| File name: | File_pass1234.7z.7z |
| Full analysis: | https://app.any.run/tasks/342847f8-0ed2-40a8-9f0e-2fc63180d6ae |
| Verdict: | Malicious activity |
| Threats: | PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. |
| Analysis date: | May 16, 2023, 07:36:19 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 38EFC6C8E0E71D25E4AA90A4CE84A8BD |
| SHA1: | 540A21F1B9186C77FAD22506B8124B3EE0A53721 |
| SHA256: | 2947FA95E12153464839C21A25CA644A6194F08AAD73701A801FA109675D8EDF |
| SSDEEP: | 98304:W9RsgBevCjMVnlyw1dEXdpegleaRd7yKsz6AV1Ht7NmHu8cNjYMBVKU0DLt:WjjoyMd2dpeYea3lArH9NmHV6M8N0D |
MALICIOUS
PRIVATELOADER was detected
- Install.exe (PID: 4048)
Connects to the CnC server
- Install.exe (PID: 4048)
PRIVATELOADER detected by memory dumps
- Install.exe (PID: 4048)
SUSPICIOUS
Application launched itself
- WinRAR.exe (PID: 3924)
Connects to the server without a host name
- Install.exe (PID: 4048)
Reads settings of System Certificates
- Install.exe (PID: 4048)
Checks for external IP
- Install.exe (PID: 4048)
INFO
Checks supported languages
- Install.exe (PID: 4048)
Reads the computer name
- Install.exe (PID: 4048)
The process checks LSA protection
- Install.exe (PID: 4048)
Reads the machine GUID from the registry
- Install.exe (PID: 4048)
Manual execution by a user
- chrome.exe (PID: 3200)
- firefox.exe (PID: 4044)
Application launched itself
- chrome.exe (PID: 3200)
- firefox.exe (PID: 4044)
- firefox.exe (PID: 3316)
Create files in a temporary directory
- firefox.exe (PID: 3316)
- chrome.exe (PID: 3200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
PrivateLoader
(PID) Process(4048) Install.exe
C2 (9)http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.131.106.196
5.181.80.133
94.142.138.131
94.142.138.113
208.67.104.60
Attributes
Payload (36)https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
http://mnbuiy.pw/adsli/note8876.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
https://iplogger.org/2BTmf7
https://iplogger.org/2BAmf7
https://iplogger.org/2BDmf7
https://iplogger.org/2BFmf7
https://iplogger.org/2s2pg6
https://iplogger.org/2s3pg6
https://iplogger.org/2s4pg6
https://iplogger.org/2s5pg6
https://iplogger.org/2s6pg6
https://iplogger.org/2s7pg6
Strings (824)Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden
iplogger.org/1nhuM4.js
SOFTWARE\LilFreske
Installed
SOFTWARE\LilFreskeUS
IsWow64Process
GetModuleHandleA
LoadLibraryA
SetPriorityClass
Sleep
GetTempPathA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
CreateThread
CloseHandle
VirtualAlloc
VirtualFree
OpenProcess
TerminateProcess
GetUserGeoID
ntdll.dll
NtQuerySystemInformation
RtlGetVersion
Shell32.dll
ShellExecuteA
SHGetFolderPathA
Advapi32.dll
RegOpenKeyExA
RegSetValueExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegQueryValueExA
RegEnumKeyExA
ConvertSidToStringSidA
LookupAccountNameA
WINHTTP.dll
wininet.dll
GetComputerNameA
VerSetConditionMask
VerifyVersionInfoW
GetGeoInfoA
GetCurrentProcess
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
GetCurrentProcessId
CreateToolhelp32Snapshot
Process32First
Process32Next
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
User32.dll
CharToOemA
//Minor Policy
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Exclusions_Extensions
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware
DisableRoutinelyTakingAction
SOFTWARE\Policies\Microsoft\Windows\System
EnableSmartScreen
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
DisableBehaviorMonitoring
DisableOnAccessProtection
DisableScanOnRealtimeEnable
DisableRealtimeMonitoring
DisableIOAVProtection
DisableRawWriteNotification
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows Server
Windows 10
Windows 8.1
Windows 8
Windows 7
Windows Vista
Windows XP
(x64)
(x32)
explorer.exe
current
children
SOFTWARE\Classes\ms-settings\Shell\Open\command
DelegateExecute
\ComputerDefaults.exe
SOFTWARE\Classes
ms-settings\Shell\Open\command
ms-settings\Shell\Open
ms-settings\Shell
ms-settings
data=
/api/firegate.php
Error!
