File name: 1f7553701ef80138d6fd387a8a5919bd34684600b8c81e45102d2a4c720786c1.zip

Full analysis: https://app.any.run/tasks/f6b42d19-a720-4e42-b80d-722c772110da
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: June 15, 2024, 12:11:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
hijackloader
loader
vidar
telegram
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 142B855D560838F934E48FD1CC796822
SHA1: 94B2A4A1693B2F64D3263A30AFAA4B74464B8D3A
SHA256: 1F7553701EF80138D6FD387A8A5919BD34684600B8C81E45102D2A4C720786C1
SSDEEP: 98304:1r2b/poVp3h14HIcqh0V2cP5XDgRJTsaemX6mQwyXc/RL+mEs+68g0aRLB6yK/Uu:xGqC+W1pKLo4GBdf3YpXLmClqi3eePC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6320)
      • Setup.exe (PID: 6952)
    • HIJACKLOADER has been detected (YARA)

      • netsh.exe (PID: 7120)
      • coml.au3 (PID: 4916)
      • netsh.exe (PID: 6972)
      • netsh.exe (PID: 4360)
    • VIDAR has been detected (YARA)

      • coml.au3 (PID: 4916)
    • Actions look like stealing of personal data

      • coml.au3 (PID: 4916)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Setup.exe (PID: 6952)
      • WinRAR.exe (PID: 6832)
    • The process drops C-runtime libraries

      • Setup.exe (PID: 6952)
    • Suspicious use of NETSH.EXE

      • Setup.exe (PID: 6952)
      • Setup.exe (PID: 7088)
      • Setup.exe (PID: 5380)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 6952)
      • netsh.exe (PID: 6972)
    • Starts application with an unusual extension

      • netsh.exe (PID: 6972)
      • netsh.exe (PID: 7120)
    • Reads security settings of Internet Explorer

      • coml.au3 (PID: 4916)
    • Checks Windows Trust Settings

      • coml.au3 (PID: 4916)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • coml.au3 (PID: 4916)
    • Connects to unusual port

      • coml.au3 (PID: 4916)
    • Searches for installed software

      • coml.au3 (PID: 4916)
  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 6832)
      • Setup.exe (PID: 7088)
      • Setup.exe (PID: 6952)
      • Setup.exe (PID: 5380)
    • Create files in a temporary directory

      • Setup.exe (PID: 6952)
      • Setup.exe (PID: 7088)
      • netsh.exe (PID: 6972)
      • netsh.exe (PID: 7120)
      • Setup.exe (PID: 5380)
      • netsh.exe (PID: 4360)
    • Checks supported languages

      • Setup.exe (PID: 7088)
      • Setup.exe (PID: 6952)
      • coml.au3 (PID: 4916)
      • coml.au3 (PID: 4428)
      • Setup.exe (PID: 5380)
    • Reads the computer name

      • Setup.exe (PID: 7088)
      • Setup.exe (PID: 6952)
      • coml.au3 (PID: 4916)
      • coml.au3 (PID: 4428)
      • Setup.exe (PID: 5380)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 6952)
      • coml.au3 (PID: 4916)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6832)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6832)
      • netsh.exe (PID: 6972)
    • Creates files in the program directory

