File name:

проверка сотрудников от инспектора ИФНС Михайловой А.А. - Copy.rar

Full analysis: https://app.any.run/tasks/d0aaacaf-a8af-4b1a-91e6-e4ac50b2d85b
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 04:18:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
everything
tool
mimic
ransomware
auto
generic
themida
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

6446F892F97CB135B5F5EEAED7153E1E

SHA1:

4466167EC339E731B483CEA95C0DF9BCCF012C1A

SHA256:

A29F767A75C38464F71D0A4D3B6472FD3C72AEF4D5728464A98818433F6C0E9F

SSDEEP:

98304:CGG/cu+u4W9yBQM9vpaB1CFPu2UVCk4dzC2+ig4kwQ63ahcyKB4pmoTAcDxBPQo8:HlFkZzx8F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • 7za.exe (PID: 3240)
      • enc-build.exe (PID: 6512)

    • Changes the autorun value in the registry

      • enc-build.exe (PID: 6512)

    • MIMIC mutex has been found

      • browser.exe (PID: 3300)
      • browser.exe (PID: 2268)
      • browser.exe (PID: 660)

    • Disables the Shutdown in the Start menu

      • browser.exe (PID: 3300)

    • Changes image file execution options

      • browser.exe (PID: 3300)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4060)
      • powershell.exe (PID: 4940)
      • powershell.exe (PID: 4796)

    • Changes powershell execution policy (Bypass)

      • browser.exe (PID: 3300)

    • MIMIC has been detected (YARA)

      • browser.exe (PID: 3300)
      • browser.exe (PID: 2772)

    • Using BCDEDIT.EXE to modify recovery options

      • browser.exe (PID: 3300)

    • Deletes shadow copies

      • browser.exe (PID: 3300)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6876)
      • Заявка на рассчет.exe (PID: 4008)

    • Executing commands from ".cmd" file

      • Заявка на рассчет.exe (PID: 4008)

    • Starts CMD.EXE for commands execution

      • Заявка на рассчет.exe (PID: 4008)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 672)
      • browser.exe (PID: 3300)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 664)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 664)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 664)
      • browser.exe (PID: 3300)

    • Manipulates environment variables

      • powershell.exe (PID: 2560)

    • Executes script without checking the security policy

      • powershell.exe (PID: 2560)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2560)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 2560)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2560)
      • 7za.exe (PID: 1812)
      • enc-build.exe (PID: 6512)
      • 7za.exe (PID: 3240)

    • There is functionality for taking screenshot (YARA)

      • Заявка на рассчет.exe (PID: 4008)

    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 2560)
      • enc-build.exe (PID: 6512)

    • The process verifies whether the antivirus software is installed

      • cmd.exe (PID: 664)
      • cmd.exe (PID: 7036)
      • 7za.exe (PID: 1812)
      • wsc_proxy.exe (PID: 1324)
      • find.exe (PID: 1164)
      • WerFault.exe (PID: 6828)
      • powrprof.exe (PID: 1020)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 2560)

    • The executable file from the user directory is run by the CMD process

      • 7za.exe (PID: 1812)
      • 7za.exe (PID: 3240)
      • enc-build.exe (PID: 6512)

    • Application launched itself

      • cmd.exe (PID: 664)
      • browser.exe (PID: 3300)
      • cmd.exe (PID: 672)

    • Executes as Windows Service

      • wsc_proxy.exe (PID: 1324)
      • wbengine.exe (PID: 6960)
      • vds.exe (PID: 2980)
      • wsc_proxy.exe (PID: 4452)

    • Executes application which crashes

      • wsc_proxy.exe (PID: 1324)
      • wsc_proxy.exe (PID: 4452)

    • Reads the BIOS version

      • enc-build.exe (PID: 6512)
      • browser.exe (PID: 3300)
      • browser.exe (PID: 2772)
      • browser.exe (PID: 660)
      • browser.exe (PID: 2268)

    • Starts itself from another location

      • enc-build.exe (PID: 6512)

    • Creates file in the systems drive root

      • browser.exe (PID: 3300)