onlyType
ext_url
cfg_url
ipinfo.io/widget
country
company
Google LLC
db-ip.com
data-api-key="
/self
countryCode
organization
www.maxmind.com/geoip/v2.1/city/me
iso_code
traits
GetIP
api.ipgeolocation.io/ipgeo?include=hostname&ip=
country_code2
/api/tracemap.php
http://
15.5pnp.10.lock
Guest Profile
System Profile
\Google\Chrome\Application
(x86)\Google\Chrome\Application
SOFTWARE\Google\Chrome\BLBeacon
version
\resources.pak
SOFTWARE\Google\Chrome\PreferenceMACs
\Google\Chrome\User Data\
\Secure Preferences
filter_browsers
chrome
browser
use_open_browser
extensions
settings
install_time
\Extensions\
\u003C
protection
extensions.settings.
super_mac
chrome.exe
ChromeRegistryHashStoreValidationSeed
\extensions.settings
SOFTWARE\Google\Chrome\PreferenceMACs\
\chrome.exe
\Microsoft\Edge\Application
(x86)\Microsoft\Edge\Application
SOFTWARE\Microsoft\Edge\BLBeacon
SOFTWARE\Microsoft\Edge\PreferenceMACs
\Microsoft\Edge\User Data\
msedge.exe
SOFTWARE\Microsoft\Edge\PreferenceMACs\
\msedge.exe
\Roaming
\atomic
\Atomic Wallet
\com.liberty.jaxx
\Electrum
\Exodus
\MultiDoge
\Monero
\binance.chain
\Binance
\Metamask
\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
sorare.com
yobit.net
zb.com
binance.com
huobi.com
okex.com
hitbtc.com
bitfinex.com
kraken.com
bitstamp.net
payoneer.com
bittrex.com
bittrex.zendesk.com
gate.io
exmo.com
yobit.io
bitflyer.com
poloniex.com
kucoin.com
coinone.co.kr
localbitcoins.com
korbit.co.kr
cex.io
luno.com
bitkonan.com
jubi.com
koinex.in
koineks.com
kuna.io
koinim.com
kiwi-coin.com
leoxchange.com
lykke.com
localtrade.cc
magnr.com
lbank.info
itbit.com
gemini.com
gdax.com
gatehub.net
satoshitango.com
foxbit.com.br
flowbtc.com.br
exx.com
exrates.me
excambriorex.com
ezbtc.ca
infinitycoin.exchange
tdax.com
stex.com
vbtc.exchange
coinmarketcap.com
vwlpro.com
nocks.com
nlexch.com
novaexchange.com
mynxt.info
nzbcx.com
nevbit.com
mixcoins.com
mr.exchange
neraex.pro
dsx.uk
okcoin.com
liquid.com
quoine.com
quadrigacx.com
rightbtc.com
rippex.net
ripplefox.com
qryptos.com
ore.bz
openledger.info
omnidex.io
paribu.com
paymium.com
dcexchange.ru
dcexe.com
bitmex.com
funpay.ru
bitmaszyna.pl
bitonic.nl
bitpanda.com
bitsblockchain.net
