| Field | Value |
|---|---|
| File name | winlogon.exe |
| Full analysis | https://app.any.run/tasks/2aa2611e-0ed5-4b91-8287-c17e30a7c06b |
| Verdict | Malicious activity |
| Analysis date | April 02, 2024, 02:33:28 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | E6AFEAD96EC595A4335B9655CEEC11D1 |
| SHA1 | BE4F93F4376E1A4BB065D375C1C8AD7441C302D4 |
| SHA256 | 12F486A525AFED4B3297063EC0D77D401CB3B59E7AB5CF29772D00656A9D0B1E |
| SSDEEP | 49152:FckhoiscZJeqEkvE8Dp13Mp6FZyOLS0DmrLa9+28tfMStD9lVwA3ENI5YZlToDMt:Fckhoileqv8Yp13Y6Z3LOLA+2+08jQPV |

| Extension | Detected type (score) |
|---|---|
| .exe | UPX compressed Win32 Executable (76) |
| .exe | Win32 Executable (generic) (12.6) |
| .exe | Generic Win/DOS Executable (5.6) |
| .exe | DOS Executable Generic (5.6) |

| PE property | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2021:06:30 02:16:18+00:00 |
| ImageFileCharacteristics | Executable, 32-bit |
| PEType | PE32 |
| LinkerVersion | 14 |
| CodeSize | 1511424 |
| InitializedDataSize | 4096 |
| UninitializedDataSize | 2560000 |
| EntryPoint | 0x3e2720 |
| OSVersion | 5.1 |
| ImageVersion | - |
| SubsystemVersion | 5.1 |
| Subsystem | Windows GUI |

| PID | CMD | Path | Indicators | Parent process | User | Integrity level |
|---|---|---|---|---|---|---|
| 3936 | "C:\Users\admin\AppData\Local\Temp\winlogon.exe" | C:\Users\admin\AppData\Local\Temp\winlogon.exe | | explorer.exe | admin | MEDIUM |

| BitRat config (PID 3936, winlogon.exe) | Value |
|---|---|
| C2 | 45.81.39.103 |
| Ports | 1234 |
| Options | Tor Process: tor |
| Communication Password | b139aeda1c2914e3b579aafd3ceeb1bd |
| Version | 1.38 |
| Keys | MD5: ee7ebe36dd6793b5 |

