File name:

Virus.zip

Full analysis: https://app.any.run/tasks/3f0967f7-03f2-4610-8312-a0abc5c26a39
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: November 07, 2023, 07:18:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
winwebsec
adware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

3CA9B55E573DCC977BB1167D5A3D6FD0

SHA1:

50AE8AFE81B62BBB170523E6A3E6404F5460C1D7

SHA256:

15016FB331CEF2F2CE4FEDA5CE61B5560E7BE4CA031D0759531C9A639229FB06

SSDEEP:

98304:/dOmsMV7Q1TpfJd5DkBhMwHeqnBHAJ0wOqwHeqnBHAJ0wORXauNeeGhmXc8KH1Zs:mdgaLJLP8PGACaLOxpJQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • WINWEBSEC has been detected (SURICATA)

      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
    • Drops the executable file immediately after the start

      • 74BE16.EXE (PID: 3956)
      • file.exe (PID: 1612)
      • file.exe (PID: 1812)
      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
      • asr64_ldm.exe (PID: 3788)
    • Connects to the CnC server

      • asr64_ldm.exe (PID: 3788)
    • Creates files in the Startup directory

      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
    • Changes the login/logoff helper path in the registry

      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
    • Actions look like stealing of personal data

      • wuauclt.exe (PID: 2324)
    • Changes the autorun value in the registry

      • qpqpdndnn.exe (PID: 1560)
      • wuauclt.exe (PID: 2324)
      • shutdown.exe (PID: 372)
      • explorer.exe (PID: 984)
      • attrib.exe (PID: 2828)
      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
      • regsvr32.exe (PID: 2652)
      • WinRAR.exe (PID: 2928)
    • Starts NET.EXE for service management

      • asr64_ldm.exe (PID: 3788)
      • net.exe (PID: 2392)
    • Uses NET.EXE to stop Windows Security Center service

      • asr64_ldm.exe (PID: 3788)
      • net.exe (PID: 2392)
    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 3152)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2928)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2928)
    • Connects to the server without a host name

      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
      • 74BE16.EXE (PID: 3956)
    • Creates executable files that already exist in Windows

      • WinRAR.exe (PID: 2928)
    • Reads the Internet Settings

      • 74BE16.EXE (PID: 3956)
      • asr64_ldm.exe (PID: 3788)
      • asr64_ldm.exe (PID: 1068)
    • Starts notepad (likely ransomware note)

      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
    • Application launched itself

      • file.exe (PID: 1880)
      • file.exe (PID: 1612)
      • qpqpdndnn.exe (PID: 1904)
      • qpqpdndnn.exe (PID: 1560)
    • Checks Windows Trust Settings

      • asr64_ldm.exe (PID: 3788)
    • Reads security settings of Internet Explorer

      • asr64_ldm.exe (PID: 3788)
    • Reads settings of System Certificates

      • asr64_ldm.exe (PID: 3788)
    • Starts itself from another location

      • file.exe (PID: 1812)
      • asr64_ldm.exe (PID: 3788)
    • Changes internet zones settings

      • wuauclt.exe (PID: 2324)
      • cmd.exe (PID: 3148)
      • attrib.exe (PID: 2828)
      • shutdown.exe (PID: 372)
      • explorer.exe (PID: 984)
      • regsvr32.exe (PID: 2652)
      • WinRAR.exe (PID: 2928)
      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
      • cmd.exe (PID: 3152)
    • Starts SC.EXE for service management

      • asr64_ldm.exe (PID: 3788)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 328)
    • Executing commands from a ".bat" file

      • asr64_ldm.exe (PID: 3788)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 328)
    • Reads Microsoft Outlook installation path

      • asr64_ldm.exe (PID: 1068)
    • Reads Internet Explorer settings

      • asr64_ldm.exe (PID: 1068)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3148)
    • The system shuts down or reboots

