File name: VIRUS.zip

Full analysis: https://app.any.run/tasks/f09e47cc-a866-4a5b-b7e2-a4307212adef
Verdict: Malicious activity
Threats:

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Analysis date: May 25, 2024, 22:59:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: sinkhole, darkgate, spyware, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 9BB8F303F8D5C08455DFD03017DAAC47
SHA1: 45ADA203283D0F5DF29AE339C02682D452EFCE7D
SHA256: 9EFA46EC8D9090E49066A184BB55BD03BDE76AE67455F7E213EA37AFAD5E215A
SSDEEP: 98304:DBrRdvzw+aohYmtxW8Guj9bnNOvoEHhEfdyenG8OQCnNjkFaoBUGQlt5cn0fGF4N:kgOcShl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3968)
      • VIRUS.exe (PID: 1664)
      • armsvc.exe (PID: 1616)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdateSetup.exe (PID: 916)
      • GoogleUpdate.exe (PID: 312)
    • Creates a writable file in the system directory

      • armsvc.exe (PID: 1616)
      • msdtc.exe (PID: 2892)
    • Connects to the CnC server

      • VIRUS.exe (PID: 1664)
    • Actions look like stealing of personal data

      • VIRUS.exe (PID: 1664)
      • armsvc.exe (PID: 1616)
      • aspnet_state.exe (PID: 1948)
      • alg.exe (PID: 2008)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3968)
      • VIRUS.exe (PID: 1664)
      • armsvc.exe (PID: 1616)
    • Starts a Microsoft application from unusual location

      • VIRUS.exe (PID: 1664)
    • Executes as Windows Service

      • armsvc.exe (PID: 1616)
      • alg.exe (PID: 2008)
      • aspnet_state.exe (PID: 1948)
      • MicrosoftEdgeUpdate.exe (PID: 824)
      • ehrecvr.exe (PID: 2080)
      • ehsched.exe (PID: 2512)
      • FXSSVC.exe (PID: 2472)
      • GoogleUpdate.exe (PID: 2688)
      • IEEtwCollector.exe (PID: 1240)
      • maintenanceservice.exe (PID: 2740)
      • msdtc.exe (PID: 2892)
      • OSE.EXE (PID: 2968)
      • Locator.exe (PID: 2904)
      • snmptrap.exe (PID: 3028)
      • vds.exe (PID: 3136)
      • VSSVC.exe (PID: 3060)
      • wbengine.exe (PID: 3444)
      • WmiApSrv.exe (PID: 3412)
      • wmpnetwk.exe (PID: 3536)
      • dllhost.exe (PID: 2272)
      • GoogleUpdate.exe (PID: 2448)
    • Executable content was dropped or overwritten

      • VIRUS.exe (PID: 1664)
      • armsvc.exe (PID: 1616)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdateSetup.exe (PID: 916)
      • GoogleUpdate.exe (PID: 312)
    • Contacting a server suspected of hosting a CnC

      • VIRUS.exe (PID: 1664)
    • Application launched itself

      • GoogleUpdate.exe (PID: 2688)
      • GoogleUpdate.exe (PID: 2380)
      • GoogleUpdate.exe (PID: 2448)
    • Reads the Internet Settings

      • GoogleUpdate.exe (PID: 2668)
    • Reads settings of System Certificates

      • GoogleUpdate.exe (PID: 2668)
    • Creates/Modifies COM task schedule object

      • GoogleUpdate.exe (PID: 3816)
    • Disables SEHOP

      • GoogleUpdate.exe (PID: 312)
  • INFO

    • Checks supported languages

      • VIRUS.exe (PID: 1664)
      • armsvc.exe (PID: 1616)
      • aspnet_state.exe (PID: 1948)
      • Setup.exe (PID: 1816)
      • MicrosoftEdgeUpdate.exe (PID: 824)
      • ehrecvr.exe (PID: 2080)
      • ehsched.exe (PID: 2512)
      • elevation_service.exe (PID: 1568)
      • ehrec.exe (PID: 2360)
      • GoogleUpdate.exe (PID: 2688)
      • ehtray.exe (PID: 2624)
      • GoogleUpdate.exe (PID: 2380)
      • elevation_service.exe (PID: 948)
      • maintenanceservice.exe (PID: 2740)
      • OSE.EXE (PID: 2968)
      • GoogleUpdate.exe (PID: 2420)
      • wmpnetwk.exe (PID: 3536)
      • msiexec.exe (PID: 2836)
      • GoogleUpdate.exe (PID: 4052)
      • wmpnscfg.exe (PID: 3508)
      • GoogleCrashHandler.exe (PID: 4032)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdateSetup.exe (PID: 916)
      • GoogleUpdate.exe (PID: 2668)
      • GoogleUpdate.exe (PID: 312)
      • GoogleUpdate.exe (PID: 1840)
      • GoogleUpdate.exe (PID: 3816)
      • GoogleUpdate.exe (PID: 3476)
    • Reads the computer name

      • VIRUS.exe (PID: 1664)
      • armsvc.exe (PID: 1616)
      • MicrosoftEdgeUpdate.exe (PID: 824)
      • ehrecvr.exe (PID: 2080)
      • aspnet_state.exe (PID: 1948)
      • Setup.exe (PID: 1816)
      • elevation_service.exe (PID: 1568)
      • ehrec.exe (PID: 2360)
      • GoogleUpdate.exe (PID: 2688)
      • ehsched.exe (PID: 2512)
      • ehtray.exe (PID: 2624)
      • GoogleUpdate.exe (PID: 2380)
      • elevation_service.exe (PID: 948)
      • maintenanceservice.exe (PID: 2740)
      • msiexec.exe (PID: 2836)
      • GoogleUpdate.exe (PID: 2420)
      • OSE.EXE (PID: 2968)
      • wmpnscfg.exe (PID: 3508)
      • wmpnetwk.exe (PID: 3536)
      • GoogleUpdate.exe (PID: 4052)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdate.exe (PID: 2668)
      • GoogleUpdate.exe (PID: 312)
      • GoogleUpdate.exe (PID: 3816)
      • GoogleUpdate.exe (PID: 3476)
      • GoogleUpdate.exe (PID: 1840)
    • Reads Environment values

      • VIRUS.exe (PID: 1664)
    • Creates files or folders in the user directory

      • VIRUS.exe (PID: 1664)
      • GoogleUpdate.exe (PID: 2420)
    • Manual execution by a user

      • VIRUS.exe (PID: 1664)
      • ehtray.exe (PID: 2624)
      • wmpnscfg.exe (PID: 3508)
    • Reads the machine GUID from the registry

      • VIRUS.exe (PID: 1664)
      • aspnet_state.exe (PID: 1948)
      • ehrecvr.exe (PID: 2080)
      • elevation_service.exe (PID: 1568)
      • ehsched.exe (PID: 2512)
      • ehtray.exe (PID: 2624)
      • ehrec.exe (PID: 2360)
      • GoogleUpdate.exe (PID: 2688)
      • msiexec.exe (PID: 2836)
      • wmpnscfg.exe (PID: 3508)
      • wmpnetwk.exe (PID: 3536)
      • GoogleUpdate.exe (PID: 2420)
      • GoogleUpdate.exe (PID: 4052)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdate.exe (PID: 2668)
      • GoogleUpdate.exe (PID: 3476)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3968)
    • Reads CPU info

      • Setup.exe (PID: 1816)
    • Creates files in a temporary directory

      • Setup.exe (PID: 1816)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 2472)
      • ehrecvr.exe (PID: 2080)
      • maintenanceservice.exe (PID: 2740)
      • ehrec.exe (PID: 2360)
      • GoogleUpdate.exe (PID: 2420)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdateSetup.exe (PID: 916)
      • GoogleUpdate.exe (PID: 3816)
      • GoogleUpdate.exe (PID: 312)
      • GoogleUpdate.exe (PID: 1840)
      • GoogleUpdate.exe (PID: 3476)
    • Executes as Windows Service

