URL:

http://dasmalwerk.eu/

Full analysis: https://app.any.run/tasks/a113a111-83b2-4403-a22a-2b63f4c45254
Verdict: Malicious activity
Analysis date: August 08, 2023, 06:54:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MD5:

BFEFE9C6EB5288165D2522ED489FFE4A

SHA1:

1239B2F9266826F5B1808C0485E5822D4B336E62

SHA256:

5DB25CBA94050D458B70691903AB25FF7F5304A0669764BD06BB78945DCD2238

SSDEEP:

3:N1KaEWIEJK0f:Ca/INk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)

    • Application was dropped or rewritten from another process

      • DjvuApp.exe (PID: 1204)
      • DjvuApp.exe (PID: 3020)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • DjvuApp.exe (PID: 3300)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • DjvuApp.exe (PID: 620)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • DjvuApp.exe (PID: 1276)
      • DjvuApp.exe (PID: 2228)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)
      • DjvuApp.exe (PID: 2948)
      • DjvuApp.exe (PID: 284)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 6064)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4088)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4232)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5132)

    • Changes the autorun value in the registry

      • DjvuApp.exe (PID: 3300)
      • DjvuApp.exe (PID: 1276)
      • DjvuApp.exe (PID: 2948)

  • SUSPICIOUS

    • Reads the Internet Settings

      • rundll32.exe (PID: 896)
      • rundll32.exe (PID: 2588)
      • DjvuApp.exe (PID: 1276)
      • rundll32.exe (PID: 4964)

    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 1636)
      • WinRAR.exe (PID: 2912)
      • WinRAR.exe (PID: 1808)

    • Executable content was dropped or overwritten

      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)

    • Creates a software uninstall entry

      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)

    • Starts itself from another location

      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)

    • Checks for external IP

      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)

    • The process executes via Task Scheduler

      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4232)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 2880)
      • firefox.exe (PID: 2588)
      • firefox.exe (PID: 2776)
      • firefox.exe (PID: 3128)
      • msedge.exe (PID: 2924)
      • msedge.exe (PID: 3800)
      • firefox.exe (PID: 5568)

    • Reads the computer name

      • wmpnscfg.exe (PID: 3772)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)
      • DjvuApp.exe (PID: 1276)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5132)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4232)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4088)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 6064)

    • Checks supported languages

      • wmpnscfg.exe (PID: 3772)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • DjvuApp.exe (PID: 1204)
      • DjvuApp.exe (PID: 3020)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • DjvuApp.exe (PID: 3300)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • DjvuApp.exe (PID: 620)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)
      • DjvuApp.exe (PID: 1276)
      • DjvuApp.exe (PID: 2228)
      • DjvuApp.exe (PID: 2948)
      • DjvuApp.exe (PID: 284)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4088)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5132)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4232)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 6064)

    • The process checks LSA protection

      • wmpnscfg.exe (PID: 3772)
      • rundll32.exe (PID: 896)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)
      • DjvuApp.exe (PID: 1276)
      • rundll32.exe (PID: 2588)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)
      • rundll32.exe (PID: 4964)

    • The process uses the downloaded file

      • chrome.exe (PID: 2552)
      • chrome.exe (PID: 3900)
      • WinRAR.exe (PID: 1636)
      • chrome.exe (PID: 2596)
      • chrome.exe (PID: 2968)
      • WinRAR.exe (PID: 2912)
      • chrome.exe (PID: 2672)
      • WinRAR.exe (PID: 1808)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3772)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)
      • msedge.exe (PID: 3800)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)
      • WinRAR.exe (PID: 1808)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 4088)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5132)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 6064)

    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3772)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1636)
      • firefox.exe (PID: 2776)
      • WinRAR.exe (PID: 2912)
      • WinRAR.exe (PID: 1808)

    • Create files in a temporary directory

      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 284)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1388)
      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 1968)

    • Creates files or folders in the user directory

      • ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (PID: 2324)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5436)
      • a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe (PID: 5916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
90
Malicious processes
8
Suspicious processes
6