      • cmd.exe (PID: 3148)
    • Starts CMD.EXE for commands execution

      • asr64_ldm.exe (PID: 3788)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3416)
      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
      • 74BE16.EXE (PID: 3956)
      • 6F63A59D00099D89004AE618E56C3425.exe (PID: 3684)
      • asr64_ldm.exe (PID: 3788)
      • DisplaySwitch.exe (PID: 1436)
      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
      • file.exe (PID: 1880)
      • file.exe (PID: 1612)
      • qpqpdndnn.exe (PID: 2300)
      • qpqpdndnn.exe (PID: 1560)
      • qpqpdndnn.exe (PID: 1904)
      • file.exe (PID: 1812)
      • asr64_ldm.exe (PID: 1068)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3416)
      • 74BE16.EXE (PID: 3956)
      • asr64_ldm.exe (PID: 3788)
      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
      • asr64_ldm.exe (PID: 1068)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3416)
      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
      • 74BE16.EXE (PID: 3956)
      • 6F63A59D00099D89004AE618E56C3425.exe (PID: 3684)
      • asr64_ldm.exe (PID: 3788)
      • qpqpdndnn.exe (PID: 2300)
      • file.exe (PID: 1812)
      • asr64_ldm.exe (PID: 1068)
    • Manual execution by a user

      • 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3944)
      • 74BE16.EXE (PID: 3956)
      • 6F63A59D00099D89004AE618E56C3425.exe (PID: 3684)
      • asr64_ldm.exe (PID: 3788)
      • cmd.exe (PID: 3820)
      • DisplaySwitch.exe (PID: 1436)
      • file.exe (PID: 1880)
      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
      • cmd.exe (PID: 3148)
      • cmd.exe (PID: 3152)
    • Checks proxy server information

      • 74BE16.EXE (PID: 3956)
      • asr64_ldm.exe (PID: 3788)
      • asr64_ldm.exe (PID: 1068)
    • Creates files in a temporary directory

      • 74BE16.EXE (PID: 3956)
      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
      • file.exe (PID: 1612)
      • qpqpdndnn.exe (PID: 1560)
      • asr64_ldm.exe (PID: 3788)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2928)
    • Creates files or folders in the user directory

      • FeeLCoMz CoMMuNiTy.exe (PID: 2164)
      • asr64_ldm.exe (PID: 3788)
      • asr64_ldm.exe (PID: 1068)
    • Reads the Internet Settings

      • explorer.exe (PID: 984)
    • Creates files in the program directory

      • file.exe (PID: 1812)
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2008:04:14 05:00:00
ZipCRC: 0x0d7438c2
ZipCompressedSize: 196
ZipUncompressedSize: 707
ZipFileName: Virus/_default.pif
No data.
All screenshots are available in the full report
Total processes
91
Monitored processes
36
Malicious processes
19
Suspicious processes
1

