analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.upload.ee/files/14438830/ItroublveTSC.v6.Fix.7.2.rar.html.https://discord.com/api/webhooks/1091802354430525503/bDem94QCZ2RFPegT4yKa8zb01Q0l0tZqQArD8efKr7x2fH33Eqn-5eRhDCCJmChxkhRs

Full analysis: https://app.any.run/tasks/b37eb4dd-910b-402c-b31c-8afc5cc782f5
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 19:18:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MD5:

89EE91F913DE12DA5443EC8A4F21974C

SHA1:

45BD1C9605580B4DBE6A0AF331E76AA185B65816

SHA256:

62927F9DA0053901EC5AEB072A83115C74D2830FDB95F743693C157605C5F9F8

SSDEEP:

3:N8DSLr7MJmUDKizdU2QLWSjLzP6U8XkTFztfiQXQzQ2T1nXcLh7UpZCVD7A3apNm:2OLr0nrvQLBLzSUzUzh1Xsh7UvCW3eW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ItroublveTSC.exe (PID: 1584)
      • RUN.exe (PID: 3036)
      • ItroublveTSC.exe (PID: 1764)
      • RealtekAudio.exe (PID: 3816)
      • CLI.exe (PID: 2408)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1936)

    • Create files in the Startup directory

      • RealtekAudio.exe (PID: 3816)

    • NJRAT detected by memory dumps

      • RealtekAudio.exe (PID: 3816)

    • Starts Visual C# compiler

      • MSBuild.exe (PID: 1068)

    • Changes the autorun value in the registry

      • RealtekAudio.exe (PID: 3816)

    • NjRAT is detected

      • RealtekAudio.exe (PID: 3816)

    • Actions looks like stealing of personal data

      • RtkBtManServ.exe (PID: 3580)

  • SUSPICIOUS

    • Reads the Internet Settings

      • ItroublveTSC.exe (PID: 1584)
      • ItroublveTSC.exe (PID: 1764)
      • RUN.exe (PID: 3036)
      • wscript.exe (PID: 2640)
      • CLI.exe (PID: 2408)
      • RtkBtManServ.exe (PID: 3580)
      • fsdfdsfds.exe (PID: 1808)

    • Executable content was dropped or overwritten

      • ItroublveTSC.exe (PID: 1584)
      • RUN.exe (PID: 3036)
      • RealtekAudio.exe (PID: 3816)
      • ItroublveTSC.exe (PID: 1764)
      • cmd.exe (PID: 1504)
      • MSBuild.exe (PID: 1068)
      • csc.exe (PID: 4084)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Starts itself from another location

      • RUN.exe (PID: 3036)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • RealtekAudio.exe (PID: 3816)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2640)

    • The process executes VB scripts

      • ItroublveTSC.exe (PID: 1764)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2640)

    • Reads browser cookies

      • RtkBtManServ.exe (PID: 3580)

    • Reads settings of System Certificates

      • RtkBtManServ.exe (PID: 3580)

  • INFO

    • The process checks LSA protection

      • explorer.exe (PID: 3896)
      • ItroublveTSC.exe (PID: 1584)
      • ItroublveTSC.exe (PID: 1764)
      • RUN.exe (PID: 3036)
      • netsh.exe (PID: 3248)
      • RealtekAudio.exe (PID: 3816)
      • MSBuild.exe (PID: 1068)
      • csc.exe (PID: 4084)
      • cvtres.exe (PID: 2900)
      • CLI.exe (PID: 2408)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Manual execution by a user

      • explorer.exe (PID: 3896)
      • WinRAR.exe (PID: 2644)
      • ItroublveTSC.exe (PID: 1584)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)

    • The process uses the downloaded file

      • chrome.exe (PID: 2348)
      • WinRAR.exe (PID: 2644)

    • Create files in a temporary directory

      • chrome.exe (PID: 1900)
      • ItroublveTSC.exe (PID: 1584)
      • MSBuild.exe (PID: 1068)
      • cvtres.exe (PID: 2900)
      • csc.exe (PID: 4084)
      • ItroublveTSC.exe (PID: 1764)
      • CLI.exe (PID: 2408)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Application launched itself