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs wmpnscfg.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs rundll32.exe no specs chrome.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe djvuapp.exe no specs djvuapp.exe no specs chrome.exe no specs ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe djvuapp.exe djvuapp.exe no specs ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe djvuapp.exe djvuapp.exe no specs ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe djvuapp.exe djvuapp.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe rundll32.exe no specs firefox.exe no specs firefox.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe chrome.exe no specs winrar.exe rundll32.exe no specs firefox.exe no specs firefox.exe no specs a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe no specs msedge.exe no specs a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe no specs a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe no specs a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1124,i,14363421786305986881,13176703260167491289,131072 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
280"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1864 --field-trial-handle=1124,i,14363421786305986881,13176703260167491289,131072 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
284"C:\Users\admin\Downloads\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe" C:\Users\admin\Downloads\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
explorer.exe
User:
admin
Company:
between him and my lord
Integrity Level:
MEDIUM
Description:
An unkind breach: but
Exit code:
0
Version:
20.32.14.1010
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\downloads\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
284"C:\Users\admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "write_patch_str_to_reg" "C:\Users\admin\Downloads\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe" "HKCU" "Software\DjvuApp" "intesq"C:\Users\admin\AppData\Roaming\DjvuApp\DjvuApp.exece978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
User:
admin
Company:
Ialkiyxli Zeuvfifqyu
Integrity Level:
MEDIUM
Description:
dpaveoh rimpeypse
Exit code:
0
Version:
9.19.201.12821
Modules
Images
c:\users\admin\appdata\roaming\djvuapp\djvuapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
448"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2960 --field-trial-handle=1124,i,14363421786305986881,13176703260167491289,131072 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
488"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2008 --field-trial-handle=1124,i,14363421786305986881,13176703260167491289,131072 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
620"C:\Users\admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "write_patch_str_to_reg" "C:\Users\admin\Downloads\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe" "HKCU" "Software\DjvuApp" "intesq"C:\Users\admin\AppData\Roaming\DjvuApp\DjvuApp.exece978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
User:
admin
Company:
Ialkiyxli Zeuvfifqyu
Integrity Level:
MEDIUM
Description:
dpaveoh rimpeypse
Exit code:
0
Version:
9.19.201.12821
Modules
Images
c:\users\admin\appdata\roaming\djvuapp\djvuapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
668"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1420 --field-trial-handle=1124,i,14363421786305986881,13176703260167491289,131072 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
896"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb1636.24282\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7dC:\Windows\System32\rundll32.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1204"C:\Users\admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "first_run" "C:\Users\admin\Downloads\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe"C:\Users\admin\AppData\Roaming\DjvuApp\DjvuApp.exece978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
User:
admin
Company:
Ialkiyxli Zeuvfifqyu
Integrity Level:
MEDIUM
Description:
dpaveoh rimpeypse
Exit code:
0
Version:
9.19.201.12821
Modules
Images
c:\users\admin\appdata\roaming\djvuapp\djvuapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
33 576
Read events
33 034
Write events
538
Delete events
4

Modification events

(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
1
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(2880) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid_installdate
Value:
0
(PID) Process:(2880) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid_enableddate
Value:
0
Executable files
20
Suspicious files
396
Text files
182
Unknown types
19

