analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Only_for_fans.zip

Full analysis: https://app.any.run/tasks/4a5b92e9-7d92-46da-9d28-b1502a5ea1bc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 11, 2023, 08:53:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
albumstealer
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C0C3F403C9087589A67E1BA97282D989

SHA1:

653A26FD0AE4595EBCA56EAC73412E69E58D39A1

SHA256:

62C9872A186C19CE6BF1A4BB8FECFE7E5F02CBF6BFA34A23B9D07165B4ECF085

SSDEEP:

98304:hKbehFf5L1WpUvXo8suvrZhRzaGX5Jo3aOVF6AtCQXKqAqE943GhtvvIahAkQUH9:ldJMFRZG2LlLn+CU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • The DLL Hijacking

      • cmd.exe (PID: 1420)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1716)
      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 1168)

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 2556)
      • php.exe (PID: 1776)
      • php.exe (PID: 2520)
      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 2204)
      • php.exe (PID: 1476)
      • avast_64.exe (PID: 2456)
      • chromium_32.exe (PID: 4920)
      • chromium_32.exe (PID: 3124)
      • powershell.exe (PID: 568)

    • ALBUMSTEALER has been detected (SURICATA)

      • php.exe (PID: 1476)

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 308)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 568)

    • Steals credentials

      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)

    • Actions looks like stealing of personal data

      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)
      • avast_64.exe (PID: 2456)
      • powershell.exe (PID: 568)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • WinRAR.exe (PID: 3028)
      • php.exe (PID: 1776)
      • php.exe (PID: 2204)
      • php.exe (PID: 1476)
      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)

    • The process drops C-runtime libraries

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • php.exe (PID: 2204)

    • Starts CMD.EXE for commands execution

      • php.exe (PID: 1776)
      • php.exe (PID: 2520)
      • rhc.exe (PID: 2964)
      • cmd.exe (PID: 3048)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1308)
      • php.exe (PID: 1476)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 3048)
      • rhc.exe (PID: 2964)
      • php.exe (PID: 1776)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1284)
      • cmd.exe (PID: 2692)
      • powershell.exe (PID: 1716)
      • powershell.exe (PID: 2556)
      • cmd.exe (PID: 2188)
      • cmd.exe (PID: 2528)
      • cmd.exe (PID: 2724)

    • Application launched itself

      • cmd.exe (PID: 3048)
      • powershell.exe (PID: 1716)
      • powershell.exe (PID: 2556)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 2692)
      • powershell.exe (PID: 2556)

    • The process executes via Task Scheduler

      • rhc.exe (PID: 2204)
      • rhc.exe (PID: 752)
      • rhc.exe (PID: 3760)
      • rhc.exe (PID: 3988)
      • rhc.exe (PID: 4132)

    • Process requests binary or script from the Internet

      • php.exe (PID: 2520)
      • php.exe (PID: 1308)
      • php.exe (PID: 1476)
      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 568)

    • Reads the Internet Settings

      • powershell.exe (PID: 2556)
      • php.exe (PID: 636)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3124)
      • powershell.exe (PID: 568)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)

    • Unusual connection from system programs

      • powershell.exe (PID: 2556)
      • powershell.exe (PID: 568)

    • Reads settings of System Certificates

      • php.exe (PID: 636)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2176)
      • cmd.exe (PID: 3016)

    • Checks Windows Trust Settings

      • avast_64.exe (PID: 2456)

    • Reads security settings of Internet Explorer

      • avast_64.exe (PID: 2456)