      • coml.au3 (PID: 4916)
    • Checks proxy server information

      • coml.au3 (PID: 4916)
    • Reads the software policy settings

      • coml.au3 (PID: 4916)
    • Reads the machine GUID from the registry

      • coml.au3 (PID: 4916)
    • Reads Environment values

      • coml.au3 (PID: 4916)
    • Reads product name

      • coml.au3 (PID: 4916)
    • Reads CPU info

      • coml.au3 (PID: 4916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Vidar

(PID) Process: (4916) coml.au3
C2: https://t.me/memve4erin
URL: https://steamcommunity.com/profiles/76561199699680841
RC4: 2910114286690104117195131148
Strings (316):
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeoFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
NtQueryInformationProcess
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
GetEnvironmentVaribleA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snpshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVaribleA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformaionEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStrem
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\\ProgramData\\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternaKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\\ProgramData\\
SELECT origin_url, username_value, password_value FROM logins
Soft:
profile:
Host:
Login:
Password:
Opera
OperaGX
Network
Cookies
.txt
TRUE
SELECT HOS_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
FALSE
Autofill
SELECT name, vaue FROM auofill
History
SELECT url FROM urls LIMIT 1000
CC
Name:
SELECT name_on_card, expiration_month, expirtion_year, card_number_encrypted FROM credit_cards
Month:
Year:
Card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecur, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
Plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
Wallets
%08lX%04lX%lu
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
DisplayName
HARDWARE\\DESCRIPTION\\Sysem\\CentralProcessor\\0
ProcessorNameString
SOFTWARE\\Microsoft\\Windows\\CurrentVrsion\\Uninstall
DisplayVersion
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dl
\\Temp\\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
Files
\\discord\\
\\Local Storage\\leveldb\\CURRENT
\\Local Storage\\leveldb
\\Telegram Desktop\\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
\\Outlook\\accounts.txt
Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
Pidgin
Software\\Microsoft\\Office\\13.\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
Software\\Microsoft\\Office\\14.\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
Software\\Microsoft\\Office\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
\\.purple\\
Software\\Microsoft\\Office\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
accounts.xml
Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\
00000001
00000002
00000003
00000004
dQw4w9WgXcQ
token:
Software\\Valve\\Steam
SteamPath
\\config\\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\\Steam\\
sqlite3.dll
browsers
done
Soft
\\Discord\\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\\ProgrmData\\*.dll"" & xit
C:\\Windows\\system32\\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:14 16:12:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: #!~#0Pen_9898_P@$SW0rd~!!$/
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 14
Malicious processes: 8
Suspicious processes: 0

