File name: WinNc.bin.zip

Full analysis: https://app.any.run/tasks/97097beb-620a-4a94-9c31-46d0898e273f
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: June 01, 2024, 23:21:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: hijackloader, loader, lumma, stealer, vidar
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5: 865E04AE970AD0B32E789DE9E67BF418
SHA1: 36B4E01A547FEE5D572B58A8C70CF90125392DBA
SHA256: 720DFD587B2ACF5A3AC40185ADBB49FBAB4F1F18004E57AF6D5A6980C0B8CCCE
SSDEEP: 48:KTVGNetCag25rnnRu1eHtD+BOwS1u07MxHK:wOO5bnRuQD+gE0oI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5520)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 3872)
      • WinNc.exe (PID: 2916)
      • cmd.exe (PID: 5776)
      • FOP_Authv3.au3 (PID: 6412)
    • HIJACKLOADER has been detected (YARA)

      • cmd.exe (PID: 5776)
      • FOP_Authv3.au3 (PID: 6412)
    • LUMMA has been detected (YARA)

      • cmd.exe (PID: 5776)
      • FOP_Authv3.au3 (PID: 6412)
    • Changes the autorun value in the registry

      • F94VZ40HFCQ5OECU20D4MT4.exe (PID: 2108)
    • VIDAR has been detected (YARA)

      • cmd.exe (PID: 5716)
      • calc.exe (PID: 6864)
      • notepad.exe (PID: 6872)
      • svchost.exe (PID: 6868)
    • Starts Visual C# compiler

      • PK0ARMU7G4EO44UDAR57PN3U2.exe (PID: 5984)
    • Actions looks like stealing of personal data

      • FOP_Authv3.au3 (PID: 6412)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • TextInputHost.exe (PID: 1684)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6968)
      • powershell.exe (PID: 5520)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5520)
      • powershell.exe (PID: 3872)
    • Process uses IPCONFIG to clear DNS cache

      • powershell.exe (PID: 5520)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 5520)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 5520)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 5520)
    • Application launched itself

      • powershell.exe (PID: 5520)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 5520)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3872)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 3872)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 3872)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3872)
      • WinNc.exe (PID: 2916)
      • cmd.exe (PID: 5776)
      • FOP_Authv3.au3 (PID: 6412)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 3872)
      • WinNc.exe (PID: 2916)
    • Starts CMD.EXE for commands execution

      • WinNc.exe (PID: 2588)
      • PK0ARMU7G4EO44UDAR57PN3U2.exe (PID: 5984)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 3872)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 3872)
    • The executable file from the user directory is run by the CMD process

      • FOP_Authv3.au3 (PID: 6412)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5776)
    • Starts itself from another location

      • WinNc.exe (PID: 2916)
    • Searches for installed software

      • FOP_Authv3.au3 (PID: 6412)
    • The process executes VB scripts

      • PK0ARMU7G4EO44UDAR57PN3U2.exe (PID: 5984)
    • Start notepad (likely ransomware note)

      • PK0ARMU7G4EO44UDAR57PN3U2.exe (PID: 5984)
    • The process executes via Task Scheduler

      • UCPDMgr.exe (PID: 5828)
  • INFO

    • Reads the computer name

      • TextInputHost.exe (PID: 1684)
      • WinNc.exe (PID: 2916)
      • WinNc.exe (PID: 2588)
      • FOP_Authv3.au3 (PID: 6412)
      • F94VZ40HFCQ5OECU20D4MT4.exe (PID: 2108)
    • Checks supported languages

      • TextInputHost.exe (PID: 1684)
      • WinNc.exe (PID: 2916)
      • WinNc.exe (PID: 2588)
      • FOP_Authv3.au3 (PID: 6412)
      • F94VZ40HFCQ5OECU20D4MT4.exe (PID: 2108)
      • MSBuild.exe (PID: 3568)
      • PK0ARMU7G4EO44UDAR57PN3U2.exe (PID: 5984)
    • Manual execution by a user

      • cmd.exe (PID: 6968)
    • Create files in a temporary directory

      • powershell.exe (PID: 5520)
      • WinNc.exe (PID: 2588)
      • FOP_Authv3.au3 (PID: 6412)
    • Reads the software policy settings

      • powershell.exe (PID: 5520)
      • FOP_Authv3.au3 (PID: 6412)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 5520)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 5520)
    • Creates files or folders in the user directory

      • powershell.exe (PID: 5520)
      • WinNc.exe (PID: 2916)
      • F94VZ40HFCQ5OECU20D4MT4.exe (PID: 2108)
    • Disables trace logs

      • powershell.exe (PID: 5520)
      • powershell.exe (PID: 3872)
    • Checks proxy server information

      • powershell.exe (PID: 5520)
      • powershell.exe (PID: 3872)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5520)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 3872)
    • The executable file from the user directory is run by the Powershell process

      • WinNc.exe (PID: 2916)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 3872)
    • Reads the machine GUID from the registry

      • FOP_Authv3.au3 (PID: 6412)
      • F94VZ40HFCQ5OECU20D4MT4.exe (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(5776) cmd.exe
C2 (9):
patternapplauderw.shop
deprivedrinkyfaiir.shop
considerrycurrentyws.shop
relaxtionflouwerwi.shop
understanndtytonyguw.shop
horsedwollfedrwos.shop
messtimetabledkolvk.shop
grazeinnocenttyyek.shop
detailbaconroollyws.shop
(PID) Process(6412) FOP_Authv3.au3
C2 (9): the same nine domains as listed for PID 5776 above

Vidar

(PID) Process(5716) cmd.exe
C2: https://t.me/ta904ek
URL: https://steamcommunity.com/profiles/76561199695752269
RC4: 2910114286690104117195131148
Strings (316):
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeoFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
NtQueryInformationProcess
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
GetEnvironmentVaribleA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snpshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVaribleA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformaionEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStrem
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\\ProgramData\\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternaKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\\ProgramData\\
Soft:
SELECT origin_url, username_value, password_value FROM logins
profile:
Host:
Login:
Password:
Opera
OperaGX
Network
Cookies
.txt
SELECT HOS_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
Autofill
SELECT name, vaue FROM auofill
History
SELECT url FROM urls LIMIT 1000
CC
SELECT name_on_card, expiration_month, expirtion_year, card_number_encrypted FROM credit_cards
Name:
Month:
Year:
Card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
formhistory.sqlite
SELECT host, isHttpOnly, path, isSecur, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
places.sqlite
Plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
Wallets
%08lX%04lX%lu
ProductName
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\\DESCRIPTION\\Sysem\\CentralProcessor\\0
ProcessorNameString
SOFTWARE\\Microsoft\\Windows\\CurrentVrsion\\Uninstall
DisplayName
DisplayVersion
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dl
\\Temp\\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
Files
\\discord\\
\\Local Storage\\leveldb\\CURRENT
\\Local Storage\\leveldb
\\Telegram Desktop\\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
\\Outlook\\accounts.txt
Software\\Microsoft\\Office\\13.\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
Software\\Microsoft\\Office\\14.\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
Software\\Microsoft\\Office\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
Pidgin
Software\\Microsoft\\Office\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\
\\.purple\\
Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\
00000001
00000002
00000003
00000004
accounts.xml
dQw4w9WgXcQ
token:
Software\\Valve\\Steam
SteamPath
\\config\\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\\Steam\\
sqlite3.dll
browsers
done
Soft
\\Discord\\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\\ProgrmData\\*.dll"" & xit
C:\\Windows\\system32\\cmd.exe
https
POST
Content-Type: multipart/form-data; boundary=----
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
(PID) Process(6864) calc.exe
(PID) Process(6872) notepad.exe
(PID) Process(6868) svchost.exe
The C2, URL, RC4 key and the 316 extracted strings for these three processes are identical to those listed for PID 5716 above.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2024:06:01 23:21:34
ZipCRC: 0x8b1bec57
ZipCompressedSize: 935
ZipUncompressedSize: 1470
ZipFileName: WinNc.bin
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 32
Malicious processes: 12
Suspicious processes: 1

Behavior graph

start winrar.exe no specs textinputhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe ipconfig.exe no specs powershell.exe conhost.exe no specs winnc.exe winnc.exe no specs #LUMMA cmd.exe conhost.exe no specs #LUMMA fop_authv3.au3 f94vz40hfcq5oecu20d4mt4.exe msbuild.exe no specs pk0armu7g4eo44udar57pn3u2.exe no specs conhost.exe no specs wmplayer.exe no specs #VIDAR cmd.exe no specs ngen.exe no specs regedit.exe no specs iexplore.exe no specs vbc.exe no specs #VIDAR calc.exe no specs wab.exe no specs #VIDAR notepad.exe no specs #VIDAR svchost.exe no specs csc.exe no specs aspnet_wp.exe no specs ilasm.exe no specs ucpdmgr.exe no specs conhost.exe no specs

Process information

Fields: PID, CMD, Path, Indicators, Parent process

PID: 1608
CMD: "C:\WINDOWS\system32\ipconfig.exe" /flushdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nsi.dll

PID: 1684
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Version: 123.26505.0.0
Modules (images):
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2084
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2108
CMD: "C:\Users\admin\AppData\Local\Temp\F94VZ40HFCQ5OECU20D4MT4.exe"
Path: C:\Users\admin\AppData\Local\Temp\F94VZ40HFCQ5OECU20D4MT4.exe
Parent process: FOP_Authv3.au3
User:
admin
Company:
SEIKO EPSON CORPORATION
Integrity Level:
MEDIUM
Description:
EPSON Status Monitor 3
Exit code:
0
Version:
8.00
Modules
Images
c:\users\admin\appdata\local\temp\f94vz40hfcq5oecu20d4mt4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 2128
CMD: "C:\Windows\regedit.exe"
Path: C:\Windows\regedit.exe
Parent process: PK0ARMU7G4EO44UDAR57PN3U2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 2588
CMD: C:\Users\admin\AppData\Roaming\Fj_update_v5\WinNc.exe
Path: C:\Users\admin\AppData\Roaming\Fj_update_v5\WinNc.exe
Parent process: WinNc.exe
User:
admin
Company:
Dunes MultiMedia
Integrity Level:
MEDIUM
Description:
WinNc
Exit code:
1
Version:
10.7.0.0
Modules
Images
c:\users\admin\appdata\roaming\fj_update_v5\winnc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 2620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2800
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2916
CMD: "C:\Users\admin\AppData\Local\Temp\Y2kdkL5JyPgcaA\WinNc.exe"
Path: C:\Users\admin\AppData\Local\Temp\Y2kdkL5JyPgcaA\WinNc.exe
Parent process: powershell.exe
User:
admin
Company:
Dunes MultiMedia
Integrity Level:
MEDIUM
Description:
WinNc
Exit code:
0
Version:
10.7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\y2kdkl5jypgcaa\winnc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 3172
CMD: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Parent process: PK0ARMU7G4EO44UDAR57PN3U2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player
Version:
12.0.19041.1 (WinBuild.160101.0800)
Total events
40 176
Read events
40 125
Write events
51
Delete events
0

Modification events

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\WinNc.bin.zip

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6176) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3301000032000000F30400001B020000
Executable files
13
Suspicious files
8
Text files
74
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5520
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uuibkgum.dax.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6176
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb6176.43390\WinNc.bin
Type: text
MD5: 322D6110A033D0AADFC40C14B8668FC7
SHA256: 22B607CBA20413CD4363DD69D04D7ECDA694CE3CF514F965A74C3605C7793248

PID: 5520
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Type: text
MD5: C724B9CE5CF28FD6C2B69A10150F4285
SHA256: 4AB22328F37446CC87EA47A2743BB277E51CD564544494AB3D5115388E661438

PID: 3872
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y2kdkL5JyPgcaA\7z.dll
Type: executable
MD5: 23A37370F275AA63255DFCC703951C37
SHA256: 15B10608AFFD4442D0E2DDB9B2FEA847CD15D5405928D78AB73D81DAE66DB9E4

PID: 3872
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cdtqzout.gvb.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3872
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nekyyh43.epl.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3872
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y2kdkL5JyPgcaA\brunch.deb
Type: binary
MD5: E81E7ADAC987DADBD653A16331E02895
SHA256: 110B0E28CB142108DE5FA7FF5952B74032626F1AAEEB207A2E61CF62BBC6FE46

PID: 5520
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5: 6F819CA6490ECDB446D7D2C901B32898
SHA256: 252FC8375720891EE4092B6DD5AC35866A12F7FA73A937DB2CCD99BCAB79E23D

PID: 3872
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y2kdkL5JyPgcaA\burn.ico
Type: image
MD5: 6081D810D4F371DB5DCDAF5A0E8BE787
SHA256: 11F189A24DD872D2D8407F5DFD0AE589377AD798DFFF30B1C5CC13DA914EC0E7

