File name:

CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe

Full analysis: https://app.any.run/tasks/fe2aa088-35e0-43c0-a9de-7a6a901f97b5
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: January 31, 2024, 21:22:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
DownloadAssistant
opendir
loader
gcleaner
neoreklami
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

627445FD5BDB8CA234E47F007B5913E7

SHA1:

7D0AD38EBD8799B54EAEF7135D1E397792F2BA75

SHA256:

77B519B40FC7F6B63D7F3810EA8BF8D661FED8DF973A64D06748A45E44B9D50C

SSDEEP:

98304:q6Pfr2YayL0m4IHkMfFuyourYEQQQGP0M1NYLiXEyh6lyQoSioc6EE0sxJt/xhpW:D2Yfir+Ab5gX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
    • Drops the executable file immediately after the start

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 892)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 5756)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • vbdatetimelib.exe (PID: 6236)
      • CulfhYge6mI.exe (PID: 1380)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • CoBxAIiGFY.exe (PID: 6600)
      • dksverify.exe (PID: 1544)
      • CoBxAIiGFY.tmp (PID: 3236)
      • 4gdwn2UqDf.exe (PID: 6956)
      • setup.exe (PID: 6928)
      • WmtqAfv.exe (PID: 6228)
      • kCcYQXf.exe (PID: 6952)
    • DOWNLOADASSISTANT has been detected (SURICATA)

      • vbdatetimelib.exe (PID: 6236)
    • GCLEANER has been detected (YARA)

      • qgm4TezPaoefaXcA.exe (PID: 4152)
    • Starts CMD.EXE for self-deleting

      • qgm4TezPaoefaXcA.exe (PID: 4152)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6108)
      • powershell.exe (PID: 6396)
    • GCLEANER has been detected (SURICATA)

      • qgm4TezPaoefaXcA.exe (PID: 4152)
    • Neoreklami has been detected

      • WmtqAfv.exe (PID: 6228)
      • kCcYQXf.exe (PID: 6952)
    • Actions look like stealing of personal data

      • WmtqAfv.exe (PID: 6228)
      • kCcYQXf.exe (PID: 6952)
    • Creates a writable file in the system directory

      • powershell.exe (PID: 6092)
    • Uses Task Scheduler to autorun other applications

      • kCcYQXf.exe (PID: 6952)
    • Steals credentials from Web Browsers

      • kCcYQXf.exe (PID: 6952)
    • Modifies files in the Chrome extension folder

      • kCcYQXf.exe (PID: 6952)
    • Unusual connection from system programs

      • rundll32.exe (PID: 6612)
    • NEOREKLAMI has been detected (SURICATA)

      • rundll32.exe (PID: 6612)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 6224)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • 4gdwn2UqDf.exe (PID: 6956)
    • Process drops legitimate windows executable

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • CoBxAIiGFY.tmp (PID: 3236)
      • setup.exe (PID: 6928)
    • Executable content was dropped or overwritten

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 892)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 5756)
      • vbdatetimelib.exe (PID: 6236)
      • CulfhYge6mI.exe (PID: 1380)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • CoBxAIiGFY.exe (PID: 6600)
      • 4gdwn2UqDf.exe (PID: 6956)
      • CoBxAIiGFY.tmp (PID: 3236)
      • dksverify.exe (PID: 1544)
      • setup.exe (PID: 6928)
      • WmtqAfv.exe (PID: 6228)
      • kCcYQXf.exe (PID: 6952)
    • Reads the Windows owner or organization settings

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • CoBxAIiGFY.tmp (PID: 3236)
    • Executes application which crashes

      • vbdatetimelib.exe (PID: 6236)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • Snetchball.exe (PID: 6608)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6868)
      • cmd.exe (PID: 5512)
      • cmd.exe (PID: 2084)
      • cmd.exe (PID: 1244)
      • WmtqAfv.exe (PID: 6228)
    • Starts CMD.EXE for commands execution

      • vbdatetimelib.exe (PID: 6236)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • forfiles.exe (PID: 2580)
      • forfiles.exe (PID: 6976)
      • powershell.exe (PID: 6092)
      • powershell.exe (PID: 3804)
      • kCcYQXf.exe (PID: 6952)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 4288)
      • powershell.exe (PID: 6092)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6948)
    • Process requests binary or script from the Internet

      • vbdatetimelib.exe (PID: 6236)
    • Connects to the server without a host name

      • vbdatetimelib.exe (PID: 6236)
    • Found strings related to reading or modifying Windows Defender settings

