Malware analysis 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe Malicious activity

Add for printing

File name:	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe
Full analysis:	https://app.any.run/tasks/1b9a6d10-7342-4eca-88b8-d11ae3482cd7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	February 09, 2024, 15:26:08
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion privateloader loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	22BCDFC5882494840B272828FE2267E9
SHA1:	6F24B49C7E1D9B1D9BC34BCCB121584517A1D8D1
SHA256:	29F973EB617A2D99D19379F7045FB468AE275DCC82E07FBEF840483A65C3BC9D
SSDEEP:	98304:ggl4dbSf9QzDi12gmTKRXToaaqIplnK5MdBEBMobn2U0RN5TK4/5PbTuY8t5HrV6:fjq00sl4C9qp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Creates a writable file in the system directory
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Drops the executable file immediately after the start
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- PRIVATELOADER has been detected (YARA)
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- PRIVATELOADER has been detected (SURICATA)
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Connects to the CnC server
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Actions looks like stealing of personal data
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Modifies files in the Chrome extension folder
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
SUSPICIOUS
- Reads settings of System Certificates
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Adds/modifies Windows certificates
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Reads the Internet Settings
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Executes as Windows Service
  - raserver.exe (PID: 2204)
- Reads security settings of Internet Explorer
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Checks for external IP
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Connects to the server without a host name
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
INFO
- Checks supported languages
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Reads the computer name
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Reads the machine GUID from the registry
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Create files in a temporary directory
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Process checks computer location settings
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Application launched itself
  - chrome.exe (PID: 2528)
- Checks proxy server information
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Creates files or folders in the user directory
  - 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe (PID: 2804)
- Creates files in the program directory
  - chrome.exe (PID: 2528)
- The process uses the downloaded file
  - chrome.exe (PID: 2524)
  - chrome.exe (PID: 776)
  - chrome.exe (PID: 2600)
- Drops the executable file immediately after the start
  - chrome.exe (PID: 2968)
- Executable content was dropped or overwritten
  - chrome.exe (PID: 2968)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:20 09:49:25+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.34
CodeSize:	1377280
InitializedDataSize:	2857472
UninitializedDataSize:	-
EntryPoint:	0xbb1136
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.8.0.0
ProductVersionNumber:	2.8.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Terse syntax C# command line parser for .NET. For FSharp support see CommandLineParser.FSharp. The Command Line Parser Library offers to CLR applications a clean and concise API for manipulating command line arguments and related tasks.
CompanyName:	gsscoder;nemec;ericnewton76;moh-hassan
FileDescription:	CommandLine
FileVersion:	2.8.0.0
InternalName:	CommandLine.dll
LegalCopyright:	Copyright (c) 2005 - 2020 Giacomo Stelluti Scala & Contributors
OriginalFileName:	CommandLine.dll
ProductName:	CommandLine
ProductVersion:	2.8.0
AssemblyVersion:	2.8.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

756

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:1

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

776

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=4080 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

980

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1592 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1360

"C:\Users\admin\AppData\Local\Temp\29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe"

C:\Users\admin\AppData\Local\Temp\29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe

—

explorer.exe

User:

admin

Company:

gsscoder;nemec;ericnewton76;moh-hassan

Integrity Level:

MEDIUM

Description:

CommandLine

Exit code:

3221226540

Version:

2.8.0.0

Modules

Images
c:\users\admin\appdata\local\temp\29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1496

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xcc,0xd0,0xd4,0xa0,0xd8,0x7fef2136b58,0x7fef2136b68,0x7fef2136b78

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1500

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=4120 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1664

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=4024 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1716

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:1

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1848

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=2840 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1904

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1020 --field-trial-handle=1220,i,8825101961539977716,11707596226205558654,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

8 513

Read events

8 320

Write events

151

Delete events

Modification events


(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Operation:	write	Name:	Exclusions_Extensions
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	write	Name:	exe
Value:
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableRoutinelyTakingAction
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableBehaviorMonitoring
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableOnAccessProtection
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableScanOnRealtimeEnable
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableRealtimeMonitoring
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableIOAVProtection
Value: 1
(PID) Process:	(2804) 29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{57ED3175-3CC8-4BFE-9A73-26ACCDC3A92F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableRawWriteNotification
Value: 1