PID: 3872
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y2kdkL5JyPgcaA\chalcocite.accdb
Type: binary
MD5: AEA915BF91AA0B18111C81B81ACC6872
SHA256: DB8EC7C974DA75643D00A3F733298E0C0243F8AC72EEA691F4F944A0039659CE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
82
TCP/UDP connections
42
DNS requests
21
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
404
104.126.37.145:443
https://www.bing.com/PPRelatedSearch?query=Classic_%7BE6243488-3449-4D4D-98AA-FFC14E3FF0F8%7D&lang=en-US
unknown
GET
200
104.126.37.139:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=c&setlang=en-US&cc=DE&nohs=1&qfm=1&cp=1&cvid=4762dc15be7c4a9cbe4ec4a6d7372b99&ig=4c147a85b5d949e6ab6da87500138f12
unknown
4.95 Kb
GET
200
104.126.37.171:443
https://r.bing.com/rb/1a/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B68CP54ChwFZWbkC&or=w
unknown
5.88 Kb
GET
200
104.126.37.170:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=cmd&setlang=en-US&cc=DE&nohs=1&qfm=1&cp=3&cvid=4762dc15be7c4a9cbe4ec4a6d7372b99&ig=9f707b937bc84bb48d37d541f73e4cdb
unknown
6.74 Kb
GET
200
104.126.37.177:443
https://r.bing.com/rb/1a/cir3,ortl,cc,nc/uANxnX_BheDjd2-cdR8N9DEWlds.css?bu=C8QIhQP7A5wJhQjvB6QGWVlZWQ&or=w
unknown
19.9 Kb
GET
200
104.126.37.185:443
https://r.bing.com/rp/0nR7eWJmb5WaOaa0qBDpNhO-odM.br.js
unknown
62.0 Kb
GET
200
104.126.37.161:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=c&setlang=en-US&cc=DE&nohs=1&qfm=1&cp=1&cvid=4762dc15be7c4a9cbe4ec4a6d7372b99&ig=0f005bbb6d954472b43d78dfb907d6e6
unknown
binary
4.93 Kb
POST
204
104.126.37.171:443
https://www.bing.com/threshold/xls.aspx
unknown
GET
200
104.126.37.171:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=cd&setlang=en-US&cc=DE&nohs=1&qfm=1&cp=2&cvid=4762dc15be7c4a9cbe4ec4a6d7372b99&ig=a72e213c63c64aacb1d863581cd780da
unknown
binary
5.89 Kb
GET
200
104.126.37.170:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=cm&setlang=en-US&cc=DE&nohs=1&qfm=1&cp=2&cvid=4762dc15be7c4a9cbe4ec4a6d7372b99&ig=360851cc0802452fb8eb7a748c2375b8
unknown
binary
6.49 Kb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
4680
SearchApp.exe
104.126.37.139:443
www.bing.com
Akamai International B.V.
DE
unknown
4680
SearchApp.exe
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
unknown
4680
SearchApp.exe
204.79.197.222:443
fp.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4680
SearchApp.exe
13.107.6.254:443
b-ring.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4680
SearchApp.exe
52.123.128.254:443
dual-s-ring.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4680
SearchApp.exe
13.107.138.254:443
spo-ring.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
5520
powershell.exe
188.114.96.3:443
stats.drinkresources.rest
CLOUDFLARENET
NL
unknown
5520
powershell.exe
188.114.97.3:443
stats.drinkresources.rest
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.178
  • 104.126.37.137
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.185
  • 104.126.37.131
  • 104.126.37.145
  • 104.126.37.146
  • 104.126.37.139
unknown
r.bing.com
  • 104.126.37.139
  • 104.126.37.145
  • 104.126.37.146
  • 104.126.37.178
  • 104.126.37.185
  • 104.126.37.128
  • 104.126.37.137
  • 104.126.37.131
  • 104.126.37.123
unknown
fp.msedge.net
  • 204.79.197.222
unknown
b-ring.msedge.net
  • 13.107.6.254
unknown
dual-s-ring.msedge.net
  • 52.123.128.254
  • 52.123.129.254
unknown
spo-ring.msedge.net
  • 13.107.138.254
  • 13.107.136.254
unknown
stats.drinkresources.rest
  • 188.114.96.3
  • 188.114.97.3
unknown
drinkresources.rest
  • 188.114.97.3
  • 188.114.96.3
unknown
self.events.data.microsoft.com
  • 13.89.179.8
unknown
www.google.com
  • 172.217.18.100
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
No debug info