      • elevation_service.exe (PID: 1568)
      • elevation_service.exe (PID: 948)
    • Reads Microsoft Office registry keys

      • OSE.EXE (PID: 2968)
    • Checks transactions between Windows and Oracle databases

      • msdtc.exe (PID: 2892)
      • dllhost.exe (PID: 2272)
    • Reads the software policy settings

      • GoogleUpdate.exe (PID: 2420)
      • GoogleUpdate.exe (PID: 2448)
      • GoogleUpdate.exe (PID: 2668)
      • GoogleUpdate.exe (PID: 3476)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:05:25 17:56:32
ZipCRC: 0x2b89da9b
ZipCompressedSize: 6263311
ZipUncompressedSize: 6302720
ZipFileName: VIRUS.exe
All screenshots are available in the full report
Total processes: 83
Monitored processes: 40
Malicious processes: 9
Suspicious processes: 1


Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 312
CMD: "C:\Program Files\Google\Temp\GUMEA1F.tmp\GoogleUpdate.exe" /update /sessionid "{96F63FE7-6F64-453F-84BF-77E04333C181}"
Path: C:\Program Files\Google\Temp\GUMEA1F.tmp\GoogleUpdate.exe
Parent process: GoogleUpdateSetup.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Installer
Exit code: 0
Version: 1.3.36.371
Modules (images):
c:\program files\google\temp\gumea1f.tmp\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 824
CMD: "C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
Path: C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Edge Update
Exit code: 2147748608
Version: 1.3.175.29
Modules (images):
c:\program files\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 916
CMD: "C:\Program Files\Google\Update\Install\{F4E41892-891B-4150-9B24-AC13DCD88433}\GoogleUpdateSetup.exe" /update /sessionid "{96F63FE7-6F64-453F-84BF-77E04333C181}"
Path: C:\Program Files\Google\Update\Install\{F4E41892-891B-4150-9B24-AC13DCD88433}\GoogleUpdateSetup.exe
Parent process: GoogleUpdate.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Update Setup
Exit code: 0
Version: 1.3.36.372
Modules (images):
c:\program files\google\update\install\{f4e41892-891b-4150-9b24-ac13dcd88433}\googleupdatesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 948
CMD: "C:\Program Files\Microsoft\Edge\Application\109.0.1518.115\elevation_service.exe"
Path: C:\Program Files\Microsoft\Edge\Application\109.0.1518.115\elevation_service.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Edge
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\109.0.1518.115\elevation_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1240
CMD: C:\Windows\system32\IEEtwCollector.exe /V
Path: C:\Windows\System32\IEEtwCollector.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: IE ETW Collector Service
Exit code: 0
Version: 11.00.9600.19597 (winblue_ltsb_escrow.191216-1311)
Modules (images):
c:\windows\system32\ieetwcollector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1568
CMD: "C:\Program Files\Google\Chrome\Application\109.0.5414.120\elevation_service.exe"
Path: C:\Program Files\Google\Chrome\Application\109.0.5414.120\elevation_service.exe
Parent process: services.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Chrome
Version: 109.0.5414.120
Modules (images):
c:\program files\google\chrome\application\109.0.5414.120\elevation_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 1616
CMD: "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe"
Path: C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe Inc.
Integrity Level: SYSTEM
Description: Adobe Acrobat Update Service
Version: 1.824.39.9311
Modules (images):
c:\program files\common files\adobe\arm\1.0\armsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1664
CMD: "C:\Users\admin\Desktop\VIRUS.exe"
Path: C:\Users\admin\Desktop\VIRUS.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2010 x64 Redistributable Setup
Exit code: 5100
Version: 10.0.30319.01
Modules (images):
c:\users\admin\desktop\virus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1816
CMD: c:\7d33a60901582d7154cfa6e9f391\Setup.exe
Path: C:\7d33a60901582d7154cfa6e9f391\Setup.exe
Parent process: VIRUS.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Setup Installer
Exit code: 5100
Version: 10.0.30319.1 built by: RTMRel
Modules (images):
c:\7d33a60901582d7154cfa6e9f391\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\7d33a60901582d7154cfa6e9f391\setupengine.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1840
CMD: "C:\Program Files\Google\Update\GoogleUpdate.exe" /regsvc
Path: C:\Program Files\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Installer
Exit code: 0
Version: 1.3.33.23
Modules (images):
c:\program files\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events: 23 698
Read events: 22 526
Write events: 1 000
Delete events: 172