  • INFO

    • Checks supported languages

      • php.exe (PID: 2520)
      • rhc.exe (PID: 572)
      • rhc.exe (PID: 2964)
      • rhc.exe (PID: 2204)
      • php.exe (PID: 2120)
      • Canon.exe (PID: 904)
      • php.exe (PID: 1776)
      • php.exe (PID: 636)
      • rhc.exe (PID: 752)
      • php.exe (PID: 2204)
      • rhc.exe (PID: 2688)
      • php.exe (PID: 1308)
      • rhc.exe (PID: 1664)
      • php.exe (PID: 1476)
      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 2296)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 3000)
      • worker.exe (PID: 2800)
      • worker.exe (PID: 2300)
      • worker.exe (PID: 2932)
      • worker.exe (PID: 3052)
      • worker.exe (PID: 2880)
      • worker.exe (PID: 2416)
      • worker.exe (PID: 2524)
      • worker.exe (PID: 2968)
      • worker.exe (PID: 2208)
      • worker.exe (PID: 3024)
      • worker.exe (PID: 1632)
      • worker.exe (PID: 1492)
      • worker.exe (PID: 2420)
      • worker.exe (PID: 304)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3384)
      • worker.exe (PID: 3344)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3416)
      • worker.exe (PID: 3592)
      • rhc.exe (PID: 3760)
      • worker.exe (PID: 3668)
      • php.exe (PID: 3768)
      • worker.exe (PID: 3976)
      • worker.exe (PID: 3828)
      • worker.exe (PID: 4048)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 304)
      • chromium_32.exe (PID: 2628)
      • chromium_32.exe (PID: 1732)
      • chromium_32.exe (PID: 1764)
      • chromium_32.exe (PID: 3396)
      • chromium_32.exe (PID: 3764)
      • chromium_32.exe (PID: 2568)
      • chromium_32.exe (PID: 2676)
      • chromium_32.exe (PID: 3824)
      • chromium_32.exe (PID: 1200)
      • chromium_32.exe (PID: 988)
      • chromium_32.exe (PID: 1420)
      • chromium_32.exe (PID: 1764)
      • worker.exe (PID: 1652)
      • chromium_32.exe (PID: 3164)
      • chromium_32.exe (PID: 3212)
      • chromium_32.exe (PID: 3216)
      • chromium_32.exe (PID: 3764)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 3552)
      • chromium_32.exe (PID: 3632)
      • chromium_32.exe (PID: 3868)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4112)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4284)
      • chromium_32.exe (PID: 4224)
      • chromium_32.exe (PID: 4628)
      • chromium_32.exe (PID: 4364)
      • chromium_32.exe (PID: 4760)
      • worker.exe (PID: 4992)
      • worker.exe (PID: 5084)
      • chromium_32.exe (PID: 4636)
      • chromium_32.exe (PID: 3200)
      • chromium_32.exe (PID: 4032)
      • chromium_32.exe (PID: 3796)
      • chromium_32.exe (PID: 4008)
      • chromium_32.exe (PID: 4100)
      • chromium_32.exe (PID: 4448)
      • chromium_32.exe (PID: 4708)
      • chromium_32.exe (PID: 4920)
      • chromium_32.exe (PID: 4716)
      • chromium_32.exe (PID: 4760)
      • php.exe (PID: 4508)
      • rhc.exe (PID: 3988)
      • chromium_32.exe (PID: 3172)
      • worker.exe (PID: 3980)
      • chromium_32.exe (PID: 3252)
      • chromium_32.exe (PID: 4444)
      • chromium_32.exe (PID: 3508)
      • chromium_32.exe (PID: 4456)
      • chromium_32.exe (PID: 3244)
      • chromium_32.exe (PID: 1564)
      • worker.exe (PID: 4320)
      • worker.exe (PID: 4428)
      • worker.exe (PID: 4332)
      • chromium_32.exe (PID: 4572)
      • worker.exe (PID: 2060)
      • rhc.exe (PID: 4132)
      • worker.exe (PID: 4236)
      • worker.exe (PID: 2760)
      • worker.exe (PID: 2668)
      • chromium_32.exe (PID: 5080)
      • chromium_32.exe (PID: 1164)
      • chromium_32.exe (PID: 4148)
      • chromium_32.exe (PID: 3964)
      • chromium_32.exe (PID: 1460)
      • php.exe (PID: 4244)

    • Reads the computer name

      • php.exe (PID: 1776)
      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 2520)
      • php.exe (PID: 2120)
      • Canon.exe (PID: 904)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1308)
      • php.exe (PID: 1476)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 3000)
      • worker.exe (PID: 2932)
      • worker.exe (PID: 2880)
      • worker.exe (PID: 2524)
      • worker.exe (PID: 2968)
      • worker.exe (PID: 2208)
      • worker.exe (PID: 1632)
      • worker.exe (PID: 2420)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • php.exe (PID: 3768)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 2628)
      • chromium_32.exe (PID: 1764)
      • chromium_32.exe (PID: 3764)
      • chromium_32.exe (PID: 1420)
      • worker.exe (PID: 1652)
      • chromium_32.exe (PID: 3164)
      • chromium_32.exe (PID: 3212)
      • chromium_32.exe (PID: 3632)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4628)
      • chromium_32.exe (PID: 4760)
      • php.exe (PID: 4508)
      • chromium_32.exe (PID: 4100)
      • chromium_32.exe (PID: 1764)
      • php.exe (PID: 4244)

    • Manual execution by a user

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)

    • Creates files in the program directory

      • Onlyfans Leak (Photos & Videos).exe (PID: 712)
      • php.exe (PID: 1776)
      • php.exe (PID: 2520)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • php.exe (PID: 1476)
      • php.exe (PID: 1308)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3028)