Strings (690):

```text
(1) (Build: (Last bootup: (max: (x64) (x86) * CPU * DONATE * POOL #1 -a " -incognito -l " GiB Hz)</val2> KiB MHz)</val2> MHz</val2> Mbit/s TiB [Download] algo "message_id": "text":" "update_id": $3^( % Available (charging) %)</size> %|-1 &text= )</val1> )</val2> +unning --profile-directory=Default -2147483643/ -2147483645/ -2147483646/ -2147483647/ -2147483648/ -2147483650 .dat .enc .json .xml .zip .ziptebrv /cam. /clbtart. /dlex /free /pwsY /resync /nowait /scr. /sendMes /sendMessage?chat_id= /usb /vol8 1|-1 78hf326f87 9HSA 9onnecting... ;CK_CMD| ;HIFT ;toppe{ </block> </cpuusage> </date> </dep> </desc> </err> </est> </files> </filesystem> </icon> </isprc> </issys> </label> </lis> </mod> </name> </path> </pb> </pid> </pri> </ramload> </ramsize> </server> </silent> </sizefree> </sizetotal> </sizeused> </startup> </state> </sz> </sz>s> </tcp> </threads> </title> </type> </udp> </v>zefro </v>| </val2> </xml> <F11] <F12] <F1] <F3] <F4] <F9] <apptype> <attr> <block> <cpuusage> <data> <date> <date>N/A</date> <dep> <desc> <dirs> <disp> <err>patS <filesystem> <hwnd> <icon> <isprc> <letter> <lis> <n>N/A</n> <name> <path> <path>N/A</path> <pb>N/A</pb> <pid> <ramfree> <ramsize> <server> <silent> <silent>N/A</silent> <size> <sizefree> <state> <sz>D <sz>N/A</sz> <tcp> <threads> <type> <v>N/A</v> <val1>Antivirus</val1> <val1>BIOS</val1> <val1>Graphic card ( <val1>Input locale</val1> <val1>Installed RAM</val1> <val1>Monitor ( <val1>OS architecture</val1> <val1>OS install date</val1> <val1>OS version</val1> <val1>Operating system</val1> <val1>PC domain</val1> <val1>PC manufacturer</val1> <val1>PC model</val1> <val1>Platform type</val1> <val1>Processor</val1> <val1>RAM slot ( <val1>System locale</val1> <val1>System uptime</val1> <val1>Time zone</val1> <val1>Username</val1> <val2> <xml> =li_un
=on_close ?ocks5_srv_start ?rv_start ADD APPACTIVATE AT AVE_MARIA Action: /cam Action: /clsbrw Action: /klg Action: /msg Action: /usb Action: /vol Action: /web Adapter Alerts disabled Alerts enabled All in One Armenian Attempting to launch browser... Automatic BS Basque Boot Start Bot ID: BuildNumber Bulgarian Bus Expansion Chassis Business CLOSED Capacity Caption ChassisTypes Closing virtual desktop... Connecting... CreateDesktop API failed! CreateProcess API failed! Critical error control Croatian Czech DEL DELETE_TCB Danish Datacenter DelegateExecute Desktop Disabled Disconnected DisplayIcon DisplayName DisplayVersion Docking Station DriverVersion END ESC Enterprise EstimatedChargeRemaining EstimatedRunTime EstimatedSize Estonian Expansion Chassis F1 F10 F12 F13 F14 F15 F16 F2 F3 F4 F5 F6 F7 F8 F9 FAIL (invalid arguments) FAIL (invalid log size) FIN_WAIT1 FIN_WAIT2 Faeroese Failed to launch browser File system driver Finnish FriendlyName Fully charged ( Georgian Gonnecting... Gontinuing Greek Gujarati H/dep> H/disp> H/mod> H/path> H/pb> H/status> H/title> Hand Held Hblock> Hclass> Hdep> Hebrew Hidden Hindi Hpath> Hpid> Htitle> Hudp> Hungarian Hxml> IELAY INS Icelandic IelegateExecute InstallDate InstallLocation Interactive process Itarting Itopping JF10] JF13] JF14] JF2] JF5] JF6] JF7] JF8] Kazakh Keep-alive Kernel driver Keylog: Kli_dc Kli_off Kli_rc Kli_sleep Kyrgyz LAST_ACK LISTENING Laptop Lithuanian Low Profile Desktop Lplg\ Lunch Box Macedonian Main System Chassis Malay - Brunei Darussalam Manual Manufacturer Mate MaxClockSpeed Maximized Mini Tower Mocks5_srv_start Mrv_list No active No clipboard Normal Norwegian - Bokmal Norwegian - Nynorsk Notebook OSLanguage Oitle P | Peripheral Chassis Pizza Box Polish Portable Portuguese - Brazilian Portuguese - Standard Powrprof.dll Publisher QuietUninstallString RB_ST Rack Mount Chassis Recognizer driver Remote browser started! Remote browser stopped!
