URL:

https://game3rb.com/aooni/

Full analysis: https://app.any.run/tasks/ea0291b1-e593-4e50-a40b-ed62144b8567
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: January 02, 2025, 19:22:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
discord
autoit
stealer
autoit-loader
lumma
Indicators:
MD5:

CA8E1952DE4B8DB74937D36E4F1EBDBC

SHA1:

4E15942AEAF429834AFE2EB51B95C6BF8C8EC2CB

SHA256:

A9BA7F79761DE328401BF60919B703A3279A968E02C1F3C9E4AEC3558E7593D1

SSDEEP:

3:N8lIyGEtLn:2mEtL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • chrome.exe (PID: 6408)
    • Executing a file with an untrusted certificate

      • Set-up.exe (PID: 6736)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 5936)
      • Set-up.exe (PID: 4724)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 3364)
    • AutoIt loader has been detected (YARA)

      • Intel.com (PID: 1224)
    • Steals credentials from Web Browsers

      • Intel.com (PID: 1224)
    • Actions looks like stealing of personal data

      • Intel.com (PID: 1224)
    • LUMMA mutex has been found

      • Intel.com (PID: 1224)
    • Changes powershell execution policy (Bypass)

      • Intel.com (PID: 1224)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3912)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 2712)
      • tasklist.exe (PID: 5980)
      • find.exe (PID: 6268)
      • find.exe (PID: 4392)
      • cmd.exe (PID: 7036)
      • cmd.exe (PID: 2744)
      • cmd.exe (PID: 6948)
      • tasklist.exe (PID: 5992)
      • tasklist.exe (PID: 2392)
      • tasklist.exe (PID: 876)
      • cmd.exe (PID: 1228)
      • find.exe (PID: 5304)
      • find.exe (PID: 1668)
      • tasklist.exe (PID: 5004)
      • find.exe (PID: 68)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 1144)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1144)
    • Executing commands from ".cmd" file

      • Set-up.exe (PID: 6736)
      • Set-up.exe (PID: 4724)
    • Starts CMD.EXE for commands execution

      • Set-up.exe (PID: 6736)
      • cmd.exe (PID: 4540)
      • Set-up.exe (PID: 4724)
      • cmd.exe (PID: 3864)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 3864)
    • Get information on the list of running processes

      • cmd.exe (PID: 4540)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 1920)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 7036)
      • cmd.exe (PID: 2744)
      • cmd.exe (PID: 6948)
    • Reads security settings of Internet Explorer

      • Set-up.exe (PID: 6736)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 3864)
    • The executable file from the user directory is run by the CMD process

      • Intel.com (PID: 1224)
      • Intel.com (PID: 6724)
    • Possibly malicious use of IEX has been detected

      • Intel.com (PID: 1224)
    • Manipulates environment variables

      • powershell.exe (PID: 3912)
    • Found IP address in command line

      • powershell.exe (PID: 3912)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 3864)
    • Application launched itself

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 3864)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 3912)
    • Executable content was dropped or overwritten

      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 5936)
      • Intel.com (PID: 1224)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 3364)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3912)
    • Reads the Windows owner or organization settings

      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
    • Starts POWERSHELL.EXE for commands execution

      • Intel.com (PID: 1224)
    • Uses TIMEOUT.EXE to delay execution

      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 4020)
      • notepad++.exe (PID: 2380)
      • WinRAR.exe (PID: 1144)
      • notepad.exe (PID: 712)
      • notepad.exe (PID: 4228)
      • Set-up.exe (PID: 6736)
      • Taskmgr.exe (PID: 2456)
      • Taskmgr.exe (PID: 1348)
      • Set-up.exe (PID: 4724)
    • Sends debugging messages

      • notepad++.exe (PID: 2380)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 4020)
      • chrome.exe (PID: 2212)
      • WinRAR.exe (PID: 1144)
      • Set-up.exe (PID: 4724)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 1144)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1144)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 712)
      • powershell.exe (PID: 3912)
    • Creates a new folder

      • cmd.exe (PID: 624)
      • cmd.exe (PID: 6736)
    • Creates files or folders in the user directory

      • extrac32.exe (PID: 5872)
      • Set-up.exe (PID: 6736)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
      • Set-up.exe (PID: 4724)
      • extrac32.exe (PID: 2776)
    • Application launched itself

      • chrome.exe (PID: 4128)
    • Checks supported languages

      • extrac32.exe (PID: 5872)
      • Intel.com (PID: 1224)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 5936)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 3364)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
      • Set-up.exe (PID: 4724)
      • extrac32.exe (PID: 2776)
    • Reads the software policy settings

      • Intel.com (PID: 1224)
      • powershell.exe (PID: 3912)
    • Create files in a temporary directory

      • powershell.exe (PID: 3912)
      • Intel.com (PID: 1224)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 5936)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • 0E0D8GQX7X5WQ5FLZ3.exe (PID: 3364)
    • Reads the computer name

      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • Intel.com (PID: 6724)
      • extrac32.exe (PID: 2776)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3912)
    • Process checks computer location settings

      • Set-up.exe (PID: 4724)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 6680)
      • 0E0D8GQX7X5WQ5FLZ3.tmp (PID: 3532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
237
Monitored processes
104
Malicious processes
11
Suspicious processes
4

