URL: https://anonfiles.com/70Ucgcabp5/ProtonVPN_Cracked_vX_rar

Full analysis: https://app.any.run/tasks/d35065d2-271f-4e88-b61c-21ea7420d806
Verdict: Malicious activity
Analysis date: September 30, 2020, 09:05:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: A0DD71B5C4C74440C58402925F654991
SHA1: CC1092ACB645C67CCAC0053333CB0B6DD4CA0EE5
SHA256: 277B33E3B1121EF61B139B1C1A5D251D1684AF7CA7F0675A4B495F7858C48CF9
SSDEEP: 3:N8M2bzofzhQwUX:2M2b0KwO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ProtonVPN.exe (PID: 3828)
      • ProtonVPN.exe (PID: 2424)
      • vpn wrapper.exe (PID: 3528)
      • vpn wrapper.exe (PID: 3036)
      • ProtonVPN.exe (PID: 3172)
    • Loads dropped or rewritten executable

      • ProtonVPN.exe (PID: 3828)
    • Changes settings of System certificates

      • ProtonVPN.exe (PID: 3828)
    • Loads the Task Scheduler DLL interface

      • MsiExec.exe (PID: 3208)
      • ProtonVPN.exe (PID: 3828)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3424)
      • ProtonVPN.exe (PID: 3828)
    • Adds / modifies Windows certificates

      • ProtonVPN.exe (PID: 3828)
    • Reads Environment values

      • MsiExec.exe (PID: 3208)
    • Uses WMIC.EXE to obtain system information

      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 3428)
    • Starts CMD.EXE for command execution

      • ProtonVPN.exe (PID: 3828)
  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 3424)
      • ProtonVPN.exe (PID: 2424)
      • ProtonVPN.exe (PID: 3828)
      • vpn wrapper.exe (PID: 3528)
      • vpn wrapper.exe (PID: 3036)
      • ProtonVPN.exe (PID: 3172)
    • Reads the hosts file

      • chrome.exe (PID: 2400)
      • chrome.exe (PID: 2408)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 2408)
    • Application launched itself

      • chrome.exe (PID: 2408)
      • msiexec.exe (PID: 2616)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3424)
    • Reads settings of System Certificates

      • ProtonVPN.exe (PID: 3828)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3208)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ Matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 89
Monitored processes: 36
Malicious processes: 1
Suspicious processes: 1

Behavior graph: interactive view available in the full report (36 monitored processes: 22 chrome.exe, 1 winrar.exe, 3 protonvpn.exe, 2 msiexec.exe, 2 cmd.exe, 2 wmic.exe, 2 findstr.exe, 2 vpn wrapper.exe)

Process information

PID | CMD | Path | Indicators | Parent process

2408 | "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://anonfiles.com/70Ucgcabp5/ProtonVPN_Cracked_vX_rar" | C:\Program Files\Google\Chrome\Application\chrome.exe | | explorer.exe
  User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 3221225547; Version: 75.0.3770.100

3328 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f4aa9d0,0x6f4aa9e0,0x6f4aa9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

960 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1856 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

916 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7755361088232678721 --mojo-platform-channel-handle=1052 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

2400 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=17083291645752353843 --mojo-platform-channel-handle=1536 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

2104 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15370672278048759922 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

3168 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12534636300910111064 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

1896 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2934647022524411427 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

3392 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18051433133902983254 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100

2820 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,14180777060144869701,17544777938815243426,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=17146658598442996598 --mojo-platform-channel-handle=3820 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe
  User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100
Total events: 1 546
Read events: 1 405
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 48
Text files: 119
Unknown types: 9

Dropped files

PID | Process | Filename | Type

2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F744A4D-968.pma |
  (no hashes recorded)
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\5af4aef4-c16a-4140-8392-1a4b9a2f54d2.tmp |
  (no hashes recorded)
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000046.dbtmp |
  (no hashes recorded)
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF2279af.TMP | text
  MD5: 4AFC066387D33D5264F8E796393B223B; SHA256: BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF227980.TMP | text
  MD5: D33038DC70A58F2AC0EA1823980691AE; SHA256: 6EE5DB5588EB879D13CE5A0DB3CA1744079C1BE3F73959A3B900684C56061D97
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text
  MD5: 4AFC066387D33D5264F8E796393B223B; SHA256: BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text
  MD5: D33038DC70A58F2AC0EA1823980691AE; SHA256: 6EE5DB5588EB879D13CE5A0DB3CA1744079C1BE3F73959A3B900684C56061D97
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF22799f.TMP | text
  MD5: D55489ED6031D8B188E37B0B59F5CED3; SHA256: 365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old | text
  MD5: 3401B14F6B2624E5E44EB20FB8735443; SHA256: E32F20AE6528B8952EE2FF112DACEE4E9005868B7DAF85D3533B6F0135403875
2408 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text
  MD5: 745FF98D6EB320D6A946D4C43E8D3317; SHA256: 558AE8B06570B9C63A72F515E6CD288BCA67368A23E349B625D8B1B7E42E9918
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 33
DNS requests: 16
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

2400 | chrome.exe | 172.217.22.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2400 | chrome.exe | 13.225.84.188:443 | djv99sxoqpv11.cloudfront.net | | US | suspicious
2400 | chrome.exe | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious
2400 | chrome.exe | 172.64.139.6:443 | anonfiles.com | Cloudflare Inc | US | suspicious
2400 | chrome.exe | 172.217.16.205:443 | accounts.google.com | Google Inc. | US | whitelisted
2400 | chrome.exe | 34.196.151.230:443 | baconaces.pro | Amazon.com, Inc. | US | malicious
2400 | chrome.exe | 216.58.206.3:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
2400 | chrome.exe | 217.64.149.25:443 | cdn-113.anonfiles.com | | IR | unknown
2400 | chrome.exe | 216.58.210.14:443 | clients2.google.com | Google Inc. | US | whitelisted
2400 | chrome.exe | 172.217.23.163:443 | www.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation

anonfiles.com | 172.64.139.6, 172.64.138.6 | shared
clientservices.googleapis.com | 172.217.22.99 | whitelisted
accounts.google.com | 172.217.16.205 | shared
vjs.zencdn.net | 151.101.2.217, 151.101.66.217, 151.101.130.217, 151.101.194.217 | whitelisted
djv99sxoqpv11.cloudfront.net | 13.225.84.188, 13.225.84.103, 13.225.84.11, 13.225.84.96 | shared
baconaces.pro | 34.196.151.230, 52.206.71.220, 52.86.219.129, 54.144.3.29, 54.237.125.12 | shared
counterry.club | 13.226.155.124, 13.226.155.119, 13.226.155.98, 13.226.155.14 | whitelisted
leneshedhous.club | 13.225.73.12, 13.225.73.39, 13.225.73.78, 13.225.73.100 | suspicious
providentsopport.site | 143.204.94.127, 143.204.94.35, 143.204.94.75, 143.204.94.118 | whitelisted
cdn-113.anonfiles.com | 217.64.149.25 | unknown

Threats

PID | Process | Class | Message

2400 | chrome.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window

Debug info: none