File name:

Find Wallet v3.2-Crack.exe (1).zip

Full analysis: https://app.any.run/tasks/34824dca-c46a-42dc-a25f-93e1a08673cc
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 24, 2025, 17:13:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
neshta
evasion
stealer
telegram
autorun-download
ims-api
generic
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

A120ED61743037749D09523F8FC3BFE8

SHA1:

7CAB5C95D64A3FEB7D28497062E787B31C3BAEE7

SHA256:

43C503336E9AE2118E61467181BF97D14094E1345F25B9DFD15A1B5FF5F75514

SSDEEP:

49152:NIHju7djxY/PhLHrciIIPu7Z7FL83WPk1nnNFWSxjm/CkBmBv3Y9S5njnMXZ00FG:xBNYnhXIIm7Zx5CnnN0SxjMCkBm9dQB+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
    • Steals credentials from Web Browsers

      • Client.exe (PID: 7292)
    • Actions look like stealing of personal data

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Client.exe (PID: 7292)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
      • Find Wallet v3.2-Crack.exe (PID: 7952)
      • Find Wallet v3.2-Crack.exe (PID: 7328)
      • GetHelp.exe (PID: 1348)
    • Executable content was dropped or overwritten

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 7952)
      • MegaDumper.exe (PID: 7480)
    • Mutex name with non-standard characters

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
    • Reads the date of Windows installation

      • dw20.exe (PID: 5244)
    • Writes to the desktop.ini file (may be used to cloak folders)

      • Client.exe (PID: 7292)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Client.exe (PID: 7292)
    • Process drops legitimate windows executable

      • MegaDumper.exe (PID: 7480)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Client.exe (PID: 7292)
    • There is functionality for taking screenshot (YARA)

      • Find Wallet v3.2-Crack.exe (PID: 7432)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Client.exe (PID: 7292)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6620)
      • chrome.exe (PID: 2152)
      • chrome.exe (PID: 2240)
      • chrome.exe (PID: 5572)
    • Manual execution by a user

      • chrome.exe (PID: 2240)
      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
      • WinRAR.exe (PID: 4740)
      • WinRAR.exe (PID: 2552)
      • Find-Wallet.exe (PID: 5952)
      • Find-Wallet.exe (PID: 4348)
      • Find-Wallet.exe (PID: 6044)
      • Find-Wallet.exe (PID: 6032)
      • Find-Wallet.exe (PID: 5344)
    • Autorun file from Downloads

      • chrome.exe (PID: 7592)
      • chrome.exe (PID: 2240)
    • Checks supported languages

      • MegaDumper.exe (PID: 7480)
      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 7360)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
      • Find Wallet v3.2-Crack.exe (PID: 7952)
      • Client.exe (PID: 7292)
      • Find Wallet v3.2-Crack.exe (PID: 7328)
      • dw20.exe (PID: 5244)
      • Find-Wallet.exe (PID: 5344)
      • GetHelp.exe (PID: 1348)
      • Find-Wallet.exe (PID: 6044)
    • Reads the software policy settings

      • slui.exe (PID: 2852)
      • dw20.exe (PID: 5244)
      • Client.exe (PID: 7292)
      • GetHelp.exe (PID: 1348)
    • Reads the computer name

      • MegaDumper.exe (PID: 7480)
      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
      • dw20.exe (PID: 5244)
      • Find Wallet v3.2-Crack.exe (PID: 7952)
      • Client.exe (PID: 7292)
      • Find Wallet v3.2-Crack.exe (PID: 7328)
    • Reads the machine GUID from the registry

      • MegaDumper.exe (PID: 7480)
      • Client.exe (PID: 7292)
      • Find Wallet v3.2-Crack.exe (PID: 7328)
      • dw20.exe (PID: 5244)
      • Find-Wallet.exe (PID: 5344)
      • GetHelp.exe (PID: 1348)
    • Process checks computer location settings

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Find Wallet v3.2-Crack.exe (PID: 6752)
      • Find Wallet v3.2-Crack.exe (PID: 7952)
      • dw20.exe (PID: 5244)
    • Creates files in a temporary directory

      • Find Wallet v3.2-Crack.exe (PID: 7432)
      • Client.exe (PID: 7292)
    • Creates files or folders in the user directory

      • Find Wallet v3.2-Crack.exe (PID: 7952)
      • dw20.exe (PID: 5244)
      • MegaDumper.exe (PID: 7480)
    • Creates files in the program directory

      • dw20.exe (PID: 5244)
      • Client.exe (PID: 7292)
    • Application launched itself

      • chrome.exe (PID: 2240)
    • Reads product name

      • dw20.exe (PID: 5244)
    • Reads CPU info

      • dw20.exe (PID: 5244)
      • Client.exe (PID: 7292)
    • Checks proxy server information

      • dw20.exe (PID: 5244)
      • Find Wallet v3.2-Crack.exe (PID: 7328)
      • Client.exe (PID: 7292)
      • GetHelp.exe (PID: 1348)
    • Disables trace logs

      • Client.exe (PID: 7292)
    • Reads Environment values

      • dw20.exe (PID: 5244)
    • The sample was compiled with English language support