Add for printing

Executable files

Suspicious files

Text files

255

Unknown types

Dropped files

PID	Process	Filename		Type
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Windows\SysWOW64\GroupPolicy\gpt.ini		text
		MD5:39DFFC602ED934569F26BE44EC645814	SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\Local\Temp\TarA354.tmp		binary
		MD5:9C0C641C06238516F27941AA1166D427	SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\askusdaily[1].jpg		binary
		MD5:1591238C9E07BDE402EC5EB1C1DFA7D8	SHA256:7A4A455395E0C276F8BFC9E03E6DDBA9130347825A0AB64E66DDFFD4BCDE725B
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:487FCB48A8EC53E3294D279B56BB15A1	SHA256:B752C4FD00C0DAA90CC4509EA0A77328469D94BF860D63D7E560F3081269170B
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Windows\System32\GroupPolicy\GPT.INI		text
		MD5:6B1144EF80B8337DADC7B971ABA4BBD2	SHA256:6C757A49EC3A1F7EB74669E53A86A50D5CFE2E34218D4B3324D20EB1FDB026E2
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\Documents\GuardFox\pN3PFNG7fUrwQZosTQiSeoO2		binary
		MD5:1591238C9E07BDE402EC5EB1C1DFA7D8	SHA256:7A4A455395E0C276F8BFC9E03E6DDBA9130347825A0AB64E66DDFFD4BCDE725B
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\enlkbjlfeiapjjhhmdggmadklnbehdlg\1.5.4_0\index.html		html
		MD5:902B93B58A95C8E6EC2292721DF36B79	SHA256:70DA1C44F172BE619853837E77D3188D48E39D7923A308E9B0CD55C2479D821F
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\enlkbjlfeiapjjhhmdggmadklnbehdlg\1.5.4_0\public\app_icon\icon.svg		text
		MD5:30832AA6BBFA258F92C676DEBE9D3E5B	SHA256:EB1FBE6C9DBEC7129C0782C47EDEC9C535CBE328A366DAC7A569C783ABD18787
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\enlkbjlfeiapjjhhmdggmadklnbehdlg\1.5.4_0\public\app_icon\icon_24.png		image
		MD5:5C102F0C7FD76A51C4A486B108F0E233	SHA256:CA42DCDDAB081AC0F31193FEF543E244CCECEA2C9AC349C7F72D88511CCD0F64

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	POST	200	77.105.147.130:80	http://77.105.147.130/api/flash.php	unknown	text	108 b	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	GET	200	195.20.16.46:80	http://195.20.16.46/ext/videodown.png	unknown	binary	6.29 Kb	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	POST	200	77.105.147.130:80	http://77.105.147.130/api/flash.php	unknown	text	128 b	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	GET	200	2.23.154.65:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cdf40e4f89dc6d91	unknown	compressed	65.2 Kb	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	GET	200	77.105.147.130:80	http://77.105.147.130/api/bing_release.php	unknown	text	8 b	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	POST	200	77.105.147.130:80	http://77.105.147.130/api/flash.php	unknown	text	920 b	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	HEAD	200	195.20.16.46:80	http://195.20.16.46/ext/askusdaily.jpeg	unknown	—	—	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	GET	200	195.20.16.46:80	http://195.20.16.46/ext/askusdaily.jpeg	unknown	binary	1.58 Mb	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	GET	200	195.20.16.46:80	http://195.20.16.46/ext/askusdaily.png	unknown	binary	4.45 Kb	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	HEAD	200	195.20.16.46:80	http://195.20.16.46/ext/horizontimez.jpeg	unknown	binary	1.58 Mb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1220	svchost.exe	239.255.255.250:3702	—	—	—	unknown
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	77.105.147.130:80	—	Plus Telecom LLC	RU	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	104.26.9.59:443	api.myip.com	CLOUDFLARENET	US	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	2.23.154.65:80	ctldl.windowsupdate.com	Akamai International B.V.	AT	unknown
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	195.20.16.46:80	—	—	—	unknown
3032	chrome.exe	142.250.186.131:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
3032	chrome.exe	142.250.185.202:443	www.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
api.myip.com	104.26.9.59 172.67.75.163 104.26.8.59	malicious
ipinfo.io	34.117.186.192	shared
ctldl.windowsupdate.com	2.23.154.65 104.103.72.59	whitelisted
teredo.ipv6.microsoft.com	—	unknown
clientservices.googleapis.com	142.250.186.131	whitelisted
www.googleapis.com	142.250.185.202 142.250.185.234 142.250.184.234 142.250.184.202 142.250.181.234 142.250.186.170 142.250.186.74 172.217.16.138 142.250.186.138 142.250.74.202 142.250.186.42 172.217.18.10 142.250.186.106 172.217.16.202 216.58.206.42 216.58.212.170	whitelisted
accounts.google.com	64.233.166.84	shared
iplis.ru	172.67.147.32 104.21.63.150	malicious
iplogger.org	172.67.132.113 104.21.4.208	shared
www.google.com	142.250.185.132	whitelisted

Threats

PID	Process	Class	Message
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
2804	29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)

Add for printing

No debug info

General Info

29f973eb617a2d99d19379f7045fb468ae275dcc82e07fbef840483a65c3bc9d.exe

22BCDFC5882494840B272828FE2267E9

6F24B49C7E1D9B1D9BC34BCCB121584517A1D8D1

29F973EB617A2D99D19379F7045FB468AE275DCC82E07FBEF840483A65C3BC9D

98304:ggl4dbSf9QzDi12gmTKRXToaaqIplnK5MdBEBMobn2U0RN5TK4/5PbTuY8t5HrV6:fjq00sl4C9qp

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file in the system directory

Drops the executable file immediately after the start

PRIVATELOADER has been detected (YARA)

PRIVATELOADER has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

Modifies files in the Chrome extension folder

SUSPICIOUS

Reads settings of System Certificates

Adds/modifies Windows certificates

Reads the Internet Settings

Executes as Windows Service

Reads security settings of Internet Explorer

Checks for external IP

Connects to the server without a host name

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Process checks computer location settings

Application launched itself

Checks proxy server information

Creates files or folders in the user directory

Creates files in the program directory

The process uses the downloaded file

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings