File name:

3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4

Full analysis: https://app.any.run/tasks/07609bb0-4685-4351-8374-0f438ab2584b
Verdict: Malicious activity
Threats:

Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.

Malware Trends Tracker     >>>
Analysis date: December 02, 2023, 13:57:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arkei
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

37B6AAB56A0F770CE58A670322361A1C

SHA1:

87606604CDAA89B93D4D1B5E3E12F5EC24F60016

SHA256:

3D9CF227EF3C29B9CA22C66359FDD61D9B3D3F2BB197EC3DF42D49FF22B989A4

SSDEEP:

6144:Z75e2xvLAzYv1zvvnLFcQYhKzAMq4Y3eaXyf3h5tJwJlYEqRCXq9lBSwF:x0zG5vnaQY7Mq+55EkEqOqnBSE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ARKEI has been detected (YARA)

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

  • SUSPICIOUS

    • Reads the Internet Settings

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

    • Application launched itself

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 844)

  • INFO

    • Reads the computer name

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

    • Checks supported languages

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 844)
      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

    • Reads the machine GUID from the registry

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

    • Checks proxy server information

      • 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe (PID: 564)

    • Manual execution by a user

      • WINWORD.EXE (PID: 3028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Arkei

(PID) Process(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
C2 (2)https://t.me/cybehost
https://steamcommunity.com/profiles/76561199263069598
Keys
RC499300253170289931416
Strings (541)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local torage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local torage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
\"os_crypt\":{\"encrypted_key\":\"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
map*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Daa\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentariableA
GetEnvironmentariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
Goby
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
KHC
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
TRUE
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: Fileilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
guid
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
.exe
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
000*
MAIFEST-000001
LOG
LOCK
CURRENT
00003.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (35.9)
.exe | Win32 Executable MS Visual C++ (generic) (27)
.exe | Win64 Executable (generic) (23.9)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:20 03:37:06+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 273920
InitializedDataSize: 5103104
UninitializedDataSize: -
EntryPoint: 0x74ef
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 18.0.0.0
ProductVersionNumber: 8.0.0.0
FileFlagsMask: 0x183a
FileFlags: (none)
FileOS: Unknown (0x20461)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Faeroese
CharacterSet: Unknown (31F6)
LegalCopyright: Copyright (C) 2023, parking
OriginalFileName: bigthing.exe
ProductsVersion: 36.47.26.15
ProductName: SolarOmir
ProductionVersion: 1.24.57.52
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe no specs #ARKEI 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
564"C:\Users\admin\AppData\Local\Temp\3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe" C:\Users\admin\AppData\Local\Temp\3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Arkei
(PID) Process(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
C2 (2)https://t.me/cybehost
https://steamcommunity.com/profiles/76561199263069598
Keys
RC499300253170289931416
Strings (541)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local torage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local torage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
\"os_crypt\":{\"encrypted_key\":\"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
map*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Daa\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentariableA
GetEnvironmentariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
Goby
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
KHC
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
TRUE
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: Fileilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
guid
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
.exe
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
000*
MAIFEST-000001
LOG
LOCK
CURRENT
00003.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
844"C:\Users\admin\AppData\Local\Temp\3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe" C:\Users\admin\AppData\Local\Temp\3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3028"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\customersthu.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
2 805
Read events
2 611
Write events
45
Delete events
149

Modification events

(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(564) 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3028) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3028) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
Executable files
1
Suspicious files
6
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3028WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA596.tmp.cvr
MD5:
SHA256:
3028WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:44079532CF4B235B48EA995374545419
SHA256:96CEE6D1EC5F7135BD7B4BAA7FA9B436147B37767A84B6231C98D64251EE01F1
3028WINWORD.EXEC:\Users\admin\Desktop\~$stomersthu.rtfbinary
MD5:A5B412D68C0EACB62538B5C10B154BFF
SHA256:BDA7C1EC516C0649F3ED37766EE750EAC18D2BC14670F879D1618FE186D8C5D3
3028WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BB188C00-B9A5-4D90-8F97-9742DC181E04}.tmpbinary
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
3028WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:494BED1DD0E4A562B36118DF846C472E
SHA256:CEFB998E7CA78E17293FCFC48170ECE6DD4ABB832E85E9D3C7212559412311F3
3028WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\customersthu.rtf.LNKbinary
MD5:BC1880261EEE000614F82C9D99015586
SHA256:9C7EFCCDC65750D44599FD28B27377B286E0211F9576A67919B149CF23B0872B
3028WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FBA5493A-1DEA-4F0D-9CD2-5708B765DB63}.tmpbinary
MD5:2BA0F77138352B5B340974C4105799B1
SHA256:FF76F6996C81096CA6521B271A1B5F0C67C8CE2F53E6AA6FB18C984A791DE790
3028WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{999D18B8-DB95-410D-8CF2-99CE0493B2F8}.tmpbinary
MD5:80D7B639F0FDB34A5F56B18E5DC85092
SHA256:AE1363A4449F759F84E0EF58D8BC506D8224046048B356419096AB2FAC3A3AC8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
564
3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
unknown
564
3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4.exe
92.122.104.90:443
steamcommunity.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
steamcommunity.com
  • 92.122.104.90
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4