      • MegaDumper.exe (PID: 7480)
      • chrome.exe (PID: 5572)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

ims-api

(PID) Process: (7292) Client.exe
Telegram-Tokens (1): 7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE
Telegram-Info-Links
7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE
Get info about bot: https://api.telegram.org/bot7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE/getMe
Get incoming updates: https://api.telegram.org/bot7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE/getUpdates
Get webhook: https://api.telegram.org/bot7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE/getWebhookInfo
Delete webhook: https://api.telegram.org/bot7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE
End-Point: sendDocument
Args
chat_id (1): 6022885401
caption (1): ==== RL STEALER ==== ⏰ Date => 03/24/2025 5:15 💻System => Windows 10 Pro (64 Bit) 👤 User =%3
Token: 7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE
End-Point: sendDocument
Args
Token: 7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE
End-Point: sendDocument
Args
chat_id (1): 6022885401
caption (1): ==== RL STEALER ====
Token: 7382635608:AAH72k3AVhMfbaRzEcdg26C7uJVMHPOHjiE
End-Point: sendDocument
Args
chat_id (1): 6022885401
caption (1): ==== RL STEALER ==== ⏰ Date => 03/24/2025 5:15 💻System => Windows 10 Pro (64 Bit) 👤 User => admin 🆔 PC => DESKTOP-JGLLJLD 🏴 Country => [United Kingdom] 🔍 IP => 185.192.71.35 📝 Language => 🇺🇸 en-US 🔓 Antivirus => W
Telegram-Responses
ok: true
result
message_id: 4804
from
id: 7382635608
is_bot: true
first_name: New Wallet Finder
username: Wallet_finder_0_1_bot
chat
id: 6022885401
first_name: Jznif.jixz
last_name: Official
username: Unknown_lutin
type: private
date: 1742836531
document
file_name: C ProgramDataDESKTOP-JGLLJLD@[United Kingdom].zip
mime_type: application/zip
file_id: BQACAgUAAxkDAAISxGfhkzMG4g5IgZ5u4Z1VZ4zwhCV5AAIsFgACwwYIV96LebyItSxLNgQ
file_unique_id: AgADLBYAAsMGCFc
file_size: 124980
caption: ==== RL STEALER ==== ⏰ Date => 03/24/2025 5:15 💻System => Windows 10 Pro (64 Bit) 👤 User => admin 🆔 PC => DESKTOP-JGLLJLD 🏴 Country => [United Kingdom] 🔍 IP => 185.192.71.35 📝 Language => 🇺🇸 en-US 🔓 Antivirus => Windows Defender. ===={ User Data }==== 📂 FileGrabber => 38 📦 Telegram => ❌...
caption_entities
offset: 166
length: 13
type: url
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2025:03:24 17:00:32
ZipCRC: 0xf3d22a7a
ZipCompressedSize: 1578798
ZipUncompressedSize: 3742208
ZipFileName: Find Wallet v3.2-Crack.exe.bin
No data.
All screenshots are available in the full report
Total processes
216
Monitored processes
66
Malicious processes
5
Suspicious processes
2

Behavior graph

start winrar.exe sppextcomobj.exe no specs slui.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs megadumper.exe #NESHTA find wallet v3.2-crack.exe find wallet v3.2-crack.exe #NESHTA find wallet v3.2-crack.exe no specs find wallet v3.2-crack.exe dw20.exe client.exe find wallet v3.2-crack.exe no specs slui.exe svchost.exe rundll32.exe no specs winrar.exe no specs winrar.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs find-wallet.exe no specs find-wallet.exe no specs find-wallet.exe no specs find-wallet.exe no specs find-wallet.exe chrome.exe no specs gethelp.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 232
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3344 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 680
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2404 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 872
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6284 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1088
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1184
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=6412 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1348
CMD: "C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe" -ServerName:App.AppXc53jt7x72yk6zj4f70fb3gxetfvdh22w.mca
Path: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\program files\windowsapps\microsoft.gethelp_10.1706.13331.0_x64__8wekyb3d8bbwe\gethelp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\windowsapps\microsoft.gethelp_10.1706.13331.0_x64__8wekyb3d8bbwe\gethelp.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 1616
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6880 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1852
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6428 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2152
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2104 --field-trial-handle=1972,i,1495196984897527586,11607932837610089406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
24 817
Read events
24 744
Write events
66
Delete events
7

Modification events

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe (1).zip

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6620) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (2240) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1
Executable files
72
Suspicious files
480
Text files
83
Unknown types
0

Dropped files

PID
Process
Filename
Type
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF112131.TMP
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF112150.TMP
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF112150.TMP
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF112141.TMP
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF112141.TMP
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
2240 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF112150.TMP
(MD5 and SHA256 values are not listed in this excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
169
DNS requests
151
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5800
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4188
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4188
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7292
Client.exe
GET
200
208.95.112.1:80
http://ip-api.com/xml
unknown
whitelisted
7292
Client.exe
GET
200
208.95.112.1:80
http://ip-api.com/xml
unknown
whitelisted
5244
dw20.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5800
backgroundTaskHost.exe
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5800
backgroundTaskHost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.68
  • 40.126.31.73
  • 40.126.31.3
  • 40.126.31.2
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.130
  • 20.190.159.71
  • 20.190.159.131
  • 40.126.31.0
  • 40.126.31.128
  • 20.190.159.129
  • 20.190.159.2
  • 20.190.159.130
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
www.bing.com
  • 104.126.37.160
  • 104.126.37.177
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.171
  • 104.126.37.128
  • 104.126.37.153
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
dual-s-ring.msedge.net
  • 52.123.129.254
  • 52.123.128.254
whitelisted
ax-ring.msedge.net
  • 150.171.27.254
  • 150.171.28.254
unknown
d725cbf2c96f626bc0ba3c324da834ef.azr.footprintdns.com
  • 20.115.155.233
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Checker Domain (freegeoip .app)
7292
Client.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app)
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
7292
Client.exe
Potentially Bad Traffic
ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
7292
Client.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
7292
Client.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
7292
Client.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
7292
Client.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
7292
Client.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
7292
Client.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
No debug info