      • forfiles.exe (PID: 2580)
      • forfiles.exe (PID: 6976)
      • powershell.exe (PID: 6092)
      • powershell.exe (PID: 3804)
      • kCcYQXf.exe (PID: 6952)
    • Reads the BIOS version

      • 4gdwn2UqDf.exe (PID: 6956)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 6780)
      • cmd.exe (PID: 1176)
      • cmd.exe (PID: 5212)
      • powershell.exe (PID: 6092)
      • powershell.exe (PID: 3804)
      • cmd.exe (PID: 5672)
      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 6388)
      • cmd.exe (PID: 6672)
    • The process executes via Task Scheduler

      • powershell.exe (PID: 6108)
      • powershell.exe (PID: 6396)
      • WmtqAfv.exe (PID: 6228)
      • kCcYQXf.exe (PID: 6952)
      • rundll32.exe (PID: 6472)
    • Application launched itself

      • Snetchball.exe (PID: 6608)
    • Checks Windows Trust Settings

      • kCcYQXf.exe (PID: 6952)
    • Connects to unusual port

      • Snetchball.exe (PID: 3284)
  • INFO

    • Create files in a temporary directory

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 892)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 5756)
      • CulfhYge6mI.exe (PID: 1380)
      • vbdatetimelib.exe (PID: 6236)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • CoBxAIiGFY.exe (PID: 6600)
      • CoBxAIiGFY.tmp (PID: 3236)
      • 4gdwn2UqDf.exe (PID: 6956)
      • setup.exe (PID: 6928)
      • Snetchball.exe (PID: 6608)
    • Reads the computer name

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 6224)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • vbdatetimelib.exe (PID: 6236)
      • CulfhYge6mI.exe (PID: 1380)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • 4gdwn2UqDf.exe (PID: 6956)
      • CoBxAIiGFY.tmp (PID: 3236)
      • dksverify.exe (PID: 1544)
      • setup.exe (PID: 6928)
      • Snetchball.exe (PID: 6608)
      • kCcYQXf.exe (PID: 6952)
      • Snetchball.exe (PID: 2940)
      • Snetchball.exe (PID: 4672)
      • Snetchball.exe (PID: 3284)
      • Snetchball.exe (PID: 7160)
      • Snetchball.exe (PID: 5212)
      • dksverify.exe (PID: 5400)
    • Checks supported languages

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 5756)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe (PID: 892)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 6224)
      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • vbdatetimelib.exe (PID: 6236)
      • CulfhYge6mI.exe (PID: 1380)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • 4gdwn2UqDf.exe (PID: 6956)
      • CoBxAIiGFY.exe (PID: 6600)
      • CoBxAIiGFY.tmp (PID: 3236)
      • dksverify.exe (PID: 1544)
      • dksverify.exe (PID: 5400)
      • WmtqAfv.exe (PID: 6228)
      • setup.exe (PID: 6928)
      • Snetchball.exe (PID: 6608)
      • kCcYQXf.exe (PID: 6952)
      • Snetchball.exe (PID: 2940)
      • Snetchball.exe (PID: 7160)
      • Snetchball.exe (PID: 4672)
      • Snetchball.exe (PID: 3284)
      • Snetchball.exe (PID: 5212)
    • Creates files or folders in the user directory

      • CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp (PID: 2612)
      • WerFault.exe (PID: 7016)
      • WerFault.exe (PID: 6972)
      • WerFault.exe (PID: 1016)
      • WerFault.exe (PID: 3740)
      • WerFault.exe (PID: 6188)
      • WerFault.exe (PID: 240)
      • WerFault.exe (PID: 5440)
      • WerFault.exe (PID: 2480)
      • WerFault.exe (PID: 3800)
      • WerFault.exe (PID: 5472)
      • WerFault.exe (PID: 7120)
      • WerFault.exe (PID: 6904)
      • WerFault.exe (PID: 2636)
      • WerFault.exe (PID: 5452)
      • WerFault.exe (PID: 1120)
      • WerFault.exe (PID: 1464)
      • WerFault.exe (PID: 1560)
      • WerFault.exe (PID: 6240)
      • WerFault.exe (PID: 6452)
      • WerFault.exe (PID: 1048)
      • WerFault.exe (PID: 6156)
      • WerFault.exe (PID: 1244)
      • WerFault.exe (PID: 3876)
      • WerFault.exe (PID: 2972)
      • WerFault.exe (PID: 1908)
      • WerFault.exe (PID: 5276)
      • WerFault.exe (PID: 5256)
      • WerFault.exe (PID: 6288)
      • WerFault.exe (PID: 2544)
      • WerFault.exe (PID: 6696)
      • WerFault.exe (PID: 3656)
      • WerFault.exe (PID: 1276)
      • WerFault.exe (PID: 3080)
      • WerFault.exe (PID: 3344)
      • CulfhYge6mI.exe (PID: 1380)
      • WerFault.exe (PID: 2200)
      • WerFault.exe (PID: 5204)
      • WerFault.exe (PID: 6240)
      • WerFault.exe (PID: 2876)
      • WerFault.exe (PID: 5572)
      • WerFault.exe (PID: 2628)
      • WerFault.exe (PID: 3912)
      • WerFault.exe (PID: 6252)
      • WerFault.exe (PID: 6172)
      • WerFault.exe (PID: 4632)
      • WerFault.exe (PID: 6448)
      • WerFault.exe (PID: 3264)
      • WerFault.exe (PID: 3756)
      • WerFault.exe (PID: 984)
      • WerFault.exe (PID: 1416)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • WerFault.exe (PID: 4288)
      • WerFault.exe (PID: 5548)
      • WerFault.exe (PID: 1004)
      • WerFault.exe (PID: 5388)
      • WerFault.exe (PID: 3868)
      • CoBxAIiGFY.tmp (PID: 3236)
      • WerFault.exe (PID: 6436)
      • WerFault.exe (PID: 6504)
      • WerFault.exe (PID: 5780)
      • WerFault.exe (PID: 6304)
      • WerFault.exe (PID: 5344)
      • setup.exe (PID: 6928)
      • Snetchball.exe (PID: 6608)
      • kCcYQXf.exe (PID: 6952)
      • WerFault.exe (PID: 5256)
      • WerFault.exe (PID: 4240)
      • WerFault.exe (PID: 6168)
      • WerFault.exe (PID: 5396)
      • WerFault.exe (PID: 6656)
    • Checks proxy server information

      • vbdatetimelib.exe (PID: 6236)
      • CulfhYge6mI.exe (PID: 1380)
      • qgm4TezPaoefaXcA.exe (PID: 4152)
      • WerFault.exe (PID: 5548)
      • Snetchball.exe (PID: 6608)
      • WerFault.exe (PID: 4240)
    • Reads the machine GUID from the registry

      • vbdatetimelib.exe (PID: 6236)
      • Snetchball.exe (PID: 6608)
      • Snetchball.exe (PID: 2940)
      • Snetchball.exe (PID: 3284)
      • kCcYQXf.exe (PID: 6952)
      • Snetchball.exe (PID: 4672)
      • Snetchball.exe (PID: 7160)
      • Snetchball.exe (PID: 5212)
    • Reads Environment values

      • CulfhYge6mI.exe (PID: 1380)
      • Snetchball.exe (PID: 6608)
    • Reads the software policy settings

      • WerFault.exe (PID: 5548)
      • vbdatetimelib.exe (PID: 6236)
      • kCcYQXf.exe (PID: 6952)
      • WerFault.exe (PID: 4240)
    • Process checks computer location settings

      • 4gdwn2UqDf.exe (PID: 6956)
      • Snetchball.exe (PID: 6608)
      • Snetchball.exe (PID: 4672)
      • Snetchball.exe (PID: 5212)
      • kCcYQXf.exe (PID: 6952)
      • Snetchball.exe (PID: 7160)
    • Creates files in the program directory

      • dksverify.exe (PID: 1544)
      • dksverify.exe (PID: 5400)
      • kCcYQXf.exe (PID: 6952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

GCleaner

(PID) Process: (4152) qgm4TezPaoefaXcA.exe
C2 (2):
  • 185.172.128.90
  • 5.42.65.85
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:01 01:20:44+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: VB DateTime Library Setup
FileVersion:
LegalCopyright:
ProductName: VB DateTime Library
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 449
Monitored processes: 233
Malicious processes: 17
Suspicious processes: 3

Behavior graph

[Interactive process graph; only the node labels survive extraction. Processes in the order the graph lists them: start, crack-ida-pro-v-and-_jehgutjmen.exe, crack-ida-pro-v-and-_jehgutjmen.tmp, regsvr32.exe, #DOWNLOADASSISTANT vbdatetimelib.exe, numerous werfault.exe crash handlers, rundll32.exe, filecoauth.exe, cmd.exe, conhost.exe, powershell.exe, culfhyge6mi.exe, #GCLEANER qgm4tezpaoefaxca.exe, taskkill.exe, 4gdwn2uqdf.exe, forfiles.exe, reg.exe, schtasks.exe, gpupdate.exe, cobxaiigfy.exe, cobxaiigfy.tmp, dksverify.exe, #NEOREKLAMI wmtqafv.exe, a long run of reg.exe and schtasks.exe invocations, setup.exe, snetchball.exe, #NEOREKLAMI kccyqxf.exe, and #NEOREKLAMI rundll32.exe. Nodes marked "no specs" carry no additional detail in the graph. The graph itself is available in the full report.]