    • Creates or modifies Windows services

      • browser.exe (PID: 3300)

    • Uses powercfg.exe to modify the power settings

      • browser.exe (PID: 3300)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 664)

    • Start notepad (likely ransomware note)

      • browser.exe (PID: 3300)

    • Uses WEVTUTIL.EXE to cleanup log

      • browser.exe (PID: 3300)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6876)

    • Checks supported languages

      • Заявка на рассчет.exe (PID: 4008)
      • powrprof.exe (PID: 1020)
      • 7za.exe (PID: 3240)
      • wsc_proxy.exe (PID: 1324)
      • enc-build.exe (PID: 6512)
      • browser.exe (PID: 3300)
      • browser.exe (PID: 660)
      • browser.exe (PID: 2772)
      • browser.exe (PID: 2268)
      • Everything.exe (PID: 4120)
      • 7za.exe (PID: 1812)

    • Process checks computer location settings

      • Заявка на рассчет.exe (PID: 4008)

    • Create files in a temporary directory

      • Заявка на рассчет.exe (PID: 4008)
      • powershell.exe (PID: 2560)
      • 7za.exe (PID: 3240)

    • Reads the computer name

      • Заявка на рассчет.exe (PID: 4008)
      • 7za.exe (PID: 1812)
      • powrprof.exe (PID: 1020)
      • wsc_proxy.exe (PID: 1324)
      • 7za.exe (PID: 3240)
      • enc-build.exe (PID: 6512)
      • browser.exe (PID: 3300)
      • Everything.exe (PID: 4120)
      • browser.exe (PID: 660)
      • browser.exe (PID: 2268)
      • browser.exe (PID: 2772)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2560)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2560)

    • Reads the software policy settings

      • powershell.exe (PID: 2560)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 4796)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2560)

    • The sample compiled with english language support

      • powershell.exe (PID: 2560)
      • 7za.exe (PID: 1812)
      • 7za.exe (PID: 3240)
      • enc-build.exe (PID: 6512)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 4060)
      • powershell.exe (PID: 4940)

    • Creates files in the program directory

      • 7za.exe (PID: 1812)
      • powrprof.exe (PID: 1020)
      • wsc_proxy.exe (PID: 1324)

    • Reads the machine GUID from the registry

      • wsc_proxy.exe (PID: 1324)

    • Reads CPU info

      • wsc_proxy.exe (PID: 1324)

    • Process checks whether UAC notifications are on

      • enc-build.exe (PID: 6512)
      • browser.exe (PID: 3300)
      • browser.exe (PID: 2268)
      • browser.exe (PID: 660)
      • browser.exe (PID: 2772)

    • Creates files or folders in the user directory

      • enc-build.exe (PID: 6512)
      • browser.exe (PID: 3300)

    • EVERYTHING mutex has been found

      • Everything.exe (PID: 4120)

    • Themida protector has been detected

      • browser.exe (PID: 2772)
      • browser.exe (PID: 3300)

    • Manual execution by a user

      • WINWORD.EXE (PID: 5708)
      • notepad.exe (PID: 6512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
248
Monitored processes
99
Malicious processes
14
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe заявка на рассчет.exe no specs заявка на рассчет.exe cmd.exe no specs conhost.exe no specs powershell.exe reg.exe no specs 7za.exe cmd.exe no specs powrprof.exe no specs find.exe no specs wsc_proxy.exe werfault.exe no specs #GENERIC 7za.exe #GENERIC enc-build.exe #MIMIC browser.exe everything.exe no specs #MIMIC browser.exe no specs #MIMIC browser.exe no specs #MIMIC browser.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs timeout.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs bcdedit.exe no specs bcdedit.exe no specs conhost.exe no specs conhost.exe no specs wbadmin.exe no specs wbadmin.exe no specs conhost.exe no specs conhost.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs slui.exe notepad.exe no specs wevtutil.exe no specs wevtutil.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs cmd.exe no specs powrprof.exe no specs wsc_proxy.exe werfault.exe no specs systray.exe no specs winword.exe ai.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660"C:\Users\admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\browser.exe" -e ul1C:\Users\admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\browser.exe
browser.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\d18ee4fe-214c-ff0e-6542-d9dfd58dee88\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
664C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\setup.cmd" "C:\Windows\SysWOW64\cmd.exeЗаявка на рассчет.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
672cmd.exe /d /c "ping 127.2 -n 10 & cd/ & echo(|"C:\Program Files\Avast Software\Avast\powrprof.exe" --disable & rd /q /s "C:\Program Files\Avast Software""C:\Windows\SysWOW64\cmd.exebrowser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
684powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0C:\Windows\System32\powercfg.exebrowser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
724powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61C:\Windows\System32\powercfg.exebrowser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
872powercfg.exe -H offC:\Windows\System32\powercfg.exebrowser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
924\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exebcdedit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1020powrprofC:\Program Files\Avast Software\Avast\powrprof.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\avast software\avast\powrprof.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
38 372
Read events
37 920
Write events
403
Delete events
49