bitmarket.net
bitlish.com
bitfex.trade
blockchain.com
blockchain.info
cryptofresh.com
btcmarkets.net
braziliex.com
btc-trade.com.ua
btc-alpha.com
bitspark.io
bitso.com
bittylicious.com
altcointrader.co.za
arenabitcoin.com
allcoin.com
796.com
abucoins.com
aidosmarket.com
bitcointrade.com
bitcointoyou.com
bitbanktrade.jp
big.one
bcex.ca
bitconnect.co
coinsbank.com
coinsecure.in
coinsquare.com
coinspot.io
coinsmarkets.com
crypto-bridge.org
dcex.com
dabtc.com
decentrex.com
deribit.com
dgtmarket.com
btcturk.com
btcxindia.com
bt.cx
bitstarcoin.com
coincheck.com
coinmate.io
coingi.com
coinnest.co.kr
coinrail.co.kr
coinpit.io
coingather.com
coinfloor.co.uk
coinegg.com
coincorner.com
coinexchange.io
pancakeswap.finance
coinbase.com
livecoin.net
mercatox.com
cryptobridge.freshdesk.com
volabit.com
tradeogre.com
bitkub.com
uphold.com
wallet.uphold.com
login.blockchain.com
tidex.com
coinome.com
coinpayments.net
bitmax.io
bitbank.cc
independentreserve.com
bitmart.com
cryptopia.co.nz
cryptonator.com
advcash.com
my.dogechain.info
spectrocoin.com
exir.io
exir.tech
coinbene.com
bitforex.com
gopax.co.kr
catex.io
vindax.com
coineal.com
maicoin.com
finexbox.com
etherflyer.com
bx.in.th
bitopro.com
citex.co.kr
coinzo.com
atomars.com
coinfinit.com
bitker.com
dobitrade.com
btcexa.com
satowallet.com
cpdax.com
trade.io
btcnext.io
exmarkets.com
btc-exchange.com
chaoex.com
jex.com
therocktrading.com
gdac.com
southxchange.com
tokens.net
fexpro.net
btcbox.co.jp
coinmex.com
cryptology.com
cointiger.com
cashierest.com
coinbit.co.kr
mxc.com
bilaxy.com
coinall.com
coindeal.com
omgfin.com
oceanex.pro
bithumb.com
ftx.com
shortex.net
coin.z.com
fcoin.com
fatbtc.com
tokenize.exchange
simex.global
instantbitex.com
\Login Data
SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs
\BraveSoftware\Brave-Browser\User Data\
SOFTWARE\CryptoTab Browser\PreferenceMACs
\CryptoTab Browser\User Data\
\Opera Software\Opera Stable
ascendex.com
crypto.com
coins.ph
coins.th
dogechain.info
miningpoolhub.com
/vpn/index.html
portal/webclient
remote/login
/vpn/tmindex.html
/LogonPoint/tmindex.html
XenApp1/auth/login.aspx
auth/silentDetection.aspx
/citrix/
/RDWeb/
/+CSCOE+/
/global-protect/
sslvpn.
