URL: https://tmpfiles.org/25594117/260222-vmhgmsaz5a_pw_infected.zip

Full analysis: https://app.any.run/tasks/344cbdaf-b5f6-40d6-99d4-482eac360699
Verdict: Malicious activity
Threats: Stealer

Stealers are malware built to harvest data from the victim's machine (files, saved passwords, cryptocurrency wallets) and send it to the attacker; many also log keystrokes and take screenshots. Their main delivery vector is phishing.

Analysis date: February 22, 2026, 17:18:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: fingerprinting, python, stealer, nuitka, telegram, pyinstaller, httpdebugger, tool, ip-check, rust, ims-api, generic
Indicators:
MD5:    1757534F9FA1945E5B9B3C3B3A225098
SHA1:   40F2C5E004E25A58B2C38562F59401143B51A03C
SHA256: D071BDDF5CEBC43271DD1A54BBE530C3980757F9EEB43AC7F921916F7EFB0ADE
SSDEEP: 3:N8ApQJZXZ39D08PVn:2ApQJK8PV
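As an added example that is not part of the ANY.RUN report, the Python below checks an archive against the indicators above without writing its contents to disk: the zip is opened in memory, every member is streamed through MD5, SHA-1 and SHA-256 in one pass, and the digests are compared with the IOC set. The demo archive inside the block is constructed (an empty file and a short text file), and the password `infected` is an assumption taken from the `pw_infected` naming convention; Python's zipfile only decrypts legacy ZipCrypto, so AES-protected members are recorded as errors instead of hashed, and ssdeep is omitted because it needs the external ssdeep library.

```python
import hashlib
import io
import zipfile

# Indicators copied from the report, normalised to lowercase hex.
IOCS = {
    "md5": {"1757534f9fa1945e5b9b3c3b3a225098"},
    "sha1": {"40f2c5e004e25a58b2c38562f59401143b51a03c"},
    "sha256": {"d071bddf5cebc43271dd1a54bbe530c3980757f9eeb43ac7f921916f7efb0ade"},
}
ALGS = ("md5", "sha1", "sha256")


def hash_stream(fh, chunk: int = 1 << 16) -> dict[str, str]:
    """Stream a file-like object through all three digests in a single pass."""
    hashers = {alg: hashlib.new(alg) for alg in ALGS}
    while True:
        block = fh.read(chunk)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data: bytes) -> dict[str, str]:
    return hash_stream(io.BytesIO(data))


def match_iocs(hashes: dict[str, str], iocs=IOCS) -> list[str]:
    """Return the algorithms whose digest equals a known indicator."""
    return sorted(alg for alg, d in hashes.items() if d.lower() in iocs.get(alg, ()))


def hash_zip_members(zip_bytes: bytes, pwd: bytes = b"infected") -> dict[str, dict]:
    """Hash every file in an archive in memory; nothing is extracted to disk.

    pwd is only consulted for encrypted entries. zipfile supports legacy ZipCrypto
    only; AES (WinZip/7-Zip) entries fail as a bad password or an unsupported
    method, and both failures are recorded instead of aborting the run.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info, pwd=pwd) as fh:
                    hashes = hash_stream(fh)
                results[info.filename] = {"hashes": hashes, "ioc_hits": match_iocs(hashes)}
            except NotImplementedError:
                results[info.filename] = {"error": "unsupported compression/encryption (AES?)"}
            except RuntimeError as exc:  # "Bad password for file ..."
                results[info.filename] = {"error": str(exc)}
    return results


def build_sample_zip() -> bytes:
    """Constructed demo archive (unencrypted: zipfile cannot write encrypted zips)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("empty.bin", b"")
        zf.writestr("readme.txt", b"constructed demo member, not the sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, res in hash_zip_members(build_sample_zip()).items():
        print(name, res)
```

Hashing members in memory matters for a stealer sample: the moment a member touches disk, a real-time scanner may quarantine it and a stray double-click runs it.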

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes Windows Defender settings

      • 798.exe (PID: 2940)
    • Adds path to the Windows Defender exclusion list

      • 798.exe (PID: 2940)
    • Actions looks like stealing of personal data

      • AvastBrowserInstaller.exe (PID: 8188)
    • Uses Task Scheduler to autorun other applications

      • 798.exe (PID: 2940)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • explorer.exe (PID: 4696)
    • Script adds exclusion path to Windows Defender

      • 798.exe (PID: 2940)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 7788)
    • Process drops python dynamic module

      • 798.exe (PID: 5812)
      • SysSettingSvc.exe (PID: 6816)
      • InformerUpdate.exe (PID: 8140)
      • 798.exe (PID: 4352)
    • Application launched itself

      • 798.exe (PID: 5812)
      • InformerUpdate.exe (PID: 8140)
      • SysSettingSvc.exe (PID: 6816)
      • 798.exe (PID: 4352)
    • Loads Python modules

      • 798.exe (PID: 2940)
      • InformerUpdate.exe (PID: 5384)
      • SysSettingSvc.exe (PID: 7788)
      • 798.exe (PID: 2428)
    • Starts POWERSHELL.EXE for commands execution

      • 798.exe (PID: 2940)
    • Creates scheduled task with highest privileges

      • schtasks.exe (PID: 3152)
    • The process verifies whether the antivirus software is installed

      • AvastBrowserInstaller.exe (PID: 8188)
    • NUITKA compiler has been detected

      • SysSettingSvc.exe (PID: 6816)
    • There is functionality for capture public ip (YARA)

      • SysSettingSvc.exe (PID: 7788)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • SysSettingSvc.exe (PID: 7788)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4712)
    • Using the short paths format

      • SysSettingSvc.exe (PID: 7788)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4696)
      • AvastBrowserInstaller.exe (PID: 8188)
      • msiexec.exe (PID: 4396)
    • Drops script file

      • chrome.exe (PID: 3996)
      • powershell.exe (PID: 3084)
      • 798.exe (PID: 2940)
      • AvastBrowserInstaller.exe (PID: 8188)
      • SysSettingSvc.exe (PID: 7788)
      • 798.exe (PID: 2428)
    • Manual execution by a user

      • WinRAR.exe (PID: 7464)
    • Launching a file from the Downloads directory

      • chrome.exe (PID: 3996)
    • Application launched itself

      • chrome.exe (PID: 3996)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4696)
    • Checks proxy server information

      • explorer.exe (PID: 4696)
      • AvastBrowserInstaller.exe (PID: 8188)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4696)
      • 798.exe (PID: 2940)
      • InformerUpdate.exe (PID: 5384)
    • Create files in a temporary directory

      • 798.exe (PID: 5812)
      • avast_secure_browser_setup.exe (PID: 6068)
      • 798.exe (PID: 2940)
      • AvastBrowserInstaller.exe (PID: 8188)
      • InformerUpdate.exe (PID: 8140)
      • SysSettingSvc.exe (PID: 6816)
      • 798.exe (PID: 4352)
      • 798.exe (PID: 2428)
    • Reads the computer name

      • 798.exe (PID: 5812)
      • 798.exe (PID: 2940)
      • InformerUpdate.exe (PID: 8140)
      • AvastBrowserInstaller.exe (PID: 8188)
      • InformerUpdate.exe (PID: 5384)
      • SysSettingSvc.exe (PID: 7788)
      • 798.exe (PID: 2428)
      • 798.exe (PID: 4352)
      • msiexec.exe (PID: 3612)
      • msiexec.exe (PID: 7208)
    • Checks supported languages

      • 798.exe (PID: 5812)
      • avast_secure_browser_setup.exe (PID: 6068)
      • 798.exe (PID: 2940)
      • AvastBrowserInstaller.exe (PID: 8188)
      • InformerUpdate.exe (PID: 5384)
      • SysSettingSvc.exe (PID: 6816)
      • SysSettingSvc.exe (PID: 7788)
      • InformerUpdate.exe (PID: 8140)
      • 798.exe (PID: 4352)
      • 798.exe (PID: 2428)
      • msiexec.exe (PID: 3612)
      • msiexec.exe (PID: 7208)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3084)
    • Reads the machine GUID from the registry

      • 798.exe (PID: 2940)
      • AvastBrowserInstaller.exe (PID: 8188)
      • 798.exe (PID: 2428)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3084)
    • PyInstaller has been detected (YARA)

      • 798.exe (PID: 5812)
      • 798.exe (PID: 2940)
    • There is functionality for taking screenshot (YARA)

      • 798.exe (PID: 5812)
      • 798.exe (PID: 2940)
      • SysSettingSvc.exe (PID: 7788)
    • Process checks computer location settings

      • AvastBrowserInstaller.exe (PID: 8188)
    • Process checks whether UAC notifications are on

      • AvastBrowserInstaller.exe (PID: 8188)
    • Application based on Rust

      • SysSettingSvc.exe (PID: 7788)
    • HTTPDEBUGGER has been detected

      • msiexec.exe (PID: 4396)
    • Manages system restore points

      • SrTasks.exe (PID: 4352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
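The MALICIOUS and SUSPICIOUS signatures above describe a familiar chain: a PyInstaller-packed 798.exe launches itself, spawns PowerShell to add a Windows Defender exclusion (typically via Add-MpPreference, which needs an elevated session; the conhost.exe under that PowerShell, PID 1724, runs at HIGH integrity), and registers a scheduled task with the highest run level through schtasks.exe. As an added example that is not from the report and uses none of the sample's real command lines (the report does not print them), the Python below runs those three checks over process-creation events in the shape of Sysmon event 1, decoding -EncodedCommand payloads first so a base64-wrapped Set-MpPreference is not missed. The events, names, PIDs and paths in the block are constructed and hypothetical.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record in the shape of Sysmon event 1 / Security 4688."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common
# spellings (-e, -ec, -en, -enc, -encodedcommand). -ep/-ex do not match.
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I | re.S)
_DISABLE_RE = re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+(?:\$true|1)\b", re.I | re.S)
_TASK_HIGHEST_RE = re.compile(r"/rl\s+highest", re.I)
# User-writable locations a PyInstaller/Nuitka onefile dropper typically runs from.
_USER_PATH_RE = re.compile(r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|ProgramData|Windows\\Temp)\\", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded text of any -EncodedCommand blob (base64 of UTF-16LE)."""
    out = cmdline
    for blob in _ENC_RE.findall(cmdline):
        try:
            out += " " + base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not a real encoded command; keep scanning the raw text
    return out


def scan_event(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    hits = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name in ("powershell.exe", "pwsh.exe"):
        text = decode_encoded_command(ev.cmdline)
        if _EXCLUSION_RE.search(text):
            hits.append("defender-exclusion")
        if _DISABLE_RE.search(text):
            hits.append("defender-disable")
    elif name == "schtasks.exe":
        if "/create" in ev.cmdline.lower() and _TASK_HIGHEST_RE.search(ev.cmdline):
            hits.append("schtasks-highest")
    parent = by_pid.get(ev.ppid)
    # "Application launched itself" from a user-writable path: the onefile
    # bootloader re-executing its own image after unpacking to %TEMP%.
    if parent and parent.image.lower() == ev.image.lower() and _USER_PATH_RE.search(ev.image):
        hits.append("self-launch-from-user-path")
    return hits


def run(events: list[ProcEvent]) -> dict[int, list[str]]:
    by_pid = {e.pid: e for e in events}
    return {e.pid: hits for e in events if (hits := scan_event(e, by_pid))}


# Constructed events: names, PIDs and command lines are hypothetical and only
# exercise the behaviours the report names; the real ones are not in the report.
ENC_PAYLOAD = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(1001, 1000, r"C:\Users\u\Downloads\sample.exe", r'"C:\Users\u\Downloads\sample.exe"'),
    ProcEvent(1002, 1001, r"C:\Users\u\Downloads\sample.exe", r'"C:\Users\u\Downloads\sample.exe"'),
    ProcEvent(1003, 1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp"),
    ProcEvent(1004, 1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -enc " + ENC_PAYLOAD),
    ProcEvent(1005, 1002, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn UpdateCheck /tr C:\Users\u\AppData\Roaming\svc.exe /sc onlogon /rl highest /f"),
    ProcEvent(1006, 1002, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query /fo LIST /v"),
    ProcEvent(1007, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, hits in run(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The benign `schtasks /query` (the report's "Lists all scheduled tasks") and the first, WinRAR-spawned launch produce no finding; only the self-relaunch, the two Defender changes and the highest-privilege task creation do.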

ims-api

Process: SysSettingSvc.exe (PID 7788)
Telegram tokens (1): 8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8

Telegram info links for token 8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8:
  Get info about bot:     https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/getMe
  Get incoming updates:   https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/getUpdates
  Get webhook:            https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/getWebhookInfo
  Delete webhook:         https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/deleteWebhook
  Drop incoming updates:  https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/deleteWebhook?drop_pending_updates=true

Telegram requests observed:
  Token: 8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8
  Endpoint: getUpdates
  Args: (none)

Malware configuration: no data.
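The ims-api block shows SysSettingSvc.exe (PID 7788) carrying a Telegram bot token and calling the getUpdates endpoint, and it lists the Bot API URLs that token unlocks. As an added example (not from the report and not the sample's code), the Python below pulls bot tokens out of a strings or memory dump, keys them by the numeric bot id so the same bot can be correlated across samples even after the secret rotates, and builds the same URLs while keeping the state-changing endpoints (getUpdates, deleteWebhook) behind an explicit opt-in: calling them consumes the operator's update queue or drops their webhook, which both alters evidence and tells the operator someone else holds the token. The strings dump in the block is constructed; only the first token is the one the report extracted.

```python
import re

# Bot token = "<numeric bot id>:<35-char secret>". The id is the bot's Telegram
# user id, a stable pivot even when the operator rotates the secret.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Endpoints the report lists under Telegram-Info-Links, flagged by side effect:
# True = changes bot state the operator can notice (queue drained, webhook gone).
ENDPOINTS = {
    "getMe": False,
    "getWebhookInfo": False,
    "getUpdates": True,
    "deleteWebhook": True,
}


def extract_tokens(blob: str) -> list[str]:
    """Unique bot tokens in first-seen order from strings/memory output."""
    seen, out = set(), []
    for bot_id_str, secret in TOKEN_RE.findall(blob):
        tok = f"{bot_id_str}:{secret}"
        if tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def bot_id(token: str) -> int:
    return int(token.split(":", 1)[0])


def api_urls(token: str, include_writes: bool = False) -> dict[str, str]:
    """Bot API URLs for a token; state-changing endpoints only on explicit request."""
    return {ep: f"https://api.telegram.org/bot{token}/{ep}"
            for ep, writes in ENDPOINTS.items() if include_writes or not writes}


# Constructed strings dump: the first token is the one the report extracted from
# SysSettingSvc.exe; the second is a dummy (35 x "A") to show de-duplication/order.
SAMPLE_STRINGS = "\n".join([
    "https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/getUpdates",
    "https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/getWebhookInfo",
    "chat_id=1234:abc",                    # not a token: id too short, no 35-char secret
    "token=1234567890:" + "A" * 35,        # dummy second bot
    "https://api.telegram.org/bot8191610254:AAHWltpaKwa4jYTTZwlFG7jw4qRcW-fmOK8/getMe",
])

if __name__ == "__main__":
    for tok in extract_tokens(SAMPLE_STRINGS):
        print(bot_id(tok), api_urls(tok))
```

getMe is read-only and is enough to recover the bot's username for pivoting; leave the rest alone unless you have a mandate to touch the operator's infrastructure.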
All screenshots are available in the full report
Total processes: 218
Monitored processes: 71
Malicious processes: 8
Suspicious processes: 1

Behavior graph: interactive graph, available in the full report

Process information

Each entry gives the PID, the parent process, the command line, the image path and the process metadata, followed by the loaded modules the report lists.
PID 204  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4296,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=4304 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: LOW | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID 1180  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2252,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2272 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 1268  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6780,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5724 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: LOW | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID 1652  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5696,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6056 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 1656  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=7132,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=7028 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: LOW | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID 1724  conhost.exe  (parent: powershell.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2216  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6740,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6624 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 2312  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6828,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6728 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 2316  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6460,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6744 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 2316  chrome.exe  (parent: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6864,i,3743355785142183444,3109614312271695980,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6900 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity level: LOW | Description: Google Chrome | Exit code: 0 | Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 43 402
Read events: 43 185
Write events: 197
Delete events: 20

Modification events

PID 4696 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000160242
  Operation: write   Name: VirtualDesktop
  Value: 100000003030445602603FA5B72DE44882A417B3949BF781
PID 4696 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
  Operation: write   Name: CheckSetting
  Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000
PID 4696 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated
  Operation: write   Name: Chrome
  Value: 11
PID 4696 explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Operation: write   Name: NodeSlots
  Value (hex, next line):
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
PID 4696 explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Operation: write   Name: MRUListEx
  Value: 04000000030000000000000012000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
PID 4696 explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0
  Operation: write   Name: MRUListEx
  Value: 0400000005000000010000000600000008000000020000000C0000000B0000000A00000009000000070000000000000003000000FFFFFFFF
PID 4696 explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0
  Operation: write   Name: MRUListEx
  Value: 010000000000000002000000FFFFFFFF
PID 4696 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
  Operation: write   Name: ITBar7Layout
  Value (hex, next line):
13000000000000000000000020000000100000000000000001000000010700005E01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 4696 explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\208\Shell
  Operation: write   Name: SniffedFolderType
  Value: Downloads
PID 4696 explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\208\Shell
  Operation: write   Name: SniffedFolderType
  Value: Pictures
Files summary: executable 0 | suspicious 0 | text 2 | unknown types 552

Dropped files

Columns: PID | process | filename (the type, MD5 and SHA256 columns are empty in the report)

3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFc16c9.TMP
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RFc16d9.TMP
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RFc16d9.TMP
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFc16e8.TMP
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFc16e8.TMP
3996 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFc16e8.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 89
TCP/UDP connections: 124
DNS requests: 146
Threats: 26

HTTP requests

Columns: PID process | method status | IP:port | URL | CN, type, size | reputation

1180 chrome.exe | OPTIONS 200 | 35.190.80.1:443 | https://a.nel.cloudflare.com/report/v4?s=KbBXi0iQO1FcZ1%2FITDJt%2FULb2fa2ywU%2BPM2BiC1ymAgEcQgH297FCq%2FD7GXZfhpX5sKojmsNHHqGxzNy8%2BG6gxXtsc4nBkxpjXmOQQ%3D%3D | US | unknown
(PID not shown) | GET 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | US, binary, 314 b | whitelisted
7248 svchost.exe | GET 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US, binary, 471 b | whitelisted
1180 chrome.exe | GET 204 | 172.67.221.165:443 | https://ukentaspectsofc.org/czhRQVBcBzIybSR8OjgyN24gAjcDbhAWYDp6YC4YEXlpBwgUdXc1ORcFYHNhQAxkcHYDUTV8YVVLJSAkBktscHYaVjcubVVObHB+QAx/cmZdD3c0bUIeJTExFAVgZyAHTD18YUQPYHZoQw9hd2JKCQ | US | unknown
(PID not shown) | GET 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US, binary, 959 b | whitelisted
1180 chrome.exe | GET 200 | 142.251.37.14:80 | http://clients2.google.com/time/1/current?cup2key=8:PXx6rW6Gj_TiBaDKSWxxhXYkWjqV-P1zAliQTSiGQNs&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US, binary, 107 b | whitelisted
1180 chrome.exe | GET 200 | 142.251.143.99:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133 | US, 87.1 Kb | whitelisted
1180 chrome.exe | GET 200 | 188.114.97.3:443 | https://tmpfiles.org/25594117/260222-vmhgmsaz5a_pw_infected.zip | US, 2.55 Kb | unknown
1180 chrome.exe | GET 302 | 142.251.127.84:443 | https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.google.com%2Ffavicon.ico&uilel=3&hl=en&service=mail | US | whitelisted
1180 chrome.exe | GET 302 | 142.251.127.84:443 | https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Ffavicon.ico&uilel=3&hl=en&service=youtube | US | whitelisted

Connections

Columns: PID process | IP:port | domain | ASN | CN | reputation

4 System | 192.168.100.255:137 | Not routed | whitelisted
7720 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(PID not shown) | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 SearchApp.exe | 2.16.204.148:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
(PID not shown) | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
(PID not shown) | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(PID not shown) | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(PID not shown) | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7248 svchost.exe | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Columns: domain: resolved IPs (reputation)

settings-win.data.microsoft.com: 51.104.136.2 (whitelisted)
activation-v2.sls.microsoft.com: 48.192.1.64 (whitelisted)
www.bing.com: 2.16.204.148, 2.16.204.153, 2.16.204.136, 2.16.204.138, 2.16.204.159, 2.16.204.135, 2.16.204.160, 2.16.204.151 (whitelisted)
ocsp.digicert.com: 23.63.118.230 (whitelisted)
client.wns.windows.com: 172.211.123.248, 172.211.123.250 (whitelisted)
google.com: 142.251.208.174 (whitelisted)
oneocsp.microsoft.com: 204.79.197.203 (whitelisted)
login.live.com: 20.190.159.2, 20.190.159.128, 40.126.31.0, 20.190.159.131, 20.190.159.23, 40.126.31.71, 40.126.31.2, 40.126.31.130, 40.126.31.69, 40.126.31.73, 40.126.31.1, 40.126.31.67, 40.126.31.129, 20.190.159.64 (whitelisted)
licensing.mp.microsoft.com: 128.251.127.23 (whitelisted)
self.events.data.microsoft.com: 104.208.16.89 (whitelisted)

Threats

Columns: PID process | class | message

1180 chrome.exe | Misc activity | ET INFO Temporary File Hosting Domain in DNS Lookup (tmpfiles .org)
1180 chrome.exe | Misc activity | ET INFO Observed Temporary File Hosting Domain (tmpfiles .org in TLS SNI)
1180 chrome.exe | Misc activity | INFO [ANY.RUN] Temporary File Share Service (tmpfiles .org)
1180 chrome.exe | Misc activity | INFO [ANY.RUN] Temporary File Share Service (tmpfiles .org)
1180 chrome.exe | Misc activity | ET INFO Temporary File Hosting Domain in DNS Lookup (tmpfiles .org)
1180 chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1180 chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1180 chrome.exe | Misc activity | ET INFO Observed Temporary File Hosting Domain (tmpfiles .org in TLS SNI)
1180 chrome.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Possible Domain Associated with Malware Distribution (ukankingwithea .com)
1180 chrome.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Possible Domain Associated with Malware Distribution (ghabovethec .info)
Debug output

Process: AvastBrowserInstaller.exe
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:167) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:168) Jinx logging started
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:169) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:171) build date: Nov 25 2025 build number: 1804 build time: 19:47:29 build timestamp: Nov 25 2025 19:47:29 company: Gen Digital Inc. copyright: (C) 2017-2025 Gen Digital Inc. description: Secure Browser Installer file name: AvastBrowserInstaller.exe file version: 9.3.2.1804 git commit: d88e2deed6ef3bceaa97f4975153f45fa68d8cd9 internal name: jinx-installer product name: Secure Browser Installer product version: 9.3.2.1804 target system: windows
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:181) Operating system: Windows Enterprise x64 10.0.19045.4046 SP0
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:184) Process is not elevated.
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:190) Process owner: DESKTOP-JGLLJLD\admin (logon=true, admin=true)
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <2:Info> (4bbd888238eee7c1\src\jinx\Logging.cpp:106) Command line: "C:\Users\admin\AppData\Local\Temp\nsj225E.tmp\AvastBrowserInstaller.exe" "C:\Users\admin\Downloads\avast_secure_browser_setup.exe" User dotfile was used: false Global dotfile was used: false Execution arguments:
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <1:Debug> (4bbd888238eee7c1\src\jinx\VmDetect.cpp:203) Starting VM Detection system
2026-02-22T12:19:34 [installer] {00001ffc:000018f0} <1:Debug> (4bbd888238eee7c1\src\jinx\TagData.cpp:457) TagData: Extracting from "C:\Users\admin\Downloads\avast_secure_browser_setup.exe" using start marker '<##TAGDATA##>' and end marker '</##TAGDATA##>'