URL:

https://s6.dosya.tc/server21/o2e376/IPTV_CHECKER.rar.html

Full analysis: https://app.any.run/tasks/3008bfae-e0e1-4af9-b0d4-4773bdad479e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 11, 2025, 22:37:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
possible-phishing
waspstealer
stealer
evasion
github
Indicators:
MD5:

1D36549897685CDFB702C3751E871C79

SHA1:

8779C281C25A09B3A40ACB1F70424F13D0F1C1F8

SHA256:

51C8445605B7957E58D26A3BA715542CCAB5BA85DF5359FE5E038D6720A0E2D8

SSDEEP:

3:N8UHcVLXw+R5LXjn:2UHGLzRtn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • WASPSTEALER has been detected (SURICATA)

      • Launcher.exe (PID: 3796)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4376)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6960)

    • Actions looks like stealing of personal data

      • Launcher.exe (PID: 3796)

    • Changes the autorun value in the registry

      • reg.exe (PID: 5936)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 8036)

    • Create files in the Startup directory

      • Launcher.exe (PID: 3796)

    • Steals credentials from Web Browsers

      • Launcher.exe (PID: 3796)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • İPTV_CHECKER.exe (PID: 3124)

    • Executable content was dropped or overwritten

      • İPTV_CHECKER.exe (PID: 3124)
      • Launcher.exe (PID: 3796)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • İPTV_CHECKER.exe (PID: 3124)

    • Drops 7-zip archiver for unpacking

      • İPTV_CHECKER.exe (PID: 3124)

    • Process drops legitimate windows executable

      • İPTV_CHECKER.exe (PID: 3124)

    • Reads security settings of Internet Explorer

      • İPTV_CHECKER.exe (PID: 3124)
      • Launcher.exe (PID: 1184)

    • Application launched itself

      • Launcher.exe (PID: 3796)
      • cmd.exe (PID: 5112)

    • There is functionality for taking screenshot (YARA)

      • İPTV_CHECKER.exe (PID: 3124)

    • Uses WMIC.EXE to obtain data on processes

      • cmd.exe (PID: 7724)
      • cmd.exe (PID: 8108)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6228)

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 6048)
      • net.exe (PID: 4608)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 1280)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1280)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 5728)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7020)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1164)

    • Starts CMD.EXE for commands execution

      • Launcher.exe (PID: 3796)
      • cmd.exe (PID: 5112)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2568)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7880)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 5304)
      • cmd.exe (PID: 6960)
      • cmd.exe (PID: 4212)
      • cmd.exe (PID: 3300)
      • cmd.exe (PID: 2136)
      • cmd.exe (PID: 7936)

    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 5728)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Launcher.exe (PID: 3796)

    • Searches for installed software

      • reg.exe (PID: 4224)
      • reg.exe (PID: 4572)
      • reg.exe (PID: 7524)
      • reg.exe (PID: 7172)
      • reg.exe (PID: 7780)
      • reg.exe (PID: 6048)
      • reg.exe (PID: 7844)
      • reg.exe (PID: 6392)
      • reg.exe (PID: 4736)
      • reg.exe (PID: 6940)
      • reg.exe (PID: 5280)
      • reg.exe (PID: 5608)
      • reg.exe (PID: 7448)
      • reg.exe (PID: 5892)
      • reg.exe (PID: 7744)
      • reg.exe (PID: 7588)
      • reg.exe (PID: 7464)
      • reg.exe (PID: 7752)
      • reg.exe (PID: 6808)
      • reg.exe (PID: 7984)
      • reg.exe (PID: 2040)
      • reg.exe (PID: 5352)
      • reg.exe (PID: 4212)
      • reg.exe (PID: 4880)
      • reg.exe (PID: 7980)
      • reg.exe (PID: 6256)
      • reg.exe (PID: 6712)
      • reg.exe (PID: 680)
      • reg.exe (PID: 6768)
      • reg.exe (PID: 2664)
      • reg.exe (PID: 4572)
      • reg.exe (PID: 6972)
      • reg.exe (PID: 1168)
      • reg.exe (PID: 4120)
      • reg.exe (PID: 7904)
      • reg.exe (PID: 8048)
      • reg.exe (PID: 8060)
      • reg.exe (PID: 8108)
      • reg.exe (PID: 7908)
      • reg.exe (PID: 7244)
      • reg.exe (PID: 664)
      • reg.exe (PID: 7812)
      • reg.exe (PID: 7528)
      • reg.exe (PID: 7720)
      • reg.exe (PID: 6108)
      • reg.exe (PID: 7832)
      • reg.exe (PID: 3364)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 5776)

