File name: Proxy.Grabber.and.Checker.exe
Full analysis: https://app.any.run/tasks/126e7fae-77e5-475e-a53b-fa1ade23fb56
Verdict: Malicious activity
Analysis date: March 21, 2024, 11:09:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: A6EFCD6A68716471CCF82A6370D68182
SHA1: DEAC40EAC148FF5132A05B9005B196ED8EB22908
SHA256: 3743F014B4EEFCA85496DAA65A32AB21F84DCEBB7C45158750275C40BE7FF143
SSDEEP: 49152:e0Dqzp0GnH+GXV18sP1RJTdvjhpbgfRXX53LTH9shst:e0DqzqyeGXHPfJTxjbbgfR53LBiQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
    • Application launched itself

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
    • Reads security settings of Internet Explorer

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
    • Reads the Internet Settings

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
  • INFO

    • Creates files or folders in the user directory

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
    • Reads the computer name

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
    • Reads the machine GUID from the registry

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
    • Checks supported languages

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
    • Reads Environment values

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
    • Reads the software policy settings

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
      • Proxy.Grabber.and.Checker.exe (PID: 2792)
    • Create files in a temporary directory

      • Proxy.Grabber.and.Checker.exe (PID: 4008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2081:03:18 21:20:22+00:00 (not a build date: a deterministic .NET build stores a content-derived value in the PE timestamp field, which is why it reads as a far-future date and cannot be used for timelining)
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 842752
InitializedDataSize: 70144
UninitializedDataSize: -
EntryPoint: 0xcfbce
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.0.6.1
ProductVersionNumber: 5.0.6.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Proxy Grabber and Checker by wDude
CompanyName: wDude
FileDescription: Proxy Grabber and Checker by wDude
FileVersion: 5.0.6.1
InternalName: Proxy Grabber and Checker.exe
LegalCopyright: БатькаВсеяРашн © 2020
LegalTrademarks: wDude (LZT: БатькаВсеяРашн)
OriginalFileName: Proxy Grabber and Checker.exe
ProductName: PGC
ProductVersion: 5.0.6.1
AssemblyVersion: 5.0.6.1
No data.
Screenshots: available in the full report.
Total processes: 37
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> proxy.grabber.and.checker.exe (PID 4008, parent explorer.exe) -> proxy.grabber.and.checker.exe (PID 2792, launched by PID 4008)

Process information

PID 4008: "C:\Users\admin\AppData\Local\Temp\Proxy.Grabber.and.Checker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Proxy.Grabber.and.Checker.exe
Parent process: explorer.exe
User: admin
Company: wDude
Integrity Level: MEDIUM
Description: Proxy Grabber and Checker by wDude
Exit code: 0
Version: 5.0.6.1
Modules (images):
c:\users\admin\appdata\local\temp\proxy.grabber.and.checker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 2792: "C:\Users\admin\AppData\Local\Temp\Proxy.Grabber.and.Checker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Proxy.Grabber.and.Checker.exe
Parent process: Proxy.Grabber.and.Checker.exe (PID 4008)
User: admin
Company: wDude
Integrity Level: MEDIUM
Description: Proxy Grabber and Checker by wDude
Exit code: 0
Version: 5.0.6.1
Modules (images):
c:\users\admin\appdata\local\temp\proxy.grabber.and.checker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 23 496
Read events: 23 445
Write events: 51
Delete events: 0

Modification events

All writes by PID 4008, Proxy.Grabber.and.Checker.exe.

Key: HKEY_CURRENT_USER\ProxyGrabberAndChecker
  write autoUpdateProxy = 0
  write lolzteamInfoShown = 0
  write autoGrabProxy = 1
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Proxy_RASAPI32
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not shown in the report)
  write ConsoleTracingMask = (value not shown in the report)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Proxy_RASMANCS
  write EnableFileTracing = 0

The HKEY_CURRENT_USER\ProxyGrabberAndChecker values are the tool's own settings and the most specific host indicator in this report; the value names (autoGrabProxy, autoUpdateProxy, lolzteamInfoShown) match its grab/check function and its LZT (lolzteam) origin from the version resource. The HKLM\SOFTWARE\Microsoft\Tracing\Proxy_RASAPI32 and Proxy_RASMANCS keys are written by Windows RAS tracing whenever a process loads rasapi32/rasman, which WinINet and WinHTTP do during connectivity and proxy checks; the key name is only the process name up to its first dot, so these keys are generic and not an indicator of this tool.
Executable files: 0
Suspicious files: 4
Text files: 6
Unknown types: 2

Dropped files

All files written by PID 4008, Proxy.Grabber.and.Checker.exe.

Tool data files:
C:\Users\admin\AppData\Roaming\PGC\urlsHTTP.txt (text)
  MD5: 977DAC55DAAB50E52D1BF957F3339665
  SHA256: 8E279274A0226D3120473A47F7238EF5CBE24EBDEAB48B9F3AE8BCB3AA46E962
C:\Users\admin\AppData\Roaming\PGC\urlsSOCKS4.txt (text)
  MD5: 2F9B0356AE5E008C2EF3F042E03BB68E
  SHA256: 1AADFAB2A6B3382AC1146098779326596AB6C918AA69437C463F0017681D1F2F
C:\Users\admin\AppData\Roaming\PGC\urlsSOCKS5.txt (text)
  MD5: A782A0FDAFEC670F77F0EBC94E9F151D
  SHA256: 216C945CD5A00DC06177D37E9050D7D9EC4E2C094A63AB0B8939043126270142

CryptoAPI root-CTL refresh artifacts:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (compressed)
  MD5: 753DF6889FD7410A2E9FE333DA83A429
  SHA256: B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (binary)
  MD5: 1EA094C2FCC177C6556735D78827FF5D
  SHA256: F46E2066B46A23644A2CF507A20675D48B692D409CD9A2A23A642F7F47FE26F4
C:\Users\admin\AppData\Local\Temp\Cab22B6.tmp (compressed)
  MD5: 753DF6889FD7410A2E9FE333DA83A429
  SHA256: B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
C:\Users\admin\AppData\Local\Temp\Cab22C7.tmp (compressed)
  MD5: 753DF6889FD7410A2E9FE333DA83A429
  SHA256: B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
C:\Users\admin\AppData\Local\Temp\Tar22B7.tmp (cat)
  MD5: DD73CEAD4B93366CF3465C8CD32E2796
  SHA256: A6752B7851B591550E4625B832A393AABCC428DE18D83E8593CD540F7D7CAE22
C:\Users\admin\AppData\Local\Temp\Tar22C8.tmp (cat)
  MD5: DD73CEAD4B93366CF3465C8CD32E2796
  SHA256: A6752B7851B591550E4625B832A393AABCC428DE18D83E8593CD540F7D7CAE22

The three PGC\urls*.txt files (one per proxy protocol: HTTP, SOCKS4, SOCKS5) are the tool's own data and the file indicator worth keeping. Everything else is Windows CryptoAPI refreshing Microsoft's trusted-root certificate list: the CryptnetUrlCache entry and both Cab*.tmp copies are the same authrootstl.cab (identical hashes) fetched from ctldl.windowsupdate.com in the HTTP section below, and the two Tar*.tmp files are the trust list extracted from it. These appear for any process that validates a TLS certificate chain on a sandbox with a stale root store and are not specific to this sample.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 17
DNS requests: 8
Threats: 6

HTTP requests

PID 4008, Proxy.Grabber.and.Checker.exe
  GET 200  2.19.11.136:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0d45a3ebc56b6f21
  Type: compressed, Size: 67.5 Kb, Reputation: unknown
PID 4008, Proxy.Grabber.and.Checker.exe
  GET 200  2.19.11.154:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f298ca30347c3779
  Type: compressed, Size: 67.5 Kb, Reputation: unknown

Both plain-HTTP requests are Windows CryptoAPI downloading Microsoft's trusted-root certificate list (the same authrootstl.cab that shows up in the dropped files), triggered when the .NET process first validated a TLS chain. The tool's own traffic to the proxy-list services is HTTPS, so it appears only in the Connections, DNS and Threats sections below, not here.

Connections

PID   Process                        IP:port              Domain                     ASN            CN  Reputation
4     System                         192.168.100.255:138  -                          -              -   unknown
4     System                         192.168.100.255:137  -                          -              -   unknown
1080  svchost.exe                    224.0.0.252:5355     -                          -              -   unknown
4008  Proxy.Grabber.and.Checker.exe  185.199.109.133:443  raw.githubusercontent.com  FASTLY         US  unknown
4008  Proxy.Grabber.and.Checker.exe  185.199.110.133:443  raw.githubusercontent.com  FASTLY         US  unknown
4008  Proxy.Grabber.and.Checker.exe  104.18.11.5:443      api.proxyscrape.com        CLOUDFLARENET  -   unknown
4008  Proxy.Grabber.and.Checker.exe  104.18.10.5:443      api.proxyscrape.com        CLOUDFLARENET  -   unknown
4008  Proxy.Grabber.and.Checker.exe  188.114.97.3:443     www.proxy-list.download    CLOUDFLARENET  NL  unknown
4008  Proxy.Grabber.and.Checker.exe  188.114.96.3:443     www.proxy-list.download    CLOUDFLARENET  NL  unknown
4008  Proxy.Grabber.and.Checker.exe  2.19.11.154:80       ctldl.windowsupdate.com    Elisa Oyj      NL  unknown

The System (PID 4) broadcasts to 192.168.100.255 on ports 137 and 138 are NetBIOS name-service and datagram traffic, and svchost.exe (PID 1080) to 224.0.0.252:5355 is LLMNR multicast; both are the sandbox's own Windows name resolution and unrelated to the sample. The sample's connections go to two public proxy-list services (api.proxyscrape.com, www.proxy-list.download) and to raw.githubusercontent.com, all over HTTPS, plus the in-process CryptoAPI fetch from ctldl.windowsupdate.com. Nothing here resembles command-and-control: the destinations are public services, which matches a proxy grabber rather than a backdoor.

DNS requests

raw.githubusercontent.com (reputation: unknown)
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
api.proxyscrape.com (reputation: unknown)
  • 104.18.11.5
  • 104.18.10.5
www.proxy-list.download (reputation: unknown)
  • 188.114.97.3
  • 188.114.96.3
ctldl.windowsupdate.com (reputation: unknown)
  • 2.19.11.136
  • 2.19.11.155
  • 2.19.11.138
  • 2.19.11.141
  • 2.19.11.154
  • 2.19.11.137

Threats

PID  Process  Class                    Message                                                                          Count
-    -        Potentially Bad Traffic  ET INFO Public Proxy Service Domain in DNS Lookup (api .proxyscrape .com)         2
-    -        Potentially Bad Traffic  ET INFO Observed Public Proxy Service Domain (api .proxyscrape .com in TLS SNI)   4

All six alerts are informational ET INFO signatures covering the two stages of one activity, the DNS lookup and then the TLS SNI, for api.proxyscrape.com only. The second proxy-list source in this run, www.proxy-list.download, triggered no signature, so a detection that relies on the Threats section alone would miss it; the DNS and Connections sections above are the more complete source of network indicators.
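The DNS, Connections and Threats sections together describe the network pattern: a lookup and then a TLS connection to a public proxy-list service, alongside fetches from raw.githubusercontent.com, with the CryptoAPI traffic to ctldl.windowsupdate.com as noise. The following is an added example, not ANY.RUN output and not an Emerging Threats rule: it classifies the domains from this report into tiers, runs them over simplified Zeek-style dns/ssl/http records and flags a source host that shows the full pattern. The log lines, the source hosts and the five-column record layout are constructed for the example; the domain and IP values come from this report.

```python
"""Network-indicator triage for the Proxy.Grabber.and.Checker sample.

Added example for this report, not ANY.RUN output and not an ET rule.
It applies the DNS, TLS-SNI and HTTP observations from the report to
simplified Zeek-style records and mirrors the two stages the ET INFO
signatures fire on (DNS lookup, then TLS SNI). The records below are
constructed; each line is "ts<TAB>src<TAB>dst<TAB>port<TAB>name".
"""
from __future__ import annotations

from collections import defaultdict

# Domains from the report, grouped by how much they say on their own.
PROXY_LIST_SERVICES = {"api.proxyscrape.com", "www.proxy-list.download"}  # high signal
TOOL_SOURCE_HOSTS = {"raw.githubusercontent.com"}  # tool fetches its URL lists here; too common to alert on alone
OS_NOISE = {"ctldl.windowsupdate.com"}  # CryptoAPI root-CTL refresh, ignore

# Constructed records: name = DNS query for dns rows, server_name for ssl rows,
# Host header for http rows. Host .52 mimics the sandbox run; .77 only touches GitHub.
DNS_LOG = """\
1711019364.101\t192.168.100.52\t192.168.100.1\t53\traw.githubusercontent.com
1711019364.220\t192.168.100.52\t192.168.100.1\t53\tapi.proxyscrape.com
1711019364.305\t192.168.100.52\t192.168.100.1\t53\twww.proxy-list.download
1711019364.410\t192.168.100.52\t192.168.100.1\t53\tctldl.windowsupdate.com
1711019370.001\t192.168.100.77\t192.168.100.1\t53\traw.githubusercontent.com
"""
SSL_LOG = """\
1711019364.150\t192.168.100.52\t185.199.109.133\t443\traw.githubusercontent.com
1711019364.260\t192.168.100.52\t104.18.11.5\t443\tapi.proxyscrape.com
1711019364.340\t192.168.100.52\t188.114.97.3\t443\twww.proxy-list.download
1711019370.050\t192.168.100.77\t185.199.110.133\t443\traw.githubusercontent.com
"""
HTTP_LOG = """\
1711019364.500\t192.168.100.52\t2.19.11.154\t80\tctldl.windowsupdate.com
"""


def parse(log: str):
    """Yield (ts, src, dst, port, name) tuples from a constructed tab-separated log."""
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, name = line.split("\t")
        yield float(ts), src, dst, int(port), name.lower().rstrip(".")


def classify(name: str) -> str | None:
    """Map a queried or SNI name to an indicator tier, or None for unknown names and OS noise."""
    if name in OS_NOISE:
        return None
    if name in PROXY_LIST_SERVICES or any(name.endswith("." + d) for d in PROXY_LIST_SERVICES):
        return "proxy_list_service"
    if name in TOOL_SOURCE_HOSTS:
        return "tool_source_host"
    return None


def triage_network(dns_log: str, ssl_log: str, http_log: str) -> dict:
    """Per source host: which tier was seen at which stage (dns/tls/http), plus a
    pattern flag when the host hit both a proxy-list service and the tool's source host."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> tier -> {stage}
    for stage, log in (("dns", dns_log), ("tls", ssl_log), ("http", http_log)):
        for _, src, _, _, name in parse(log):
            tier = classify(name)
            if tier:
                seen[src][tier].add(stage)
    report = {}
    for src, tiers in seen.items():
        alerts = [f"{tier}:{stage}" for tier, stages in tiers.items() for stage in stages]
        pattern = "proxy_list_service" in tiers and "tool_source_host" in tiers
        report[src] = {"alerts": sorted(alerts), "proxy_grabber_pattern": pattern}
    return report


if __name__ == "__main__":
    for src, r in triage_network(DNS_LOG, SSL_LOG, HTTP_LOG).items():
        print(src, "PATTERN" if r["proxy_grabber_pattern"] else "", r["alerts"])
```

Host 192.168.100.52 is flagged with the full pattern because it reached both proxy-list services and raw.githubusercontent.com at the DNS and TLS stages; host .77 only gets the low-signal GitHub alerts, and the ctldl.windowsupdate.com rows are dropped before they can raise anything. Tiering the domains this way keeps raw.githubusercontent.com out of standalone alerting while still letting it strengthen a hit on the proxy-list services.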
No debug info