/dana-na/
/my.policy
ncsecu.org
penfed.org
becu.org
schoolsfirstfcu.org
firsttechfed.com
golden1.com
alliantcreditunion.org
americafirst.com
suncoastcreditunion.com
secumd.org
safecu.org
missionfed.com
greendot.com
rbfcu.org
macu.com
dcu.org
ssfcu.org
bethpagefcu.com
starone.org
alaskausa.org
sdccu.com
aacreditunion.org
lmcu.org
teachersfcu.org
patelco.org
esl.org
onpointcu.com
logixbanking.com
psecu.com
deltacommunitycu.com
ent.com
cefcu.com
greenstate.org
unfcu.org
pffcu.org
wingsfinancial.com
iccu.comdesertfinancial.com
iccu.com
desertfinancial.com
hvfcu.org
wpcu.coop
redwoodcu.org
tcunet.com
wsecu.org
joviafinancial.com
coastal24.com
myeecu.org
gecreditunion.org
nymcu.org
affinityfcu.com
towerfcu.org
ccu.com
communityamerica.com
langleyfcu.org
credithuman.com
techcu.com
gecu.com
kfcu.org
applefcu.org
nasafcu.com
sfcu.org
genisyscu.org
unifyfcu.com
apcocu.org
firstcommunity.com
unitedfcu.com
fairwinds.org
ufcu.org
wescom.org
bcu.org
vacu.org
citadelbanking.com
servicecu.org
summitcreditunion.com
gesa.com
chevronfcu.org
traviscu.org
uwcu.org
communityfirstcu.org
ecu.org
sccu.com
bfsfcu.org
bellco.org
dfcufinancial.com
msufcu.org
members1st.org
landmarkcu.com
kinecta.org
midflorida.com
visionsfcu.org
veridiancu.org
statefarmfcu.com
tinkerfcu.org
sefcu.com
americanheritagecu.org
robinsfcu.org
canvas.org
growfinancial.org
truliantfcu.org
ascend.org
foundersfcu.com
calcoastcu.org
ucu.org
connexuscu.org
slfcu.org
numericacu.com
eecu.org
georgiasown.org
nusenda.org
tvacreditunion.com
pcu.org
msgcu.org
nuvisionfederal.com
trumarkonline.org
navigantcu.org
ornlfcu.com
jscfcu.org
lgfcu.org
elevationscu.com
gtefinancial.org
chartway.com
ecu.com
sdfcu.org
apcu.com
schools.org
metrocu.org
campuscu.com
adviacu.org
psfcu.com
andrewsfcu.org
eglinfcu.org
imcu.com
americaneagle.org
ttcu.com
vantagewest.org
empowerfcu.com
rfcu.com
capcomfcu.org
arizonafederal.org
csecreditunion.com
communityfirstfl.org
bayportcu.org
gwcu.org
wecu.com
stgeorge.com.au
imb.com.au
ing.com.au
bankofmelbourne.com.au
regionalaustraliabank.com
suncorp.com.au
regionalaustraliabank.com.au
bmo.com
cwbank.com
royalbank.com
vancity.com
servus.ca
coastcapitalsavings.com
alterna.ca
interiorsavings.com
synergycu.ca
mainstreetcu.ca
cu.com
fcu.com
robinhood.com
navyfederal.org
tboholidays.com
24x7rooms.com
adonis.com
abreuonline.com
almundo.com.ar
bonotel.com
bookohotel.com
didatravel.com
dotwconnect.com
eetglobal.com
escalabeds.com
fastpayhotels.com
getaroom.com
goglobal.travel
hoteldo.com.mx
hotelspro.com
jumbonline.com
kaluahtours.com
lci-euro.com
lotsofhotels.com
mikinet.co.uk
misterroom.com
nexustours.com
olympiaeurope.com
paximum.com
restel.es
rezserver.com
rezlive.com
sunhotels.com
totalstay.com
travco.co.uk
travellanda.com
smyrooms.com
welcomebeds.com
yalago.com
hotelbeds.com
mercadolibre.com.mx
hsbc.com.mx
bbvanetcash.mx
scotiabank.com.mx
santander.com.mx
bbva.mx
opensea.io
plantvsundead.com
axieinfinity.com
cryptocars.me
bombcrypto.io
cryptoplanes.me
cryptozoon.io
bankalhabib.com
correosprepago.es
orangebank.es
amazon.it
amazon.ca
amazon.de
amazon.com
netspend.com
online.citi.com
cloud.ibm.com
ca.ovh.com
account.alibabacloud.com
cloud.huawei.com
cloud.tencent.com
vultr.com
aws.amazon.com
portal.azure.com
digitalocean.com
console.scaleway.com
hetzner.com
linode.com
oracle.com
rackspace.com
phoenixnap.com
leaseweb.com
sso.ctl.io
ctl.io
lumen.com
paypal.com
WW_P_7
WW_P_8
https://
WW_P_
WW_P_1
links
ezstat.ru/1BfPg7
USA_1
iplis.ru/1BX4j7.png
iplis.ru/1BV4j7.mp4
USA_2
iplogger.org/1nkuM4.jpeg
iplis.ru/1BNhx7.mp3
iplis.ru/1pRXr7.txt
SetIncrement|ww_starts
false
iplis.ru/1S2Qs7.mp3
iplis.ru/1S3fd7.mp3
iplis.ru/17VHv7.mp3
iplis.ru/1GLDc7.mp3
iplis.ru/1xDsk7.mp3
iplis.ru/1xFsk7.mp3
WW_OPERA
iplis.ru/1GCuv7.pdf
iplis.ru/1lmex.mp3
iplis.ru/1Gemv7.mp3
WW_10
iplis.ru/1Gymv7.mp3
WW_11
iplis.ru/1tqHh7.mp3
WW_12
iplis.ru/1aFYp7.mp3
WW_13
iplis.ru/1cC8u7.mp3
WW_14
iplis.ru/1cN8u7.mp3
WW_15
iplis.ru/1kicy7.mp3
iplis.ru/1BMhx7.mp3
WW_16
iplis.ru/1edLy7.png
WW_17
iplis.ru/1nGPt7.png
WW_P_2
iplis.ru/1Bshv7.mp3
WW_P_3
iplis.ru/1Lgnh7.mp3
WW_P_4
iplis.ru/1vt8c7.mp3
WW_P_5
iplis.ru/1IcfD.mp3
WW_P_6
iplis.ru/1eXqs7.mp3
iplis.ru/1Unzy7.mp3
WW_18
iplis.ru/12hYs7.mp3
WW_19
iplis.ru/12d8d7.mp3
WW_20
iplis.ru/1Uvgu7.mp3
WW_21
iplis.ru/1jvTz7.mp3
browsers
Chrome:
Edge:
os_country_code
ip_country
AddExtensionStat|
net_country_code
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://91.241.19.125/pub.php?pub=one
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
http://mnbuiy.pw/adsli/note8876.exe
http://sarfoods.com/index.php
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
https://iplogger.org/2BTmf7
https://iplogger.org/2BAmf7
https://iplogger.org/2BDmf7
https://iplogger.org/2BFmf7
https://iplogger.org/2s2pg6
https://iplogger.org/2s3pg6
https://iplogger.org/2s4pg6
https://iplogger.org/2s5pg6
https://iplogger.org/2s6pg6
https://iplogger.org/2s7pg6
crypto_wallets
domain
bank_wallets
cu_bank_wallets
shop_wallets
bank_au_wallets
amazon_eu
webhosts
paypal
bank_ca_wallets
browser_vbmt
GetCryptoSleeping
45.15.156.229
85.208.136.10
94.131.106.196
5.181.80.133
94.142.138.131
94.142.138.113
208.67.104.60
cryptoWallets
status
bankWallets
cuBankWallets
shops
bankAUWallets
bankCAWallets
cryptoWallets_part1
cryptoWallets_part2
bankWallets_part1
bankWallets_part2
bankMXWallets
cryptoGames
bankPKWallets
bankESWallets
SetLoaderAnalyze|
SetIncrement|not_elevated
WinHttpConnect
WinHttpQueryHeaders
WinHttpOpen
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpCloseHandle
WinHttpSetTimeouts
InternetOpenA
InternetSetOptionA
HttpOpenRequestA
InternetConnectA
InternetOpenUrlA
HttpQueryInfoA
InternetQueryOptionA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
75
Monitored processes
34
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1140 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3924.7387\File_pass1234.7z | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1188 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 1248 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 1352 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 1644 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 1928 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 1960 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 2116 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3316.0.1660184909\544422197" -parentBuildID 20201112153044 -prefsHandle 1100 -prefMapHandle 1092 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3316 "\\.\pipe\gecko-crash-server-pipe.3316" 1184 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 83.0 Modules
| |||||||||||||||
| 2476 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1300 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
| 2488 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,7800048299241676724,10115153170656650276,131072 --enable-features=PasswordImport --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
Total events
18 776
Read events
18 632
Write events
121
Delete events
23
Modification events
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
2
Suspicious files
214
Text files
134
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3924 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3924.7387\File_pass1234.7z | — | |
MD5:— | SHA256:— | |||
| 1140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1140.8408\Install.exe | — | |
MD5:— | SHA256:— | |||
| 3200 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-646332EE-C80.pma | — | |