Behavior graph

start chrome.exe chrome.exe no specs chrome.exe no specs #PHISHING chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs rundll32.exe no specs notepad++.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe no specs chrome.exe no specs winrar.exe notepad.exe no specs notepad.exe no specs chrome.exe no specs chrome.exe no specs set-up.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA intel.com choice.exe no specs chrome.exe no specs taskmgr.exe no specs taskmgr.exe powershell.exe no specs conhost.exe no specs 0e0d8gqx7x5wq5flz3.exe 0e0d8gqx7x5wq5flz3.tmp 0e0d8gqx7x5wq5flz3.exe 0e0d8gqx7x5wq5flz3.tmp set-up.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs intel.com no specs choice.exe no specs timeout.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs brightlib.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 68
CMD: find /I "sophoshealth.exe"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 432
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6532 --field-trial-handle=1932,i,5127470520626221837,2837375941829141030,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 448
CMD: cmd /c copy /b ..\Transfer + ..\Matthew + ..\Cases + ..\Puzzle + ..\Perceived + ..\Discs O
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 624
CMD: cmd /c md 797812
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 624
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 640
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoABAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=5348 --field-trial-handle=1932,i,5127470520626221837,2837375941829141030,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 712
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Downloads\@#Pa$w0rD__9098--PC_Set-Uᴘ#\@#Pa$w0rD__9098--PC_Set-Uᴘ#\Resources\Data\Config\github.com_dmitshur-test_modtest5_v0.5.0-alpha.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 876
CMD: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 936
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4968 --field-trial-handle=1932,i,5127470520626221837,2837375941829141030,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1144
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\@#Pa$w0rD__9098--PC_Set-Uᴘ#\@#Pa$w0rD__9098--PC_Set-Uᴘ#.7z" "?\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
23 621
Read events
23 520
Write events
51
Delete events
50

Modification events

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (4128) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: en-US
Value:

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: en
Value:

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: _Global_
Value:

(PID) Process: (2212) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000169DCBEE4B5DDB01

(PID) Process: (4128) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
Operation: write
Name: C1I
Value: 1
Executable files
23
Suspicious files
439
Text files
103
Unknown types
10

Dropped files

PID
Process
Filename
Type
PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF135dd3.TMP
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF135dd3.TMP
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF135de2.TMP
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF135df2.TMP
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF135df2.TMP
MD5:
SHA256:

PID: 4128
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF135df2.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
178
DNS requests
326
Threats
55

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2632
svchost.exe
GET
200
2.18.244.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.18.244.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4160
RUXIMICS.exe
GET
200
2.18.244.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
173.223.117.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4160
RUXIMICS.exe
GET
200
173.223.117.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2092
svchost.exe
HEAD
200
142.251.36.14:80
http://dl.google.com/release2/chrome_component/ads7ltfl2gw6hxwgakn3sxrkoijq_9.53.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.53.0_all_iky7dhj3jd5su3axccoshyd4xm.crx3
unknown
whitelisted
2092
svchost.exe
HEAD
403
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ads7ltfl2gw6hxwgakn3sxrkoijq_9.53.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.53.0_all_iky7dhj3jd5su3axccoshyd4xm.crx3
unknown
whitelisted
2092
svchost.exe
GET
206
142.251.36.14:80
http://dl.google.com/release2/chrome_component/ads7ltfl2gw6hxwgakn3sxrkoijq_9.53.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.53.0_all_iky7dhj3jd5su3axccoshyd4xm.crx3
unknown
whitelisted
2092
svchost.exe
GET
206
142.251.36.14:80
http://dl.google.com/release2/chrome_component/ads7ltfl2gw6hxwgakn3sxrkoijq_9.53.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.53.0_all_iky7dhj3jd5su3axccoshyd4xm.crx3
unknown
whitelisted
2092
svchost.exe
GET
206
142.251.36.14:80
http://dl.google.com/release2/chrome_component/ads7ltfl2gw6hxwgakn3sxrkoijq_9.53.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.53.0_all_iky7dhj3jd5su3axccoshyd4xm.crx3
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
2632
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4160
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.18.244.211:80
crl.microsoft.com
Akamai International B.V.
FR
whitelisted
2632
svchost.exe
2.18.244.211:80
crl.microsoft.com
Akamai International B.V.
FR
whitelisted
4160
RUXIMICS.exe
2.18.244.211:80
crl.microsoft.com
Akamai International B.V.
FR
whitelisted
4712
MoUsoCoreWorker.exe
173.223.117.131:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4160
RUXIMICS.exe
173.223.117.131:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.251.39.110
whitelisted
crl.microsoft.com
  • 2.18.244.211
unknown
www.microsoft.com
  • 173.223.117.131
whitelisted
game3rb.com
  • 188.114.97.0
whitelisted
accounts.google.com
  • 142.250.102.84
whitelisted
a.nel.cloudflare.com
  • 35.190.80.1
whitelisted
challenges.cloudflare.com
  • 104.18.94.41
whitelisted
www.google.com
  • 142.251.36.36
whitelisted
fonts.googleapis.com
  • 142.251.36.10
whitelisted

Threats

PID
Process
Class
Message
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)
6408
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: error while getting certificate informations