Behavior graph

start winrar.exe #WINWEBSEC 6f638c122b17abe917fe28ae7b07d287.exe 74be16.exe 6f63a59d00099d89004ae618e56c3425.exe no specs asr64_ldm.exe cmd.exe no specs displayswitch.exe no specs svchost.exe no specs explorer.exe no specs explorer.exe feelcomz community.exe notepad.exe no specs file.exe no specs file.exe no specs file.exe no specs qpqpdndnn.exe no specs qpqpdndnn.exe qpqpdndnn.exe no specs wuauclt.exe sc.exe no specs net.exe no specs cmd.exe no specs net1.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs asr64_ldm.exe cmd.exe no specs attrib.exe shutdown.exe cmd.exe no specs regsvr32.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
328
CMD:
C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\test.bat
Path:
C:\Windows\System32\cmd.exe
Parent process:
asr64_ldm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1073807364
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
372
CMD:
shutdown -s -f -t 3 -c "niGga mUderFuker nigga, fuk llU vitCh"
Path:
C:\Windows\System32\shutdown.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
PID:
732
CMD:
icacls C:\Windows\system32\wscui.cpl /grant administrators:F
Path:
C:\Windows\System32\icacls.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID:
984
CMD:
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path:
C:\Windows\explorer.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
1068
CMD:
"C:\Users\admin\AppData\Local\Temp\asr64_ldm.exe"
Path:
C:\Users\admin\AppData\Local\Temp\asr64_ldm.exe
Parent process:
asr64_ldm.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
HIGH
Description:
Logical Disk Manager ASR Utility
Exit code:
1073807364
Version:
2600.0.503.0
Modules
Images
c:\users\admin\appdata\local\temp\asr64_ldm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID:
1228
CMD:
takeown /f C:\Windows\system32\wscui.cpl
Path:
C:\Windows\System32\takeown.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1232
CMD:
Notepad.exe C:\Windows\FeeLCoMz\FeeLCoMz CoMMuNiTy.txt
Path:
C:\Windows\System32\notepad.exe
Parent process:
FeeLCoMz CoMMuNiTy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
1436
CMD:
"C:\Users\admin\Desktop\Virus\DisplaySwitch.exe"
Path:
C:\Users\admin\Desktop\Virus\DisplaySwitch.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation (original string: Корпорация Майкрософт)
Integrity Level:
MEDIUM
Description:
Windows Program Manager Group Converter (original string: Конвертор групп диспетчера программ Windows)
Exit code:
0
Version:
5.1.2600.5512 (xpsp.080413-2105)
Modules
Images
c:\users\admin\desktop\virus\displayswitch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
1560
CMD:
"C:\ProgramData\buv2ewwhkqkt1skgh60\qpqpdndnn.exe"
Path:
C:\ProgramData\buv2ewwhkqkt1skgh60\qpqpdndnn.exe
Parent process:
qpqpdndnn.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\buv2ewwhkqkt1skgh60\qpqpdndnn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID:
1608
CMD:
explorer C:\Users\admin\Desktop\Virus\74BE16
Path:
C:\Windows\explorer.exe
Parent process:
74BE16.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
11 061
Read events
10 890
Write events
168
Delete events
3

Modification events

(PID) Process: (3416) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D778FB0E-B10B-4535-A09E-630BBE9CEFB4}\{857FCC3A-0568-40B3-BF83-E5A324CC6E41}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3416) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D778FB0E-B10B-4535-A09E-630BBE9CEFB4}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3416) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE}
Operation: delete key
Name: (default)
Value:

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (2928) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
Executable files
119
Suspicious files
9
Text files
54
Unknown types
0

Dropped files

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\Apa itu Mis imágenes.exe
MD5: 6C08BD41F70D51662DF04EB4ECD2F9EE
SHA256: D24596A87B810ED934078EB7F474973FDE52DD4866C9114BE2E53E720C118750

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\74BE16.EXE
MD5: 65A8F67B004575C3B3D153860BADB665
SHA256: 1019A6D31B4BF33A3C93A282D42B9CD196D8F4BF77526587EA3392D35B849981

PID: 2928 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\AAP76E5.tmp.cmd
MD5: B362798501E0B4332ADF19A4995AE1FA
SHA256: D1CDBDBF0BBBD85FCC81772E9C306D48E05A2E705C52B4A3C83CD91BC8AC5BFB

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\Apa itu Mi música.exe
MD5: 6C08BD41F70D51662DF04EB4ECD2F9EE
SHA256: D24596A87B810ED934078EB7F474973FDE52DD4866C9114BE2E53E720C118750

PID: 2928 | Process: WinRAR.exe | Type: html
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\about.Brontok.A.html
MD5: 50D9697937D20E15B585DCCDC2A188B3
SHA256: CD430DD5277A8A47860A72D4B00458E9986C63506C1A0216020B5ABD5E6516E2

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\6F638C122B17ABE917FE28AE7B07D287\6F638C122B17ABE917FE28AE7B07D287.exe
MD5: D8103D27E795B9753DF3239AB804B03E
SHA256: 4315838DBAD913ADD8E05A1044CFB85D72E472FD65664F198EB841B0F831AC25