    • The process executes Powershell scripts

      • cmd.exe (PID: 6960)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6960)

    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 7432)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7840)

    • Possible Social Engineering Attempted

      • chrome.exe (PID: 7720)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 7252)
      • chrome.exe (PID: 7660)

    • Reads the software policy settings

      • slui.exe (PID: 8032)
      • slui.exe (PID: 5552)
      • Launcher.exe (PID: 1184)

    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 7252)

    • Autorun file from Downloads

      • chrome.exe (PID: 4164)

    • Manual execution by a user

      • WinRAR.exe (PID: 456)
      • WinRAR.exe (PID: 4572)
      • Launcher.exe (PID: 660)
      • WinRAR.exe (PID: 7712)
      • İPTV_CHECKER.exe (PID: 3124)
      • WinRAR.exe (PID: 4980)
      • chrome.exe (PID: 7660)

    • Checks supported languages

      • İPTV_CHECKER.exe (PID: 3124)
      • Launcher.exe (PID: 3796)
      • Launcher.exe (PID: 8172)
      • Launcher.exe (PID: 4112)
      • more.com (PID: 4152)
      • more.com (PID: 7872)
      • more.com (PID: 4336)
      • Launcher.exe (PID: 1184)

    • Create files in a temporary directory

      • İPTV_CHECKER.exe (PID: 3124)
      • Launcher.exe (PID: 3796)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1116)
      • chrome.exe (PID: 4152)

    • The sample compiled with english language support

      • İPTV_CHECKER.exe (PID: 3124)
      • chrome.exe (PID: 4152)

    • Reads the computer name

      • İPTV_CHECKER.exe (PID: 3124)
      • Launcher.exe (PID: 3796)
      • Launcher.exe (PID: 8172)
      • Launcher.exe (PID: 4112)
      • Launcher.exe (PID: 1184)

    • Checks proxy server information

      • slui.exe (PID: 5552)
      • Launcher.exe (PID: 3796)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 232)
      • WMIC.exe (PID: 1164)
      • WMIC.exe (PID: 4728)
      • WMIC.exe (PID: 7880)
      • WMIC.exe (PID: 132)
      • WMIC.exe (PID: 7020)

    • Reads product name

      • Launcher.exe (PID: 3796)

    • Reads Environment values

      • Launcher.exe (PID: 3796)
      • Launcher.exe (PID: 1184)

    • Reads the machine GUID from the registry

      • Launcher.exe (PID: 3796)
      • Launcher.exe (PID: 1184)

    • Reads CPU info

      • Launcher.exe (PID: 3796)

    • Process checks computer location settings

      • Launcher.exe (PID: 3796)

    • Creates files or folders in the user directory

      • Launcher.exe (PID: 3796)
      • Launcher.exe (PID: 1184)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6252)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 5600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
442
Monitored processes
303
Malicious processes
41
Suspicious processes
6