    • Reads the machine GUID from the registry

      • php.exe (PID: 2120)
      • php.exe (PID: 636)
      • php.exe (PID: 2204)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 2968)
      • php.exe (PID: 3768)
      • chromium_32.exe (PID: 3124)
      • worker.exe (PID: 1652)
      • chromium_32.exe (PID: 3164)
      • chromium_32.exe (PID: 4100)
      • php.exe (PID: 4508)
      • php.exe (PID: 4244)

    • Creates files or folders in the user directory

      • php.exe (PID: 636)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • worker.exe (PID: 3000)
      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 2628)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)

    • Reads Environment values

      • avast_64.exe (PID: 2456)

    • Create files in a temporary directory

      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3124)

    • The executable file from the user directory is run by the Powershell process

      • worker.exe (PID: 3004)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 568)
      • avast_64.exe (PID: 2456)
      • worker.exe (PID: 4992)
      • worker.exe (PID: 3004)
      • chromium_32.exe (PID: 3252)
      • chromium_32.exe (PID: 3124)

    • Process checks computer location settings

      • worker.exe (PID: 3004)
      • worker.exe (PID: 2300)
      • worker.exe (PID: 3052)
      • worker.exe (PID: 2416)
      • worker.exe (PID: 3024)
      • worker.exe (PID: 3384)
      • worker.exe (PID: 3416)
      • worker.exe (PID: 1492)
      • worker.exe (PID: 3668)
      • worker.exe (PID: 3828)
      • chromium_32.exe (PID: 2568)
      • chromium_32.exe (PID: 3396)
      • chromium_32.exe (PID: 2676)
      • chromium_32.exe (PID: 3124)
      • chromium_32.exe (PID: 1200)
      • chromium_32.exe (PID: 3824)
      • chromium_32.exe (PID: 3216)
      • chromium_32.exe (PID: 3868)
      • chromium_32.exe (PID: 4284)
      • chromium_32.exe (PID: 4456)
      • chromium_32.exe (PID: 4364)
      • worker.exe (PID: 5084)
      • chromium_32.exe (PID: 3200)
      • chromium_32.exe (PID: 4032)
      • chromium_32.exe (PID: 3796)
      • chromium_32.exe (PID: 4448)
      • chromium_32.exe (PID: 3508)
      • chromium_32.exe (PID: 4708)
      • chromium_32.exe (PID: 4716)
      • chromium_32.exe (PID: 4760)
      • chromium_32.exe (PID: 1564)
      • chromium_32.exe (PID: 3172)
      • chromium_32.exe (PID: 4572)
      • chromium_32.exe (PID: 3244)
      • chromium_32.exe (PID: 1460)
      • worker.exe (PID: 2760)
      • worker.exe (PID: 4236)
      • worker.exe (PID: 2060)
      • chromium_32.exe (PID: 1164)
      • chromium_32.exe (PID: 4148)
      • chromium_32.exe (PID: 3964)
      • chromium_32.exe (PID: 5080)

    • Checks proxy server information

      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)

    • The process uses the downloaded file

      • worker.exe (PID: 3252)
      • worker.exe (PID: 3408)
      • worker.exe (PID: 3976)
      • chromium_32.exe (PID: 3740)
      • chromium_32.exe (PID: 4120)
      • chromium_32.exe (PID: 4760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (36.3)