PID: 2928 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\6F638C122B17ABE917FE28AE7B07D287\6F638C122B17ABE917FE28AE7B07D287.ico
MD5: EF6B46F858745A383AEAD66FBC674763
SHA256: DE6E0C84C97C14E51667447AB59B9A83DC7517DF0D48D8F72D58729107BF8BC7

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\asr64_ldm.exe
MD5: EC27DCA4E5B59C91E3291DFCDBE2F8BA
SHA256: 02FA72881A596B75820BE43E9E94AE71ED1B0D8E773A507B79019F1FA41DFDF0

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\Administrador's Setting.scr
MD5: 483FCF432217D71544246AA760D98CDC
SHA256: 70D98B736C32160617E8E272C2F5B2C10C72789FE40E27EC16F94FFA09394CD7

PID: 2928 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2928.2855\Virus\1429952535.exe
MD5: 17D34AB78A0C4146046C72FA59F9245F
SHA256: AEA5837BFFCB59FD382D14F4C4A6E96CF8099A2650FDCF709E7CB9735A0275DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
23
Threats
8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3956 | 74BE16.EXE | GET | | 193.104.27.98:80 | http://193.104.27.98/2krn.bin | unknown | | | unknown
3788 | asr64_ldm.exe | GET | 302 | 3.130.204.160:80 | http://Beinahe.com/readdatagateway.php?type=stats&affid=139&subid=1&version=3.0&adwareok | unknown | | | unknown
3944 | 6F638C122B17ABE917FE28AE7B07D287.exe | GET | 404 | 112.121.178.189:80 | http://112.121.178.189/api/urls/?ts=e711e20e&affid=46200 | unknown | html | 146 b | unknown
3788 | asr64_ldm.exe | GET | 200 | 192.229.221.95:80 | http://crl3.digicert.com/Omniroot2025.crl | unknown | binary | 7.94 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3944 | 6F638C122B17ABE917FE28AE7B07D287.exe | 112.121.178.189:80 | | Netsec Limited | HK | unknown
3956 | 74BE16.EXE | 193.104.27.98:80 | | MTS PJSC | RU | unknown
3788 | asr64_ldm.exe | 3.130.204.160:80 | beinahe.com | AMAZON-02 | US | unknown
3788 | asr64_ldm.exe | 104.26.7.37:443 | www.hugedomains.com | CLOUDFLARENET | US | shared
3788 | asr64_ldm.exe | 192.229.221.95:80 | crl3.digicert.com | EDGECAST | US | whitelisted
2324 | wuauclt.exe | 20.72.235.82:80 | update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
fast-online.org | | unknown
beinahe.com | 3.130.204.160 | unknown
www.hugedomains.com | 104.26.7.37 | whitelisted
ctldl.windowsupdate.com | | unknown
ocsp.digicert.com | | unknown
crl3.digicert.com | 192.229.221.95 | whitelisted
update.microsoft.com | 20.72.235.82 | whitelisted
steroids-buy-anabolic.com | | unknown

Threats

PID | Process | Class | Message
3944 | 6F638C122B17ABE917FE28AE7B07D287.exe | Unknown Traffic | ET HUNTING Suspicious Empty User-Agent
3788 | asr64_ldm.exe | A Network Trojan was detected | ET MALWARE Fake AV GET
3788 | asr64_ldm.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP RogueAntiSpyware.AntiVirusPro Checkin
3788 | asr64_ldm.exe | A Network Trojan was detected | ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected
3788 | asr64_ldm.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Fake Wget User-Agent (wget 3.0) - Likely Hostile
3956 | 74BE16.EXE | A Network Trojan was detected | ET MALWARE Zbot Generic URI/Header Struct .bin
3956 | 74BE16.EXE | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
1 ETPRO signature is available in the full report
Process | Message
asr64_ldm.exe | C:\Users\admin\AppData\Roaming\Dr. Guard\drguard.exe
asr64_ldm.exe | C:\Program Files\Dr. Guard\drguard.exe
asr64_ldm.exe | C:\Users\admin\AppData\Roaming\Dr. Guard\drguard.exe
asr64_ldm.exe | C:\Program Files\Dr. Guard\drguard.exe