Romanian RtlGetVersion SC_PR_ST SC_ST SC_ST2 SELECT * FROM Win32_Processor SELECT * From AntiVirusProduct SYN_RCVD SYN_SENT ScreenHeight ScreenWidth Sealed-Case PC Select * from Win32_BIOS Select * from Win32_Battery Select * from Win32_TimeZone Serbian - Latin Service ignores error SetThreadDesktop API failed! Severe error control Slovak Slovenian Socket was unexpectedly closed! Sorry, Chrome was not detected! Spanish - Argentina Spanish - Bolivia Spanish - Chile Spanish - Colombia Spanish - Costa_Rica Spanish - Dominican Republic Spanish - Ecuador Spanish - El Salvador Spanish - Guatemala Spanish - Honduras Spanish - Mexican Spanish - Modern Sort Spanish - Nicaragua Spanish - Panama Spanish - Paraguay Spanish - Peru Spanish - Puerto Rico Spanish - Traditional Sort Spanish - Uruguay Spanish - Venezuela Speed Starter Status: Status: FAIL (no available cam) Status: OK Storage Chassis Sub Notebook SubChassis Swedish - Finland Switching to virtual desktop... Syriac TIME_WAIT TLS Handshake Tamil Tatar Telugu Thai[ UCBrowser.exe Ukrainian Unknown Urdu</stv User: Uzbek - Cyrillic V/data> V/dirs> V/hwnd> V/name> V/path> V/pid> V/size> Vblock> Vdir> Verr> Version Vietnamese Virtual Machine Vissys> Vmod> Vpath> Vpb> Vsize>-1</size> Vxml> WC_PR_ST Web Server Win 10 Win 11 Win 2000 Win 8.1 Win XP Win32 Win32 process Win32 share process Window: Wisconnected WmiQueryAllDataW Zplg\ [BACKSPACE] [CAPSLOCK] [CLEAR] [CLIPBOARD_END] [CLIPBOARD_START] [CTRL+@] [CTRL+A] [CTRL+B] [CTRL+C] [CTRL+D] [CTRL+E] [CTRL+F] [CTRL+G] [CTRL+H] [CTRL+I] [CTRL+J] [CTRL+K] [CTRL+L] [CTRL+M] [CTRL+N] [CTRL+O] [CTRL+P] [CTRL+Q] [CTRL+R] [CTRL+S] [CTRL+T] [CTRL+U] [CTRL+V] [CTRL+W] [CTRL+X] [CTRL+Y] [CTRL+Z] [CTRL+[] [CTRL+\] [CTRL+]] [CTRL+^] [CTRL+_] [DEL] [DOWN] [END] [ENTER] [ESC] [EXECUTE] [F15] [F16]> [HELP] [HOME] [INS] [LEFT] [MENU] [NUMLOCK] [NUMPAD_0] [NUMPAD_1] [NUMPAD_2] [NUMPAD_3] [NUMPAD_4] [NUMPAD_5] [NUMPAD_6] [NUMPAD_7] [NUMPAD_8] [NUMPAD_9] [NUMPAD_ADD] [NUMPAD_DECIMAL] [NUMPAD_DIVIDE]
[NUMPAD_MULTIPLY] [NUMPAD_SEPARATOR] [NUMPAD_SUBTRACT] [PAGEDOWN] [PAGEUP] [PAUSE] [PRTSCR] [RIGHT] [SCROLL] [SELECT] [SHIFT] [TAB] [UP]: [nknown \Google\C \Google\Chrome\User Data \Mozilla\Firefox \Opera\Opera \Torch\User Data \b\d{2}[-]\d{2}[-]\d{4}\b \plg \plg\ \plg\inj64.exe \plg\pid \setup.exe about:blank alert alert| aud_rec_list autoruns autoruns_del autoruns_req browsers_clear chrome.exe cli_bsod cli_hib cli_log cli_off cli_rs cli_sleep cli_up clipboard_get con_list crd_logins crd_logins_report crd_logins_report_req crd_logins_req crd_logins_start_tg crd_logins_tg data date ddos_stop displayName dl_dir_obj_count dlexec drives_get files_delete files_delete_dir_normal files_delete_dir_secure files_delete_end files_delete_secure files_delete_start files_download_resume files_get files_search_path files_upload files_zip files_zip_end files_zip_start firefox.exe g0 Hz, h<u~~h h\ hsz http://api.ipify.org http://ip http://ipecho.net/plain http://ipinfo.io/ip http://ipv4.icanhazip.com http://wtfismyip.com/text h}p~~h iexplore.exe image/jpeg image/png injdll kersion: klgoff_del klgoff_dl_all klgoff_dl_recent klgoff_get klgoff_list klgonlinestart klgonlinestop max miles_delete_start miles_new_dir miles_upload_dir miles_zip_dir miles_zip_end mnk32 monitors_refresh msedge.exe msgbox notes_get notes_set ntdll.dll opera.exe prc_kill prc_list prc_priority prc_restart prc_resume prc_suspend productState reg_hkeys_get reg_keys_get rejected remotebrowser_error remotebrowser_info remotebrowser_stop root scr_off scr_on screenlive_stop settings shell_stop socks4r_stats socks4r_stop socks5_srv_stats soft_list soft_uninstall speed speedtest srv_control srv_list srv_start srv_uninstall task_del tasks_list thtml thumb_data torch.exe unk32 unknown upnp_data usb_spread vivaldi.exe vol_edit w32tm.exe wL_DL wL_DL_RESUME wd_kill webcam_devices webcam_start webcam_stop website_open wnd_list wnd_title xmr64_mine_ready xmr64_mine_req xmr_mine_log xmr_mine_ready xmr_mine_req xmr_mine_stats
xmrmine {iles_delete_end {iles_download {iles_exec {iles_rename {iles_search {iles_search_stop {iles_zip /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRgNNmf9XjPAEaZ6CQ6NJlHzgU1ck3qhq0LC7ULPi97... 143ad9621bfba7ccc57c143845fa8c9c 4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200000000000000000000007E3100004B0000000000... 777173575a6f5852 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ e42f59efa0434852b9b6c3585fdc914a2e12ee33f16dcd5d42399f8e75c442b8bf69ff7efec342b9195c29314676d87ff5b46f20be5ba756e389a718a508f74e39cf1d8ba8c391eae66dd5df8e392790
```

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3936 | winlogon.exe | 45.81.39.103:1234 | — | Enes Koken | US | unknown |