Modification events

(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\проверка сотрудников от инспектора ИФНС Михайловой А.А. - Copy.rar
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6876) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1324) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast\Wsc
Operation:writeName:IWscASStatus
Value:
Avast Antivirus
Executable files
15
Suspicious files
284
Text files
99
Unknown types
0

Dropped files

PID
Process
Filename
Type
4008Заявка на рассчет.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\data.binbinary
MD5:7A2957F822D1BA7A1E79C9FAC26D2EF3
SHA256:9BFEEBBDC00D577431042AF8DF81FBE7C25331CB78C90031C19EAA55E34CB4DD
2560powershell.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7za.exeexecutable
MD5:A0F4AA8668A7372E12C56BB88F5DF1E4
SHA256:915BD96E4019E0FE6ACA4D350225615820964EFDAEA1862DCE5D731FE872465A
2560powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:67359CF0F06AE7FAF280681A87F627C0
SHA256:9C95494887C2E2F482837A1D214D820DEB04F130F9B4B71AD66482A22586E39E
4008Заявка на рассчет.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\setup.cmdtext
MD5:425A42CEC8281D5B497772C6BD8C98E3
SHA256:CC385D802CAD9774A457E44E087DBB17CA82CFAE21A1297AE9C2292120C8E9E9
6828WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wsc_proxy.exe_8f2abd6f60f384cf977b16326994fd952572ba6_34f0dcf9_30e7f94f-3c4f-48c0-9852-5acd17f9a33d\Report.wer
MD5:
SHA256:
6876WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb6876.46937\Заявка на рассчет.exeexecutable
MD5:6B6334F5ECA53435D4BC9274A5B3AE85
SHA256:4FCD3363ACEFFC3F95362DF1394AC59E0307470969BDD29085715BAD8665973E
18127za.exeC:\Program Files\Avast Software\Avast\wsc_proxy.exeexecutable
MD5:06807D8D7282959CE062F92A708D382F
SHA256:BD4635D582413F84AC83ADBB4B449B18BAC4FC87CA000D0C7BE84AD0F9CAF68E
2560powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_niygeq1q.0xg.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2560powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_00aqz1av.vgx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1324wsc_proxy.exeC:\ProgramData\Avast Software\Avast\log\wsc.logtext
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
33
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.22.98.7:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5708
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2420
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2420
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5708
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.22.98.7:80
ocsp.digicert.com
AKAMAI-AS
GB
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2420
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.67
  • 40.126.31.69
  • 40.126.31.2
  • 20.190.159.23
  • 40.126.31.3
  • 40.126.31.71
  • 40.126.31.130
  • 20.190.159.129
  • 40.126.31.128
  • 20.190.159.131
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.128
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 2.22.98.7
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
Process
Message
wsc_proxy.exe
[2025-05-16 04:19:37.229] [error ] [crashguard ] [ 1324: 5064] [E9669F: 103] Dump path 'C:\ProgramData\Avast Software\Avast\log' does not exist. Directory should be already created.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
проверка сотрудников от инспектора ИФНС Михайловой А.А. - Copy.rar