Dropped files

PID
Process
Filename
Type
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF4672ab.TMP
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Variationsbinary
MD5:961E3604F228B0D10541EBF921500C86
SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF4684ac.TMP
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF4672ab.TMPtext
MD5:CDCC923CEC2CD9228330551E6946A9C2
SHA256:592F4750166BE662AA88728F9969537163FEC5C3E95E81537C8C6917F8D0929E
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.oldtext
MD5:65635E713D5CFC914717D1CC4CAC6989
SHA256:4CB3EEB0369758290ABD7868DFD85D663C4AEF6C727FFF43BE693FDDBD0A6C28
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old~RF467402.TMPtext
MD5:0917C6BFC618ACD47C1F53C7E7FFFF9C
SHA256:A5CAF56982DA7AE34B201E8609610786B4730371EF0812B7D418A2F9B73547BC
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:513218482935B0D388C0A990D868387A
SHA256:8E39CBAAF4AACC3A01AFA74EA8C30FB24FE69A22B8B30728AFB1614FD68809D9
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF4672ab.TMPtext
MD5:D5C9ECBD2DCA29D89266782824D7AF99
SHA256:D22D1243ACC064A30823180D0E583C853E9395367C78C2AD9DE59A463904F702
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
54
DNS requests
34
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
860
svchost.exe
HEAD
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhlaaeamibhnphh_3_all_gplutbkdljxxbjolk3siq7kive.crx3
US
whitelisted
860
svchost.exe
HEAD
209.197.3.8:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ec243c2e-e29f-46d6-92ef-c60f8cfa76e0?P1=1692046558&P2=404&P3=2&P4=XGMGGgwZivtdSkKoNDtiovgjyTGrBS9ffdZsuwgp0iKAWFVyirkWbHj2wztvVWjKxvXi3Lz80moYhZ8WDm4C%2fA%3d%3d
US
whitelisted
3384
chrome.exe
GET
404
3.33.152.147:80
http://dasmalwerk.eu/favicon.ico
US
html
125 b
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhlaaeamibhnphh_3_all_gplutbkdljxxbjolk3siq7kive.crx3
US
binary
1.10 Mb
whitelisted
3384
chrome.exe
GET
200
3.33.152.147:80
http://dasmalwerk.eu/
US
html
334 b
whitelisted
5916
a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe
GET
200
34.160.111.145:80
http://myexternalip.com/raw
US
text
12 b
shared
860
svchost.exe
GET
206
209.197.3.8:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ec243c2e-e29f-46d6-92ef-c60f8cfa76e0?P1=1692046558&P2=404&P3=2&P4=XGMGGgwZivtdSkKoNDtiovgjyTGrBS9ffdZsuwgp0iKAWFVyirkWbHj2wztvVWjKxvXi3Lz80moYhZ8WDm4C%2fA%3d%3d
US
binary
10.2 Kb
whitelisted
860
svchost.exe
GET
206
209.197.3.8:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ec243c2e-e29f-46d6-92ef-c60f8cfa76e0?P1=1692046558&P2=404&P3=2&P4=XGMGGgwZivtdSkKoNDtiovgjyTGrBS9ffdZsuwgp0iKAWFVyirkWbHj2wztvVWjKxvXi3Lz80moYhZ8WDm4C%2fA%3d%3d
US
binary
10.1 Kb
whitelisted
860
svchost.exe
GET
206
209.197.3.8:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ec243c2e-e29f-46d6-92ef-c60f8cfa76e0?P1=1692046558&P2=404&P3=2&P4=XGMGGgwZivtdSkKoNDtiovgjyTGrBS9ffdZsuwgp0iKAWFVyirkWbHj2wztvVWjKxvXi3Lz80moYhZ8WDm4C%2fA%3d%3d
US
binary
44.8 Kb
whitelisted
860
svchost.exe
GET
206
209.197.3.8:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ec243c2e-e29f-46d6-92ef-c60f8cfa76e0?P1=1692046558&P2=404&P3=2&P4=XGMGGgwZivtdSkKoNDtiovgjyTGrBS9ffdZsuwgp0iKAWFVyirkWbHj2wztvVWjKxvXi3Lz80moYhZ8WDm4C%2fA%3d%3d
US
binary
10.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2640
svchost.exe
239.255.255.250:1900
whitelisted
3384
chrome.exe
142.250.186.141:443
accounts.google.com
GOOGLE
US
whitelisted
2880
chrome.exe
239.255.255.250:1900
whitelisted
3384
chrome.exe
3.33.152.147:80
dasmalwerk.eu
AMAZON-02
US
malicious
3384
chrome.exe
54.78.134.111:443
das-malwerk.herokuapp.com
AMAZON-02
IE
suspicious
3384
chrome.exe
216.58.206.36:443
www.google.com
GOOGLE
US
whitelisted
3384
chrome.exe
104.18.11.207:443
maxcdn.bootstrapcdn.com
CLOUDFLARENET
suspicious
3384
chrome.exe
69.16.175.42:443
code.jquery.com
STACKPATH-CDN
US
malicious
3384
chrome.exe
104.17.24.14:443
cdnjs.cloudflare.com
CLOUDFLARENET
suspicious
3384
chrome.exe
216.58.212.10:443
safebrowsing.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
dasmalwerk.eu
  • 3.33.152.147
  • 15.197.142.173
whitelisted
accounts.google.com
  • 142.250.186.141
shared
das-malwerk.herokuapp.com
  • 54.78.134.111
  • 54.228.42.199
  • 34.241.115.67
unknown
www.google.com
  • 216.58.206.36
malicious
maxcdn.bootstrapcdn.com
  • 104.18.11.207
  • 104.18.10.207
whitelisted
code.jquery.com
  • 69.16.175.42
  • 69.16.175.10
whitelisted
cdnjs.cloudflare.com
  • 104.17.24.14
  • 104.17.25.14
whitelisted
safebrowsing.googleapis.com
  • 216.58.212.10
whitelisted
fonts.googleapis.com
  • 216.58.212.42
whitelisted
fonts.gstatic.com
  • 142.250.186.99
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE User-Agent (Xmaker)
5916
a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Check myexternalip.com
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://dasmalwerk.eu/