Process information

PID:
240
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6236 -s 1056
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
vbdatetimelib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1081 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
360
CMD:
"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
360
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
540
CMD:
schtasks /DELETE /F /TN "gjAnwQJLf"
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
4gdwn2UqDf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
852
CMD:
"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
892
CMD:
"C:\Users\admin\Desktop\CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe"
Path:
C:\Users\admin\Desktop\CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
VB DateTime Library Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\crack-ida-pro-v-and-_jehgutjmen.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
984
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4152 -s 924
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
qgm4TezPaoefaXcA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1081 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
984
CMD:
schtasks /CREATE /TN "bPPcZpNMztXmfePkur" /SC once /ST 21:28:00 /RU "SYSTEM" /TR "\"C:\Users\admin\AppData\Local\Temp\xYPcSiaUoEfDkthMH\ANhhloVNxKIOlNN\WmtqAfv.exe\" rR /WZsite_idJal 757674 /S" /V1 /F
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
4gdwn2UqDf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1004
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6236 -s 2068
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
vbdatetimelib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1081 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1016
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6236 -s 988
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
vbdatetimelib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1081 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 99 271
Read events: 98 771
Write events: 300
Delete events: 200

Modification events

(PID) Process: (6972) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation: delete key
Name: (default)
Value:

(PID) Process: (6972) WerFault.exe
Key: \REGISTRY\A\{5b1d3a4b-93c5-ab69-b48e-fbcb995f4a36}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (6972) WerFault.exe
Key: \REGISTRY\A\{5b1d3a4b-93c5-ab69-b48e-fbcb995f4a36}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (3740) WerFault.exe
Key: \REGISTRY\A\{b186e80d-31b2-58d2-ae7a-8278c6f4e470}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (3740) WerFault.exe
Key: \REGISTRY\A\{b186e80d-31b2-58d2-ae7a-8278c6f4e470}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (1016) WerFault.exe
Key: \REGISTRY\A\{7502c29b-b1f2-f7c6-b280-36aa792cd894}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (1016) WerFault.exe
Key: \REGISTRY\A\{7502c29b-b1f2-f7c6-b280-36aa792cd894}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (240) WerFault.exe
Key: \REGISTRY\A\{edca080f-97ff-e08f-dc60-c60598114bcc}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (240) WerFault.exe
Key: \REGISTRY\A\{edca080f-97ff-e08f-dc60-c60598114bcc}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (5440) WerFault.exe
Key: \REGISTRY\A\{2f090b79-06b6-1337-6d1f-17181712b282}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1
Executable files: 82
Suspicious files: 256
Text files: 657
Unknown types: 2

Dropped files

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-T5P59.tmp\_isetup\_shfoldr.dll
Type: executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\VB DateTime Library\image\is-DKSTK.tmp
Type: image
MD5: 9C205EAAC846EDC120A15A338D095BB9
SHA256: 7A9FFA5FA6AB6B043830211571FF3A38F0820F232332F68B21AD573D6CD61876

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\VB DateTime Library\is-OCQV9.tmp
Type: executable
MD5: 90F98B538B5C5DE8A740139548EBF286
SHA256: C8A5822CF036F366F9B486CE6D45DFD201B3A0A1EF8E901D1D7E61059EAB0033

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\VB DateTime Library\image\btn_min.png
Type: image
MD5: 9C205EAAC846EDC120A15A338D095BB9
SHA256: 7A9FFA5FA6AB6B043830211571FF3A38F0820F232332F68B21AD573D6CD61876

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\VB DateTime Library\unins000.exe
Type: executable
MD5: 90F98B538B5C5DE8A740139548EBF286
SHA256: C8A5822CF036F366F9B486CE6D45DFD201B3A0A1EF8E901D1D7E61059EAB0033

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-T5P59.tmp\_isetup\_iscrypt.dll
Type: executable
MD5: A69559718AB506675E907FE49DEB71E9
SHA256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\VB DateTime Library\image\is-IPB2K.tmp
Type: image
MD5: F21D9F4E5FD3DE18CF43A848AFEA354C
SHA256: DE2E6326DFC91D3D63C2AF1FFA47333A0C66C378EA2A3F05FA9151BB8F84E0B2