      • chrome.exe (PID: 1900)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2644)

    • Checks supported languages

      • ItroublveTSC.exe (PID: 1584)
      • RUN.exe (PID: 3036)
      • ItroublveTSC.exe (PID: 1764)
      • RealtekAudio.exe (PID: 3816)
      • MSBuild.exe (PID: 1068)
      • csc.exe (PID: 4084)
      • cvtres.exe (PID: 2900)
      • CLI.exe (PID: 2408)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Reads the computer name

      • ItroublveTSC.exe (PID: 1584)
      • ItroublveTSC.exe (PID: 1764)
      • RUN.exe (PID: 3036)
      • RealtekAudio.exe (PID: 3816)
      • MSBuild.exe (PID: 1068)
      • CLI.exe (PID: 2408)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Reads Environment values

      • ItroublveTSC.exe (PID: 1764)
      • RealtekAudio.exe (PID: 3816)
      • RtkBtManServ.exe (PID: 3580)

    • Reads the machine GUID from the registry

      • ItroublveTSC.exe (PID: 1764)
      • RUN.exe (PID: 3036)
      • RealtekAudio.exe (PID: 3816)
      • MSBuild.exe (PID: 1068)
      • csc.exe (PID: 4084)
      • cvtres.exe (PID: 2900)
      • CLI.exe (PID: 2408)
      • fsdfdsfds.exe (PID: 1808)
      • fsdfdsfds.exe (PID: 1648)
      • RtkBtManServ.exe (PID: 3580)

    • Creates files or folders in the user directory

      • RUN.exe (PID: 3036)
      • RealtekAudio.exe (PID: 3816)

    • [YARA] Firewall manipulation strings were found

      • RealtekAudio.exe (PID: 3816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(3816) RealtekAudio.exe
Versionim523
Options
Splitter|'|'|
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\15d7b7890e8fe50c4b0c800e4196a491
BotnetHacKed
Ports1194
C2unrealconnection.ddns.net
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
38
Malicious processes
13
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe searchprotocolhost.exe no specs itroublvetsc.exe run.exe itroublvetsc.exe chrome.exe no specs #NJRAT realtekaudio.exe chrome.exe no specs netsh.exe no specs chrome.exe no specs wscript.exe no specs cmd.exe msbuild.exe csc.exe cvtres.exe no specs cli.exe no specs chrome.exe no specs chrome.exe no specs fsdfdsfds.exe no specs fsdfdsfds.exe rtkbtmanserv.exe chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1900"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "https://www.upload.ee/files/14438830/ItroublveTSC.v6.Fix.7.2.rar.html.https://discord.com/api/webhooks/1091802354430525503/bDem94QCZ2RFPegT4yKa8zb01Q0l0tZqQArD8efKr7x2fH33Eqn-5eRhDCCJmChxkhRs"C:\Program Files\Google\Chrome\Application\chrome.exeexplorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
2456"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6f3dd988,0x6f3dd998,0x6f3dd9a4C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
3368"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1076 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
3344"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1228 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
3892"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
3728"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
2584"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
3528"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1064 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
2328"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
2644"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,15243313652361588440,6038570522072725167,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
Total events
54 874
Read events
54 042
Write events
788
Delete events
44

Modification events

(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(1900) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid_installdate
Value:
0
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid_enableddate
Value:
0
(PID) Process:(1900) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
1
Executable files
116
Suspicious files
116
Text files
382
Unknown types
26

