File name: C5ax2Rm36IsCpi8f.exe

Full analysis: https://app.any.run/tasks/584ff01b-0849-42dd-b607-d85d89ee5083
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to gain unauthorized access to a user's information and send it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords and cryptocurrency wallets. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: June 07, 2025, 17:09:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
api-base64
zerotrace
arch-doc
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 3E3321785BA9D8CF4B55104D347843F9
SHA1: E3E960DC327CB646BE101E831842D693F2996387
SHA256: F9D1A99C2AA67C7661B68781218083437F06770EFD78E7D4791C25D105973F47
SSDEEP: 49152:7XOlJjyULcWg4q2vX9OLQTM+acHEGSEGGVju0yxFXj0ia+CtbQRfrYIvV8ARgzDO:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • grpconv.exe (PID: 3996)
      • grpconv.exe (PID: 7804)
      • grpconv.exe (PID: 5164)
      • grpconv.exe (PID: 2504)
      • grpconv.exe (PID: 7636)
      • grpconv.exe (PID: 2552)
      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Steals credentials from Web Browsers

      • grpconv.exe (PID: 3996)
      • grpconv.exe (PID: 7804)
      • grpconv.exe (PID: 5164)
      • grpconv.exe (PID: 7636)
      • grpconv.exe (PID: 2552)
      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Changes powershell execution policy (Bypass)

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7924)
    • Suspicious browser debugging (Possible cookie theft)

      • chrome.exe (PID: 3300)
      • chrome.exe (PID: 7496)
      • msedge.exe (PID: 6496)
      • msedge.exe (PID: 6940)
    • ZEROTRACE has been detected

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
  • SUSPICIOUS

    • Multiple wallet extension IDs have been found

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Starts POWERSHELL.EXE for commands execution

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • The process executes Powershell scripts

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • MS Edge headless start

      • msedge.exe (PID: 4408)
      • msedge.exe (PID: 6496)
      • msedge.exe (PID: 7544)
      • msedge.exe (PID: 6940)
    • Connects to unusual port

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
  • INFO

    • Reads the computer name

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
      • identity_helper.exe (PID: 2416)
    • Checks supported languages

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
      • identity_helper.exe (PID: 2416)
    • Create files in a temporary directory

      • grpconv.exe (PID: 6584)
      • grpconv.exe (PID: 7316)
      • grpconv.exe (PID: 7804)
      • grpconv.exe (PID: 2552)
      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Creates files or folders in the user directory

      • grpconv.exe (PID: 7492)
      • grpconv.exe (PID: 6584)
      • grpconv.exe (PID: 7316)
      • grpconv.exe (PID: 660)
      • grpconv.exe (PID: 3996)
      • grpconv.exe (PID: 7804)
      • grpconv.exe (PID: 644)
      • grpconv.exe (PID: 5164)
      • grpconv.exe (PID: 6368)
      • grpconv.exe (PID: 2504)
      • grpconv.exe (PID: 7636)
      • grpconv.exe (PID: 2244)
      • grpconv.exe (PID: 2552)
    • Reads the machine GUID from the registry

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Reads Microsoft Office registry keys

      • grpconv.exe (PID: 6368)
    • Reads Windows Product ID

      • grpconv.exe (PID: 6368)
    • Checks proxy server information

      • powershell.exe (PID: 7924)
    • Application launched itself

      • chrome.exe (PID: 3300)
      • chrome.exe (PID: 7496)
      • msedge.exe (PID: 6940)
      • msedge.exe (PID: 6496)
      • msedge.exe (PID: 6404)
    • Disables trace logs

      • powershell.exe (PID: 7924)
    • Reads CPU info

      • C5ax2Rm36IsCpi8f.exe (PID: 7720)
    • Manual execution by a user

      • notepad.exe (PID: 6156)
      • notepad.exe (PID: 4192)
      • notepad.exe (PID: 7832)
      • notepad.exe (PID: 4164)
      • notepad.exe (PID: 2644)
      • notepad.exe (PID: 5596)
      • notepad.exe (PID: 7780)
      • notepad.exe (PID: 7860)
      • notepad.exe (PID: 924)
      • iexplore.exe (PID: 8024)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7832)
      • notepad.exe (PID: 4192)
      • notepad.exe (PID: 4164)
      • notepad.exe (PID: 2644)
      • notepad.exe (PID: 5596)
      • notepad.exe (PID: 7780)
      • notepad.exe (PID: 7860)
      • notepad.exe (PID: 924)
      • notepad.exe (PID: 6156)
    • Reads Environment values

      • identity_helper.exe (PID: 2416)
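The four "Base64 Encoded '...'" indicators above (and the api-base64 tag) mean the sample does not carry the names ReadProcessMemory, GetProcAddress, OpenProcess and LoadLibrary as plain strings; it stores them base64-encoded and decodes them at run time, which defeats a naive string search. The scanner below is an added example, not ANY.RUN's signature logic. It shows how to find a base64-encoded string without decoding the whole file: base64 packs 3 bytes into 4 characters, so a string has three possible encodings depending on its offset modulo 3, and the characters that straddle unknown neighbouring bytes must be dropped from each needle. It assumes the encoded names sit in the binary as base64 text, either as ASCII or as UTF-16LE (how a .NET string literal is stored in the #US heap, which matters for a Mono/.Net assembly like this one). The blob it scans is constructed inline for the demonstration, not taken from the analysed file.

```python
import base64
import re

# Win32 API names that the report's signatures found base64-encoded in the sample.
API_NAMES = [b"ReadProcessMemory", b"GetProcAddress", b"OpenProcess", b"LoadLibrary"]


def base64_variants(plain: bytes) -> list[bytes]:
    """Return the three base64 spellings of `plain`, one per alignment k = offset % 3.

    Characters that also depend on the unknown bytes before or after the string are
    dropped, so each needle matches wherever the string was embedded (the same trick
    YARA's `base64` modifier uses).
    """
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + plain).rstrip(b"=")
        enc = enc[(0, 2, 3)[k]:]           # leading chars tainted by the k unknown bytes
        if (k + len(plain)) % 3:
            enc = enc[:-1]                 # trailing char shares bits with the next unknown byte
        variants.append(enc)
    return variants


def build_patterns(names):
    """Compile one regex per (name, alignment, text encoding)."""
    patterns = []
    for name in names:
        for k, variant in enumerate(base64_variants(name)):
            if len(variant) < 4:           # too short to be a meaningful needle
                continue
            wide = variant.decode("ascii").encode("utf-16-le")   # .NET #US heap string literal
            for encoding, needle in (("ascii", variant), ("utf-16le", wide)):
                patterns.append((name.decode(), k, encoding, re.compile(re.escape(needle))))
    return patterns


def scan(blob: bytes, names=API_NAMES) -> list[dict]:
    """Find base64-encoded API names in `blob`, whatever their alignment."""
    hits = []
    for api, k, encoding, rx in build_patterns(names):
        for m in rx.finditer(blob):
            hits.append({"api": api, "alignment": k, "encoding": encoding, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def constructed_sample() -> bytes:
    """Constructed test blob (not bytes from the analysed file): the API names are
    encoded behind 0-, 1- and 2-byte prefixes so every alignment is exercised, and one
    of them is stored as UTF-16LE text the way a .NET string literal would be."""
    ascii_blobs = [
        base64.b64encode(b"ReadProcessMemory"),          # alignment 0
        base64.b64encode(b"!" + b"OpenProcess"),         # alignment 1
        base64.b64encode(b"!!" + b"GetProcAddress"),     # alignment 2
    ]
    wide_blob = base64.b64encode(b"\x00LoadLibrary").decode("ascii").encode("utf-16-le")
    return b"MZ\x90\x00filler|" + b"|".join(ascii_blobs) + b"|\x00" * 4 + wide_blob + b"\x00\x00"


if __name__ == "__main__":
    for hit in scan(constructed_sample()):
        print(f"{hit['offset']:5d}  {hit['encoding']:8s}  alignment={hit['alignment']}  {hit['api']}")
```

Run it against the unpacked .NET module (or a memory dump of PID 7720) rather than a packed stub; if the stub decrypts the real payload at run time, the encoded names only exist in memory. The same variant generation is what YARA's `base64` and `base64wide` string modifiers do, so a hit here translates directly into a rule.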
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2102:03:16 01:25:54+00:00 (a date in the future is not a real build time: .NET compilers in deterministic mode store a content hash in the PE timestamp field, so this value carries no dating information)
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 11233280
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xab864e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: ZeroTraceOfficialStub
FileVersion: 1.0.0.0
InternalName: ZeroTraceOfficialStub.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: ZeroTraceOfficialStub.exe
ProductName: ZeroTraceOfficialStub
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 226
Monitored processes: 100
Malicious processes: 12
Suspicious processes: 0

Behavior graph

(Interactive graph not reproduced. The tree it shows: c5ax2rm36iscpi8f.exe, tagged #ZEROTRACE, as the root, spawning multiple grpconv.exe instances, powershell.exe with conhost.exe, chrome.exe and msedge.exe process trees, slui.exe and svchost.exe; separately, multiple notepad.exe instances, iexplore.exe, further msedge.exe trees and identity_helper.exe. Full graph in the full report.)

Process information

Each record lists PID, command line (CMD), image path, parent process, then user, company, integrity level, description, exit code where recorded, version and the first loaded modules. The Indicators column of the original table is empty for every row shown.
PID: 540
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=2364,i,9638112480042850957,538469164872214200,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 644
CMD: "C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\WorkingTasks-output_20250607170934.txt"
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: C5ax2Rm36IsCpi8f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Progman Group Converter
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 660
CMD: "C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\InstalledApps-output_20250607170934.txt"
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: C5ax2Rm36IsCpi8f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Progman Group Converter
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 672
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2472 --field-trial-handle=2364,i,9638112480042850957,538469164872214200,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 872
CMD: "C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\ProductKeys-output_20250607170934.txt"
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: C5ax2Rm36IsCpi8f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Progman Group Converter
Exit code: 4294967295 (0xFFFFFFFF)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 924
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\GetDefenderLogs.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1452
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --disable-quic --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --no-appcompat-clear --mojo-platform-channel-handle=2180 --field-trial-handle=2352,i,1366369328578940796,5637755844142734079,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 4294967295 (0xFFFFFFFF)
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5208 --field-trial-handle=2364,i,9638112480042850957,538469164872214200,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1696
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1976,i,3952883452235441922,3727537768059412166,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 4294967295 (0xFFFFFFFF)
Version: 122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2040
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4900 --field-trial-handle=2364,i,9638112480042850957,538469164872214200,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
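Three observables in the process records above are what a detection engineer would key on: grpconv.exe launched by the sample with `/stext "<path>"`, Chrome and Edge command lines carrying `--remote-debugging-port=9222` (and `--no-sandbox`) against the user's real `User Data` profile, and output files named `<Module>-output_<timestamp>.txt` under AppData\Roaming. grpconv.exe is the legacy Program Manager group converter and has no reason to write reports into a user profile; `/stext <file>` is the plain-text output switch of the NirSoft command-line utilities, which fits the "Steals credentials from Web Browsers" and "Reads Windows Product ID" signatures on those PIDs. A Chromium browser started with remote debugging enabled exposes the DevTools protocol on a local port, and a local client can ask it for cookies in the clear without ever decrypting the cookie database; `--headless` keeps the window off screen. The script below is an added example, not ANY.RUN's detection logic: two process-creation rules run over Sysmon-style events built from the command lines in this report (the headless Edge line and the bare grpconv.exe baseline are constructed with hypothetical PIDs, because the page does not show those command lines). The `powershell.exe` writes to `Tracing\powershell_RASAPI32` under Modification events are a side effect of loading the RAS API, which also happens when a process queries proxy settings, and are deliberately not used as a signal here.

```python
import re
from pathlib import PureWindowsPath

# Windows command-line tokeniser: keep quoted spans attached to their neighbours, then
# drop the quotes, so --user-data-dir="C:\...\User Data" survives as one argument.
TOKEN_RX = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# <Module>-output_<yyyymmddHHMMSS>.txt: the naming of every stealer output file in the report.
OUTPUT_NAME_RX = re.compile(r"^([A-Za-z]+)-output_\d{14}\.txt$", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}   # assumption: extend as needed


def split_cmdline(cmd: str) -> list[str]:
    return [tok.replace('"', "") for tok in TOKEN_RX.findall(cmd)]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_grpconv(ev: dict):
    """grpconv.exe with arguments is suspicious on its own; '/stext <file>' (the NirSoft
    plain-text output switch) means injected recovery-tool code is running inside it."""
    if image_name(ev["image"]) != "grpconv.exe":
        return None
    argv = split_cmdline(ev["cmdline"])
    if len(argv) < 2:
        return None                                    # bare launch: no finding
    finding = {"pid": ev["pid"], "rule": "grpconv_with_arguments", "severity": "medium",
               "parent": image_name(ev["parent_image"]), "args": argv[1:]}
    lowered = [a.lower() for a in argv]
    if "/stext" in lowered:
        finding["rule"], finding["severity"] = "grpconv_stext_output", "high"
        i = lowered.index("/stext")
        if i + 1 < len(argv):
            finding["output_file"] = argv[i + 1]       # path to hunt for on disk
            m = OUTPUT_NAME_RX.match(PureWindowsPath(argv[i + 1]).name)
            if m:
                finding["module"] = m.group(1)         # e.g. WorkingTasks, ProductKeys
    return finding


def check_browser_debug(ev: dict):
    """Remote debugging or headless mode on a Chromium browser.  Child processes
    (--type=renderer, utility) inherit the flags, so the process type is recorded."""
    name = image_name(ev["image"])
    if name not in BROWSERS:
        return None
    flags = {}
    for arg in split_cmdline(ev["cmdline"])[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key.lower()] = value
    debugging = "remote-debugging-port" in flags or "remote-debugging-pipe" in flags
    headless = "headless" in flags
    if not (debugging or headless):
        return None
    profile = flags.get("user-data-dir", "")
    real_profile = profile.lower().endswith("\\user data")   # the user's live profile, not a scratch dir
    return {"pid": ev["pid"], "rule": "browser_remote_debugging", "browser": name,
            "process_type": flags.get("type") or "browser",
            "debug_port": flags.get("remote-debugging-port"), "headless": headless,
            "no_sandbox": "no-sandbox" in flags, "user_data_dir": profile,
            "targets_real_profile": real_profile,
            "severity": "high" if debugging and real_profile else "medium"}


def run(events):
    findings = []
    for ev in events:
        for check in (check_grpconv, check_browser_debug):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


SAMPLE_EVENTS = [
    # Sysmon event-1 style records built from the command lines in this report.
    {"pid": 644, "image": r"C:\Windows\SysWOW64\grpconv.exe", "parent_image": "C5ax2Rm36IsCpi8f.exe",
     "cmdline": r'"C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\WorkingTasks-output_20250607170934.txt"'},
    {"pid": 872, "image": r"C:\Windows\SysWOW64\grpconv.exe", "parent_image": "C5ax2Rm36IsCpi8f.exe",
     "cmdline": r'"C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\ProductKeys-output_20250607170934.txt"'},
    {"pid": 1696, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": "chrome.exe",   # abridged
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --lang=en-US /prefetch:1'},
    {"pid": 1452, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "parent_image": "msedge.exe",   # abridged; no debugging flag
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --no-sandbox --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:8'},
    {"pid": 924, "image": r"C:\Windows\System32\notepad.exe", "parent_image": "explorer.exe",
     "cmdline": r'"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\GetDefenderLogs.txt'},
    # Constructed, hypothetical PIDs: the report lists headless Edge starts without their
    # command lines, and a bare grpconv.exe launch is the benign baseline.
    {"pid": 60001, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "parent_image": "C5ax2Rm36IsCpi8f.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --remote-debugging-port=9229 --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data"'},
    {"pid": 60002, "image": r"C:\Windows\System32\grpconv.exe", "parent_image": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\grpconv.exe"'},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["pid"], f["rule"], f.get("module") or f.get("process_type", ""))
```

The `output_file` paths the first rule extracts double as a file hunt list: in this run they point at the `*-output_20250607170934.txt` files listed under Dropped files, which is where the collected data sits before exfiltration. The browser rule fires on every child process that inherited the flags, so group findings by `user_data_dir` and keep the one with `process_type == "browser"` when you want one alert per launch.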
Total events: 27 837
Read events: 27 782
Write events: 55
Delete events: 0

Modification events

PID | Process | Operation | Key | Name = Value
3300 | chrome.exe | write | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics | user_experience_metrics.stability.exited_cleanly = 0
3300 | chrome.exe | write | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | failed_count = 0
3300 | chrome.exe | write | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | state = 2
3300 | chrome.exe | write | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | state = 1
3300 | chrome.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | usagestats = 0
7924 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
7924 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing = 0
7924 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
7924 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask = (value not recorded)
7924 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask = (value not recorded)
Executable files: 19
Suspicious files: 255
Text files: 110
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6584 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\ecvEBD.tmp | (not recorded) | (not recorded) | (not recorded)
7804 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\bhv3699.tmp | (not recorded) | (not recorded) | (not recorded)
7804 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\sqp3811.tmp | (not recorded) | (not recorded) | (not recorded)
2552 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\bhv6E62.tmp | (not recorded) | (not recorded) | (not recorded)
7316 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\cke170A.tmp | binary | 19BA68C3ECBCA72C2B90AFADDE745DC6 | 8B3758EE2D2C0A07EE7003F902F0667ABE5D9667941F8617EDA3CDF94C78E7B8
7804 | grpconv.exe | C:\Users\admin\AppData\Roaming\BrowserHistory-output_20250607170934.txt | text | F3B25701FE362EC84616A93A45CE9998 | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2244 | grpconv.exe | C:\Users\admin\AppData\Roaming\DefenderLogs-output_20250607170934.txt | text | A38EEA6BB322ECDED4D6B83D08779CF4 | FD4F6B7CFCF67A85A057161CFCBE8FD29E8DAAEF2B6342AB21B9D738C59E8186
644 | grpconv.exe | C:\Users\admin\AppData\Roaming\WorkingTasks-output_20250607170934.txt | text | 0BDCA7A199DB05BBAB14B07B54516C30 | 699076E27C20E4B6CEDFBF6A7229892C237BBFB4501654DBA891A9DC39E7C63D
7804 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\sqp3811.tmp-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5164 | grpconv.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\places.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 89
TCP/UDP connections: 129
DNS requests: 107
Threats: 2

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
7564 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7232 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7564 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 216.58.206.35:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=122 | unknown | compressed | 98.4 Kb | whitelisted
- | - | POST | 200 | 74.125.71.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | unknown | text | 17 b | whitelisted
7232 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 172.217.18.100:443 | https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | unknown | text | 167 b | whitelisted
- | - | GET | - | 172.217.18.100:443 | https://www.google.com/async/ddljson?async=ntp:2 | unknown | - | - | -
- | - | GET | 200 | 172.217.18.100:443 | https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | unknown | binary | 127 Kb | whitelisted
- | - | GET | - | 172.217.18.100:443 | https://www.google.com/async/newtab_promos | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7564 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7232 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7564 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
7232 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
7564 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7564 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124, 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
clientservices.googleapis.com | 216.58.206.35 | whitelisted
accounts.google.com | 142.251.168.84 | whitelisted
www.google.com | 172.217.18.100 | whitelisted
update.googleapis.com | 216.58.206.67 | whitelisted
www.gstatic.com | 216.58.206.67 | whitelisted
ogads-pa.clients6.google.com | 216.58.212.170 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
- | - | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install
No debug info