EXIF

ZIP

ZipFileName: Only_for_fans/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2023:12:11 07:59:46
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
236
Monitored processes
142
Malicious processes
22
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe no specs onlyfans leak (photos & videos).exe no specs php.exe no specs cmd.exe no specs PhotoViewer.dll no specs cmd.exe no specs rhc.exe no specs php.exe cmd.exe no specs rhc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs rhc.exe no specs php.exe powershell.exe powershell.exe no specs cmd.exe no specs canon.exe no specs rhc.exe no specs php.exe cmd.exe no specs php.exe cmd.exe no specs rhc.exe no specs php.exe cmd.exe no specs rhc.exe no specs #ALBUMSTEALER php.exe cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs avast_64.exe cmd.exe no specs powershell.exe worker.exe worker.exe no specs worker.exe no specs worker.exe worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs rhc.exe no specs php.exe worker.exe no specs worker.exe no specs worker.exe no specs chromium_32.exe chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs rhc.exe no specs php.exe worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs chromium_32.exe no specs chromium_32.exe no specs worker.exe no specs worker.exe no specs worker.exe no specs rhc.exe no specs php.exe chromium_32.exe no specs chromium_32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3028"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Only_for_fans.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
712"C:\Users\admin\Desktop\Only_for_fans\Onlyfans Leak (Photos & Videos).exe" C:\Users\admin\Desktop\Only_for_fans\Onlyfans Leak (Photos & Videos).exeexplorer.exe
User:
admin
Company:
Western Digital Technologies, Inc.
Integrity Level:
MEDIUM
Description:
WD Sync Service
Exit code:
0
Version:
1.0.6698.8728
Modules
Images
c:\users\admin\desktop\only_for_fans\onlyfans leak (photos & videos).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
1776"C:\ProgramData\ContentData\php.exe" "C:\ProgramData\ContentData\test.php" "Onlyfans Leak (Photos & Videos)"C:\ProgramData\ContentData\php.exeOnlyfans Leak (Photos & Videos).exe
User:
admin
Company:
The PHP Group
Integrity Level:
MEDIUM
Description:
CLI
Exit code:
0
Version:
5.6.9
Modules
Images
c:\programdata\contentdata\php.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1420cmd.exe /c start "" "C:\ProgramData\ContentData\img/1.jpg"C:\Windows\SysWOW64\cmd.exephp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1616C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2404cmd.exe /c ""C:\ProgramData\CloudContent\rhc.exe" "C:\ProgramData\CloudContent\php.exe" "C:\ProgramData\CloudContent\include.php""C:\Windows\SysWOW64\cmd.exephp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
572"C:\ProgramData\CloudContent\rhc.exe" "C:\ProgramData\CloudContent\php.exe" "C:\ProgramData\CloudContent\include.php"C:\ProgramData\CloudContent\rhc.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\cloudcontent\rhc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2520"C:\ProgramData\CloudContent\php.exe" "C:\ProgramData\CloudContent\include.php"C:\ProgramData\CloudContent\php.exe
rhc.exe
User:
admin
Company:
The PHP Group
Integrity Level:
MEDIUM
Description:
CLI
Exit code:
0
Version:
5.6.9
Modules
Images
c:\programdata\cloudcontent\php.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
908cmd.exe /c ""C:\ProgramData\CloudContent\rhc.exe" "C:\ProgramData\install.bat""C:\Windows\SysWOW64\cmd.exephp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2964"C:\ProgramData\CloudContent\rhc.exe" "C:\ProgramData\install.bat"C:\ProgramData\CloudContent\rhc.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\cloudcontent\rhc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
23 006
Read events
22 733
Write events
244
Delete events
29

Modification events

(PID) Process:(3028) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
(PID) Process:(3028) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
158
Suspicious files
1 968
Text files
463
Unknown types
21