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-T5P59.tmp\_isetup\_setup64.tmp
Type: executable
MD5: C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA256: E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40

PID: 892 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-M9GBF.tmp\CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Type: executable
MD5: FAD0A2DE5BA1691C529BCF4C3E679223
SHA256: E2CF32C666191396F09815775C5D59F069AC4CC652A05C1011D099090AA15AF7

PID: 2612 | Process: CRACK-IDA-Pro-V-And-_JehGUtJMeN.tmp
Filename: C:\Users\admin\AppData\Local\VB DateTime Library\image\btn_size.png
Type: image
MD5: 4AAE66ADE92F470AB559495FA9D3D749
SHA256: 50D14E63802AA4EAA95C4F420BD698FBCDB7C8E58D8B9EA077DED375AC714F41
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 60
TCP/UDP connections: 64
DNS requests: 60
Threats: 71

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6236 | vbdatetimelib.exe | POST | 188.114.96.3:80 | http://trenininmiba.gq/new/net_api | unknown | unknown
5612 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown
6236 | vbdatetimelib.exe | HEAD | 5.149.248.111:80 | http://totrakto.com/CRACK-IDA-Pro-V6-8-150423-And-HEX-Rays-Decompiler-ARM-X86-X64-iDAPROl.zip | unknown | unknown
6236 | vbdatetimelib.exe | POST | 188.114.96.3:80 | http://trenininmiba.gq/new/net_api | unknown | unknown
6492 | msedge.exe | GET | 302 | 23.218.209.163:443 | https://go.microsoft.com/fwlink/?linkid=2133855&bucket=15 | unknown
6236 | vbdatetimelib.exe | GET | 404 | 5.149.248.111:80 | http://totrakto.com/CRACK-IDA-Pro-V6-8-150423-And-HEX-Rays-Decompiler-ARM-X86-X64-iDAPROl.zip | unknown | html | 196 b | unknown
6236 | vbdatetimelib.exe | POST | 188.114.96.3:80 | http://trenininmiba.gq/new/net_api | unknown | unknown
6236 | vbdatetimelib.exe | GET | 200 | 95.163.241.63:80 | http://95.163.241.63/setup.exe | unknown | executable | 6.83 Mb | unknown
6236 | vbdatetimelib.exe | POST | 188.114.96.3:80 | http://trenininmiba.gq/new/net_api | unknown | unknown
6236 | vbdatetimelib.exe | POST | 188.114.96.3:80 | http://trenininmiba.gq/new/net_api | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5612 | MoUsoCoreWorker.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5612 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4188 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3720 | svchost.exe | 239.255.255.250:1900 | unknown
6236 | vbdatetimelib.exe | 188.114.96.3:80 | trenininmiba.gq | CLOUDFLARENET | NL | unknown
6492 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
6492 | msedge.exe | 88.221.169.205:443 | go.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:137 | whitelisted
6236 | vbdatetimelib.exe | 5.149.248.111:80 | totrakto.com | HZ Hosting Ltd | NL | unknown
2644 | OfficeClickToRun.exe | 20.42.65.89:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 23.218.209.163
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
trenininmiba.gq
  • 188.114.96.3
  • 188.114.97.3
unknown
go.microsoft.com
  • 88.221.169.205
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
totrakto.com
  • 5.149.248.111
unknown
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted
edgeassetservice.azureedge.net
  • 13.107.246.62
  • 13.107.213.62
whitelisted
bobisawinner.xyz
  • 185.117.88.231
unknown
umwatson.events.data.microsoft.com
  • 20.42.65.92
  • 52.182.143.212
whitelisted

Threats

PID | Process | Class | Message
2136 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain
6236 | vbdatetimelib.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.gq domain
6236 | vbdatetimelib.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.gq domain
6236 | vbdatetimelib.exe | Misc activity | ADWARE [ANY.RUN] DownloadAssistant
6236 | vbdatetimelib.exe | Misc activity | ADWARE [ANY.RUN] DownloadAssistant
6236 | vbdatetimelib.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.gq domain
6236 | vbdatetimelib.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.gq domain
6236 | vbdatetimelib.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.gq domain
6236 | vbdatetimelib.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.gq domain
6236 | vbdatetimelib.exe | Misc activity | ADWARE [ANY.RUN] DownloadAssistant
1 ETPRO signatures available at the full report
No debug info