MD5:— | SHA256:— | |||
| 2912 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma | binary | |
MD5:03C4F648043A88675A920425D824E1B3 | SHA256:F91DBB7C64B4582F529C968C480D2DCE1C8727390482F31E4355A27BB3D9B450 | |||
| 3200 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version | text | |
MD5:00046F773EFDD3C8F8F6D0F87A2B93DC | SHA256:593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731 | |||
| 4048 | Install.exe | C:\Windows\System32\GroupPolicy\gpt.ini | text | |
MD5:FED929AE34422010496B5B4A1827A501 | SHA256:2DDA40A266ECA9DDD736701EFA24C6FE186EDD6737DB7BF52BFFE32D614667ED | |||
| 3200 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\991e62ac-3286-4fb7-91fd-d612dc98572c.tmp | binary | |
MD5:5058F1AF8388633F609CADB75A75DC9D | SHA256:— | |||
| 4048 | Install.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary | |
MD5:CB74C9519D11B70696475FC269EC1815 | SHA256:0192DC85F901F57C4A346C1F77CE2D5E5193A0B4BBCB6CA51F9F676E95CD87A4 | |||
| 3200 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat | binary | |
MD5:9C016064A1F864C8140915D77CF3389A | SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787 | |||
| 3200 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF128b8f.TMP | text | |
MD5:81F483F77EE490F35306A4F94DB2286B | SHA256:82434CE3C9D13F509EBEEBE3A7A1A1DE9AB4557629D9FC855761E0CFA45E8BCE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
87
DNS requests
76
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4048 | Install.exe | GET | — | 94.142.138.131:80 | http://94.142.138.131/api/tracemap.php | RU | — | — | malicious |
4048 | Install.exe | GET | 301 | 104.17.215.67:80 | http://www.maxmind.com/geoip/v2.1/city/me | US | — | — | whitelisted |
4048 | Install.exe | GET | 404 | 5.181.80.133:80 | http://5.181.80.133/api/tracemap.php | BG | text | 70 b | malicious |
2476 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | binary | 242 Kb | whitelisted |
3316 | firefox.exe | POST | 200 | 2.16.186.10:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
3316 | firefox.exe | POST | 200 | 2.16.186.10:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
3316 | firefox.exe | POST | 200 | 2.16.186.10:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | shared |
4048 | Install.exe | GET | 200 | 208.67.104.60:80 | http://208.67.104.60/api/tracemap.php | US | text | 15 b | malicious |
3316 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | binary | 471 b | whitelisted |
3316 | firefox.exe | POST | 200 | 2.16.186.10:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4048 | Install.exe | 94.131.106.196:80 | — | Stark Industries Solutions Ltd | NL | malicious |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3412 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4048 | Install.exe | 5.181.80.133:80 | — | Tamatiya EOOD | BG | malicious |
4048 | Install.exe | 172.67.75.166:443 | db-ip.com | CLOUDFLARENET | US | malicious |
4048 | Install.exe | 104.17.215.67:80 | www.maxmind.com | CLOUDFLARENET | — | shared |
2612 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
4048 | Install.exe | 104.17.215.67:443 | www.maxmind.com | CLOUDFLARENET | — | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ipinfo.io |
| shared |
db-ip.com |
| whitelisted |
api.db-ip.com |
| shared |
www.maxmind.com |
| whitelisted |
watson.microsoft.com |
| whitelisted |
clients2.google.com |
| whitelisted |
www.google.com |
| malicious |
accounts.google.com |
| shared |
clients2.googleusercontent.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4048 | Install.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 39 |
4048 | Install.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
3 ETPRO signatures available at the full report