Dropped files

PID
Process
Filename
Type
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_ioncube.dllexecutable
MD5:C57D5F4EC2992E6B06E891D09DCC3E32
SHA256:4B6F679AB3DA317EE310D5BD482B41A77F5EBF1FC0D514D3595C3D16DB6E7327
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\Onlyfans Leak (Photos & Videos).exeexecutable
MD5:37932FD952D6D845927F25F42CB3C628
SHA256:CB807472BB6D4D1113FCBC209D6A08FA80FF9E53C83B1AA37F9D6F549AFFD68C
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_fileinfo.dllexecutable
MD5:F53C9423BD798BE924215B6D50DD57E1
SHA256:1132E7E1CD973F0D44DA001BC64AC36A061B69192C9D8EA175CD73E94100BCC0
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_mbstring.dllexecutable
MD5:91E97C0EBBE5A7053B9396B1E376283D
SHA256:6653E52F3A7D12AFC5E1D5922A73D56A9D914864A1F882004E986EA210005B61
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_curl.dllexecutable
MD5:C8CCE26E1F5C4EBCAF7D4F6F9CF6F994
SHA256:05C99429E208BC9F345C791E16DD3F68EC628186D64E2ACBC7F2F6DCC877BF11
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_com_dotnet.dllexecutable
MD5:E6356BB0442E22F4C833C8F3FAA12E54
SHA256:E7ACC59480842E662351C2026F08AB67971EE33C34C663CE509A4C9473E643FA
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\php.exeexecutable
MD5:A1FE2FE70B38F91230CB5F4CA22B2C0C
SHA256:702D09E982E2AF6BF5D828BB1D27BD3A48EFCAB7CF8837B023953354C4026550
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\ext\php_pdo_sqlite.dllexecutable
MD5:233FA83055777DFC5602C15E049E381B
SHA256:8B46AB99DAD214F30FF11DAF08D6B77041165875A04B3D4DC16CDFCFE73CA625
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\libeay32.dllexecutable
MD5:D02143376CDEA15B313A398A4CAF3735
SHA256:FE5CEEFEDCEC83D40BD63A7CC2D4AE4012B3F59F1098638056FDC1A477D405F7
3028WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3028.29502\Only_for_fans\__MACOSX\php.initext
MD5:DC20E139CCDCF3AB7037A18E52A00755
SHA256:9D2ACEC331A9E21AC406C8C469F68D943BCA1503F9034A1BDD81664C993A9235
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
74
TCP/UDP connections
150
DNS requests
164
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
636
php.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/E1C950E6EF22F84C5645728B922060D7D5A7A3E8.crt?1ca642cfdbc1f31c
unknown
binary
1.34 Kb
unknown
636
php.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8d9505767529154a
unknown
compressed
4.66 Kb
unknown
636
php.exe
GET
200
216.239.32.29:80
http://pki.goog/repo/certs/gtsr1.der
unknown
binary
1.34 Kb
unknown
1308
php.exe
GET
200
172.67.153.74:80
http://albumphotography.top/version.txt?ran=1702284888
unknown
text
5 b
unknown
636
php.exe
GET
200
142.250.186.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown
2456
avast_64.exe
GET
200
172.67.153.74:80
http://albumphotography.top/AviraLib/Ionic.Zip.dll
unknown
executable
451 Kb
unknown
1476
php.exe
GET
200
172.67.153.74:80
http://albumphotography.top/cm10044.json
unknown
text
39.6 Kb
unknown
636
php.exe
GET
200
142.250.186.131:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA1uFYrLabZxEtE2U5X5DGM%3D
unknown
binary
471 b
unknown
1476
php.exe
GET
200
172.67.153.74:80
http://albumphotography.top/version4.txt?ran=1702284888
unknown
text
5 b
unknown
2556
powershell.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4475c344eafb8bb
unknown
compressed
65.2 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1956
svchost.exe
239.255.255.250:1900
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2520
php.exe
104.21.1.252:80
videox-hamster.top
CLOUDFLARENET
unknown
2120
php.exe
188.114.96.3:443
1bilionupdated.top
CLOUDFLARENET
NL
unknown
2556
powershell.exe
64.185.227.156:443
api.ipify.org
WEBNX
US
unknown
2556
powershell.exe
172.67.188.111:443
10minions.top
CLOUDFLARENET
US
unknown
2556
powershell.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
636
php.exe
172.67.134.197:443
1bilionupdates.top
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
videox-hamster.top
  • 104.21.1.252
  • 172.67.128.110
malicious
1bilionupdated.top
  • 188.114.96.3
  • 188.114.97.3
  • 188.114.96.9
  • 188.114.97.9
malicious
api.ipify.org
  • 64.185.227.156
  • 104.237.62.212
  • 173.231.16.77
shared
10minions.top
  • 172.67.188.111
  • 104.21.8.109
malicious
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
1bilionupdates.top
  • 172.67.134.197
  • 104.21.6.116
unknown
firebasestorage.googleapis.com
  • 142.250.186.74
  • 142.250.186.106
  • 142.250.181.234
  • 172.217.16.138
  • 142.250.184.202
  • 142.250.184.234
  • 142.250.186.138
  • 142.250.74.202
  • 142.250.186.42
  • 172.217.18.10
  • 172.217.16.202
  • 142.250.186.170
  • 216.58.206.42
  • 172.217.18.106
  • 172.217.23.106
  • 216.58.212.138
whitelisted
pki.goog
  • 216.239.32.29
whitelisted
ocsp.pki.goog
  • 142.250.186.131
whitelisted
albumphotography.top
  • 172.67.153.74
  • 104.21.80.190
malicious

Threats

PID
Process
Class
Message
324
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2520
php.exe
A Network Trojan was detected
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2520
php.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
2520
php.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
324
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2556
powershell.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2520
php.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2520
php.exe
Misc activity
ET HUNTING Possible EXE Download From Suspicious TLD
2520
php.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .dll file with no User-Agent
2520
php.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
powershell.exe
Native library pre-loader is trying to load native SQLite library "C:\Users\admin\AppData\Roaming\AviraLib\x86\SQLite.Interop.dll"...
worker.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\imageclass\User directory exists )
avast_64.exe
Native library pre-loader is trying to load native SQLite library "C:\Users\admin\AppData\Roaming\AviraLib\x86\SQLite.Interop.dll"...
chromium_32.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\imageclass2\User directory exists )
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Only_for_fans.zip