Behavior graph

start winrar.exe no specs winrar.exe rundll32.exe no specs setup.exe #HIJACKLOADER netsh.exe conhost.exe no specs setup.exe #HIJACKLOADER netsh.exe no specs conhost.exe no specs #VIDAR coml.au3 coml.au3 no specs setup.exe no specs #HIJACKLOADER netsh.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4360
CMD: C:\WINDOWS\SysWOW64\netsh.exe
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 4428
CMD: C:\Users\admin\AppData\Local\Temp\coml.au3
Path: C:\Users\admin\AppData\Local\Temp\coml.au3
Parent process: netsh.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
HIGH
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
Modules
Images
c:\users\admin\appdata\local\temp\shkpaako
c:\users\admin\appdata\local\temp\coml.au3
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 4916
CMD: C:\Users\admin\AppData\Local\Temp\coml.au3
Path: C:\Users\admin\AppData\Local\Temp\coml.au3
Parent process: netsh.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
Modules
Images
c:\users\admin\appdata\local\temp\pwxfjflvenko
c:\users\admin\appdata\local\temp\coml.au3
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 5380
CMD: "C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"
Path: C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Electronic Arts
Integrity Level:
MEDIUM
Description:
EA
Exit code:
1
Version:
13, 162, 0, 5675
Modules
Images
c:\users\admin\desktop\#!~#0pen_9898_p@$sw0rd~!!$\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\users\admin\desktop\#!~#0pen_9898_p@$sw0rd~!!$\qt5core.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\users\admin\desktop\#!~#0pen_9898_p@$sw0rd~!!$\steam_api64.dll
PID: 5860
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6320
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\1f7553701ef80138d6fd387a8a5919bd34684600b8c81e45102d2a4c720786c1.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6832
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\1f7553701ef80138d6fd387a8a5919bd34684600b8c81e45102d2a4c720786c1.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6916
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6952
CMD: "C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"
Path: C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Electronic Arts
Integrity Level:
MEDIUM
Description:
EA
Exit code:
1
Version:
13, 162, 0, 5675
Modules
Images
c:\users\admin\desktop\#!~#0pen_9898_p@$sw0rd~!!$\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 6972
CMD: C:\WINDOWS\SysWOW64\netsh.exe
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 10 564
Read events: 10 460
Write events: 104
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtBMP |
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtIcon |
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\1f7553701ef80138d6fd387a8a5919bd34684600b8c81e45102d2a4c720786c1.zip
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name | 120
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size | 80
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type | 120
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime | 100
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | name | 256
(6320) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | size | 80
Executable files: 43
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\amphipod.tiff |
MD5:
SHA256:
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\hogg.pptx | binary
MD5: 4A1BB50A70821601F854CB93681F57A1
SHA256: 4DB21E4665018A3E6CD03EC1B65F42A1C6C8F8046B3F451A1E025A2013E8203F
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\libcrypto-1_1-x64.dll | executable
MD5: 28DEA3E780552EB5C53B3B9B1F556628
SHA256: 52415829D85C06DF8724A3D3D00C98F12BEABF5D6F3CBAD919EC8000841A86E8
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\msvcp140.dll | executable
MD5: 1BA6D1CF0508775096F9E121A24E5863
SHA256: 74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Qt5Core.dll | executable
MD5: 1CCC90E7AAC237B45A75292BC9145CB9
SHA256: 2E33FE29145A2F13DCB56635EB292F6C25C116E1E14FA081EB728EE04071AE25
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\libssl-1_1-x64.dll | executable
MD5: 4AD03043A32E9A1EF64115FC1ACE5787
SHA256: A0E43CBC4A2D8D39F225ABD91980001B7B2B5001E8B2B8292537AE39B17B85D1
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | executable
MD5: AD2735F096925010A53450CB4178C89E
SHA256: 4E775B5FAFB4E6D89A4694F8694D2B8B540534BD4A52FF42F70095F1C929160E
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\Qt5Network.dll | executable
MD5: C24C89879410889DF656E3A961C59BCC
SHA256: 739BEDCFC8EB860927EB2057474BE5B39518AAAA6703F9F85307A432FA1F236E
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\msvcp140_1.dll | executable
MD5: 69D96E09A54FBC5CF92A0E084AB33856
SHA256: A3A1199DE32BBBC8318EC33E2E1CE556247D012851E4B367FE853A51E74CE4EE
6832 | WinRAR.exe | C:\Users\admin\Desktop\#!~#0Pen_9898_P@$SW0rd~!!$\steam_api64.dll | executable
MD5: 6B4AB6E60364C55F18A56A39021B74A6
SHA256: 1DB3FD414039D3E5815A5721925DD2E0A3A9F2549603C6CAB7C49B84966A1AF3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 31
DNS requests: 6
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4080 | svchost.exe | GET | 200 | 2.19.117.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.19.117.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5524 | RUXIMICS.exe | GET | 200 | 2.19.117.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 95.101.172.129:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5524 | RUXIMICS.exe | GET | 200 | 95.101.172.129:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4080 | svchost.exe | GET | 200 | 95.101.172.129:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
GET | 172.67.133.78:443 | https://feeldog.xyz/ | unknown
GET | 200 | 149.154.167.99:443 | https://t.me/memve4erin | unknown | html | 12.0 Kb
POST | 200 | 51.104.15.252:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4080 | svchost.exe | 20.73.194.208:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
5524 | RUXIMICS.exe | 20.73.194.208:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
239.255.255.250:1900 | unknown
4080 | svchost.exe | 2.19.117.22:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown
5140 | MoUsoCoreWorker.exe | 2.19.117.22:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown
5524 | RUXIMICS.exe | 2.19.117.22:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown
4 | System | 192.168.100.255:137 | whitelisted
5140 | MoUsoCoreWorker.exe | 95.101.172.129:80 | www.microsoft.com | AKAMAI-AS | SE | unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.19.117.22
  • 2.19.117.18
whitelisted
www.microsoft.com
  • 95.101.172.129
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
feeldog.xyz
  • 104.21.13.222
  • 172.67.133.78
unknown
t.me
  • 149.154.167.99
whitelisted
self.events.data.microsoft.com
  • 52.168.112.67
whitelisted

Threats

PID | Process | Class | Message
4916 | coml.au3 | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info