PID: 4404)
    • Attempting to use instant messaging service

      • RegAsm.exe (PID: 4404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:07:20 11:11:18
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: update/
No data.
All screenshots are available in the full report
Total processes
212
Monitored processes
46
Malicious processes
7
Suspicious processes
1

Behavior graph

Processes in the graph, in order (entries marked "no specs" have no detailed specification in the report):
  • start
  • winrar.exe
  • slui.exe (no specs)
  • slui.exe (no specs)
  • crowdstrike.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • champion.pif (no specs)
  • timeout.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • crowdstrike.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • champion.pif
  • timeout.exe (no specs)
  • regasm.exe
  • rundll32.exe (no specs)
  • champion.pif
  • notepad.exe (no specs)
  • werfault.exe (no specs)
  • gamebar.exe
  • textinputhost.exe (no specs)
  • werfault.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • tiworker.exe (no specs)
  • searchapp.exe (no specs)
  • mobsync.exe (no specs)
  • rundll32.exe (no specs)
  • champion.exe.pif (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID 480 | CMD: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" | Path: C:\Windows\SysWOW64\findstr.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1112 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4404 -s 4248 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID 1300 | CMD: findstr /I "wrsa.exe opssvc.exe" | Path: C:\Windows\SysWOW64\findstr.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1964 | CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
PID 2068 | CMD: tasklist | Path: C:\Windows\SysWOW64\tasklist.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 2152 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7036 -s 3252 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: Champion.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID 2704 | CMD: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: CrowdStrike.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
9009
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 2708 | CMD: tasklist | Path: C:\Windows\SysWOW64\tasklist.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 2728 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3532 | CMD: cmd /c md 564784 | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
18 330
Read events
18 257
Write events
73
Delete events
0

Modification events

PID | Process | Key | Operation | Name | Value
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP |
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon |
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\update.zip
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
6456 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
5624 | CrowdStrike.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
5624 | CrowdStrike.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
Executable files
7
Suspicious files
1 058
Text files
182
Unknown types
99

Dropped files

PID | Process | Filename | Type
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Wave | binary
  MD5: E27F5F4215920D7C0DB01D3A07E32FAD
  SHA256: C5A836D0021A235D4FC30764DFD4A2ABB33B23CA25F4DCA4A9BA7A8423F7753E
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Consequences | pgc
  MD5: 19E98CBB75F1B8BD8EFDE5FE0ABD34B2
  SHA256: DF0CB092CD377DF6571BB86BB48E586E1A5012EDBE1C8A180DE8BE3FAE080356
6456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6456.46044\update\CrowdStrike.exe | executable
  MD5: 755C0350038DAEFB29B888B6F8739E81
  SHA256: 4491901EFF338AB52C85A77A3FBD3CE80FDA738046EE3B7DA7BE468DA5B331A3
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Halo | binary
  MD5: E859420711C0FAFFEDF33DA17A2EB4B1
  SHA256: 5010762DC34EB3679AFE29CDA9C2040309D8A784BEA758F64ED4977773C20465
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Lasting | binary
  MD5: 044E398EC410457FFD2F42DBC3EF5D70
  SHA256: 01F2D93D90F2F593356B9328A1225469D42186A5B664E3A05BC4E5236E9CD03F
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Moreover | binary
  MD5: F335E743D9A5D72A068210A9C9F605E3
  SHA256: E5DC3C6C185C46FB75C682327750A542D0A84F7C17CAA39469755EADEEF37BA7
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Recipes | binary
  MD5: D0808D4907E66F73A821AB6E7FC942C1
  SHA256: 221EEE5A84FDE75849816CDBB84F723E5C96A3E81922692DB21E7844B8537A04
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Often | abr
  MD5: 8C1308689913B76D47B2FEA6C94378C6
  SHA256: E0055A2B04595818CDC4B3C5EDB54539E5C3EDF69E134914E6BAD45AB56D0A04
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Handle | binary
  MD5: 4DD2539DAA375331505B81E8BAD6F6F3
  SHA256: 2FA5DFE0785E6E2EE3CF30277E09BDB46D2B7FC096D40D6AAF78EC27F5B6B68B
5624 | CrowdStrike.exe | C:\Users\admin\AppData\Local\Temp\Sept | mp3
  MD5: ED3292F153EC8B60B8F7FFB1CA9F0858
  SHA256: 1E8C217DF502D035EA3B1AC2212C20C9B9DA4DD6FF81D1C3C41A0AF00D8C0D5D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
51
DNS requests
24
Threats
8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4404 | RegAsm.exe | GET | 200 | 104.16.185.241:80 | http://icanhazip.com/ | unknown | | | shared
4404 | RegAsm.exe | GET | 200 | 104.16.185.241:80 | http://icanhazip.com/ | unknown | | | shared
| | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4032 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
5620 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
4716 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
7856 | svchost.exe | 4.208.221.206:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2760 | svchost.exe | 40.113.110.67:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3552 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4716 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5620 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.0
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.73
  • 40.126.31.67
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 92.122.215.60
  • 2.20.142.180
  • 92.122.215.65
  • 2.20.142.3
  • 92.122.215.53
  • 2.20.142.251
  • 2.20.142.154
  • 92.122.215.57
  • 2.23.209.182
  • 2.23.209.140
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.179
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT
unknown

Threats

PID | Process | Class | Message
4404 | RegAsm.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2168 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
4404 | RegAsm.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2168 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
4404 | RegAsm.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4404 | RegAsm.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
4404 | RegAsm.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
4404 | RegAsm.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info