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs sppextcomobj.exe no specs slui.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe slui.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe no specs chrome.exe no specs winrar.exe no specs chrome.exe no specs winrar.exe no specs launcher.exe chrome.exe no specs chrome.exe no specs i̇ptv_checker.exe #WASPSTEALER launcher.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs launcher.exe no specs launcher.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs net.exe no specs wmic.exe no specs more.com no specs net1.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs more.com no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs more.com no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs reg.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe cmd.exe schtasks.exe no specs winrar.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs launcher.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
132wmic process where processid=3796 get ExecutablePathC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ucrtbase.dll
132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
208C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F14FB68A-9188-4036-AD0D-D054BC9C9291}""C:\Windows\System32\cmd.exeLauncher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
232wmic process where processid=3796 get ExecutablePathC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
240schtasks /create /sc onlogon /tn WindowsDriverSetupSe8Tij /tr \"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Launcher.exe\" /F /rl highestC:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
456"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- . C:\Users\admin\Desktop\Launcher.exeC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
660"C:\Users\admin\Desktop\Launcher.exe" C:\Users\admin\Desktop\Launcher.exe
explorer.exe
User:
admin
Company:
degressive
Integrity Level:
HIGH
Description:
Launcher
Exit code:
3221225781
Version:
74.2.0
Modules
Images
c:\users\admin\desktop\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
664C:\WINDOWS\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0419-1000-0000000FF1CE}"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
680C:\WINDOWS\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
62 235
Read events
62 042
Write events
183
Delete events
10

Modification events

(PID) Process:(7252) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7252) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7252) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7252) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(7252) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(4164) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
010000000000000080412F6732ABDB01
(PID) Process:(7252) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithProgids
Operation:writeName:WinRAR
Value:
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files
36
Suspicious files
654
Text files
92
Unknown types
0

Dropped files

PID
Process
Filename
Type
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF10bf99.TMP
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF10bf99.TMP
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF10bf99.TMP
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF10bfa8.TMP
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10bfa8.TMP
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7252chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
157
DNS requests
192
Threats
25

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
968
svchost.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_party_module_list.crx3
unknown
whitelisted
968
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3ohtjzc5zgixepabdjs6cqg5xq_3067/jflookgnkcckhobaglndicnbbgbonegd_3067_all_g63dbvxeh3673pkyaap44qag54.crx3
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
968
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemjhbpbandiljpe_67_win_kfegpqlp6gezs4ree2ol2br2ym.crx3
unknown
whitelisted
2284
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
968
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemjhbpbandiljpe_67_win_kfegpqlp6gezs4ree2ol2br2ym.crx3
unknown
whitelisted
968
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemjhbpbandiljpe_67_win_kfegpqlp6gezs4ree2ol2br2ym.crx3
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
968
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemjhbpbandiljpe_67_win_kfegpqlp6gezs4ree2ol2br2ym.crx3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
157.90.180.51:443
s6.dosya.tc
Hetzner Online GmbH
DE
whitelisted
7252
chrome.exe
239.255.255.250:1900
whitelisted
74.125.128.84:443
accounts.google.com
GOOGLE
US
whitelisted
142.250.186.66:443
pagead2.googlesyndication.com
GOOGLE
US
whitelisted
142.250.185.206:443
www.google-analytics.com
GOOGLE
US
whitelisted
142.250.185.226:443
googleads.g.doubleclick.net
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
s6.dosya.tc
  • 157.90.180.51
whitelisted
accounts.google.com
  • 74.125.128.84
whitelisted
pagead2.googlesyndication.com
  • 142.250.186.66
  • 142.250.186.130
whitelisted
www.google-analytics.com
  • 142.250.185.206
whitelisted
googleads.g.doubleclick.net
  • 142.250.185.226
whitelisted
fundingchoicesmessages.google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted

Threats

PID
Process
Class
Message
7544
chrome.exe
Misc activity
ET INFO Temporary File Hosting Domain in DNS Lookup (tmpfiles .org)
7544
chrome.exe
Misc activity
ET INFO Observed Temporary File Hosting Domain (tmpfiles .org in TLS SNI)
7544
chrome.exe
Misc activity
ET INFO Observed Temporary File Hosting Domain (tmpfiles .org in TLS SNI)
7544
chrome.exe
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Domain Marked as Malicious (tmpfiles .org)
7544
chrome.exe
Misc activity
ET INFO Temporary File Hosting Domain in DNS Lookup (tmpfiles .org)
7544
chrome.exe
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Domain Marked as Malicious (tmpfiles .org)
7544
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7544
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3796
Launcher.exe
A Network Trojan was detected
STEALER [ANY.RUN] WASPstealer Gen. Connection Check
3796
Launcher.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://s6.dosya.tc/server21/o2e376/IPTV_CHECKER.rar.html