Dropped files

PID
Process
Filename
Type
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-642883A2-76C.pma
MD5:
SHA256:
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\dcb7453d-6896-4870-a951-ca96fdfbca45.tmptext
MD5:A97B6D449E8C5802E12F26E66981F895
SHA256:ABB8110FF4DD2FB5203D380CF69607152D537CDC735837E466FB64250EE85439
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:8FF312A95D60ED89857FEB720D80D4E1
SHA256:946A57FAFDD28C3164D5AB8AB4971B21BD5EC5BFFF7554DBF832CB58CC37700B
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:00046F773EFDD3C8F8F6D0F87A2B93DC
SHA256:593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldtext
MD5:7721CDA9F5B73CE8A135471EB53B4E0E
SHA256:DD730C576766A46FFC84E682123248ECE1FF1887EC0ACAB22A5CE93A450F4500
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF24f4b1.TMPtext
MD5:B628564B8042F6E2CC2F53710AAECDC0
SHA256:1D3B022BDEE9F48D79E3EC1E93F519036003642D3D72D10B05CFD47F43EFBF13
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF24f2fc.TMPtext
MD5:64AD8ED3E666540337BA541C549F72F7
SHA256:BECBDB08B5B37D203A85F2E974407334053BB1D2270F0B3C9A4DB963896F2206
2456chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pmabinary
MD5:03C4F648043A88675A920425D824E1B3
SHA256:F91DBB7C64B4582F529C968C480D2DCE1C8727390482F31E4355A27BB3D9B450
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF24f2fc.TMPtext
MD5:936EB7280DA791E6DD28EF3A9B46D39C
SHA256:CBAF2AFD831B32F6D1C12337EE5D2F090D6AE1F4DCB40B08BEF49BF52AD9721F
1900chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
38
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
860
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q
US
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3
US
binary
5.55 Kb
whitelisted
860
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3
US
binary
5.89 Kb
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3
US
binary
10.3 Kb
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3
US
binary
48.5 Kb
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3
US
binary
8.50 Kb
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3
US
binary
88.0 Kb
whitelisted
860
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3
US
crx
3.72 Kb
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3
US
binary
5.89 Kb
whitelisted
860
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3
US
ini
21.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3344
chrome.exe
142.250.186.46:443
clients2.google.com
GOOGLE
US
whitelisted
3344
chrome.exe
51.91.30.159:443
www.upload.ee
OVH SAS
FR
suspicious
3344
chrome.exe
142.250.181.225:443
clients2.googleusercontent.com
GOOGLE
US
whitelisted
3344
chrome.exe
172.217.16.130:443
pagead2.googlesyndication.com
GOOGLE
US
whitelisted
3344
chrome.exe
142.250.185.77:443
accounts.google.com
GOOGLE
US
suspicious
3344
chrome.exe
142.250.186.104:443
www.googletagmanager.com
GOOGLE
US
suspicious
3344
chrome.exe
142.250.184.234:443
content-autofill.googleapis.com
GOOGLE
US
whitelisted
3344
chrome.exe
172.217.23.98:443
googleads.g.doubleclick.net
GOOGLE
US
whitelisted
3344
chrome.exe
172.217.16.206:443
www.google-analytics.com
GOOGLE
US
whitelisted
3344
chrome.exe
142.250.186.68:443
www.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
accounts.google.com
  • 142.250.185.77
shared
clients2.google.com
  • 142.250.186.46
whitelisted
www.upload.ee
  • 51.91.30.159
whitelisted
clients2.googleusercontent.com
  • 142.250.181.225
whitelisted
www.googletagmanager.com
  • 142.250.186.104
whitelisted
pagead2.googlesyndication.com
  • 172.217.16.130
whitelisted
content-autofill.googleapis.com
  • 142.250.184.234
  • 172.217.16.202
  • 142.250.186.170
  • 172.217.18.10
  • 142.250.186.74
  • 142.250.184.202
  • 172.217.16.138
  • 142.250.186.106
  • 142.250.181.234
  • 142.250.186.42
  • 142.250.186.138
  • 142.250.185.234
  • 142.250.185.202
  • 142.250.185.170
  • 142.250.185.138
  • 142.250.185.106
whitelisted
googleads.g.doubleclick.net
  • 172.217.23.98
whitelisted
www.google-analytics.com
  • 172.217.16.206
whitelisted
www.google.com
  • 142.250.186.68
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .gq Domain
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3580
RtkBtManServ.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
3580
RtkBtManServ.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.upload.ee/files/14438830/ItroublveTSC.v6.Fix.7.2.rar.html.https://discord.com/api/webhooks/1091802354430525503/bDem94QCZ2RFPegT4yKa8zb01Q0l0tZqQArD8efKr7x2fH33Eqn-5eRhDCCJmChxkhRs