Modification events

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3968) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\VIRUS.zip

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3968) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 330
Suspicious files: 10
Text files: 51
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1664 | VIRUS.exe | C:\Users\admin\AppData\Roaming\c4ba3647fd0d6918.bin | binary
MD5: 660CF16F87846552DAC5F3D59CEDA5A2
SHA256: 2BFCCACDCC277BD7BB77DE1310370C4A807EED93E54867775740ECFB367162B0

3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.32342\VIRUS.exe | executable
MD5: 214A4C47845F4050A5EAE537E622EF80
SHA256: 5137025EEB3FA3347EA7704DD2ADFB061319346B9F19C4D4CD7B1F7B9A5F0601

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\Strings.xml | xml
MD5: 332ADF643747297B9BFA9527EAEFE084
SHA256: E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\sqmapi.dll | executable
MD5: 3F0363B40376047EFF6A9B97D633B750
SHA256: BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\SetupEngine.dll | executable
MD5: 84C1DAF5F30FF99895ECAB3A55354BCF
SHA256: 7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\DisplayIcon.ico | image
MD5: F9657D290048E169FFABBBB9C7412BE0
SHA256: B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\Setup.exe | executable
MD5: 006F8A615020A4A17F5E63801485DF46
SHA256: D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\watermark.bmp | image
MD5: 1A5CAAFACFC8C7766E404D019249CF67
SHA256: 2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\1033\LocalizedData.xml | xml
MD5: 5486FF60B072102EE3231FD743B290A1
SHA256: 5CA3ECAA12CA56F955D403CA93C4CB36A7D3DCDEA779FC9BDAA0CDD429DAB706

1664 | VIRUS.exe | C:\7d33a60901582d7154cfa6e9f391\SetupUi.dll | executable
MD5: EB881E3DDDC84B20BD92ABCEC444455F
SHA256: 11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
HTTP(S) requests: 24
TCP/UDP connections: 36
DNS requests: 18
Threats: 29

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(columns left empty in the report are omitted from the rows below; "-" marks a missing HTTP code)

1664 | VIRUS.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/uop | unknown | unknown
1616 | armsvc.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/ilxyuojqmuxm | unknown | unknown
1664 | VIRUS.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/gsnjaxyb | unknown | unknown
1616 | armsvc.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/jiylfagauddq | unknown | unknown
1664 | VIRUS.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/rrwfxex | unknown | unknown
1616 | armsvc.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/jhgkmnwych | unknown | unknown
1664 | VIRUS.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/cwtjywvypbmvl | unknown | unknown
1616 | armsvc.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/aokdglt | unknown | unknown
1664 | VIRUS.exe | POST | - | 54.157.24.8:80 | http://przvgke.biz/schnawxmj | unknown | unknown
1616 | armsvc.exe | POST | - | 54.157.24.8:80 | http://przvgke.biz/fa | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(columns left empty in the report are omitted from the rows below; "-" marks a missing PID or process)

4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
- | - | 224.0.0.252:5355 | unknown
1088 | svchost.exe | 224.0.0.252:5355 | unknown
1664 | VIRUS.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | unknown
1616 | armsvc.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | unknown
1664 | VIRUS.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown
1616 | armsvc.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown
1012 | svchost.exe | 239.255.255.250:1900 | unknown
1664 | VIRUS.exe | 44.221.84.105:80 | npukfztj.biz | AMAZON-AES | US | unknown

DNS requests

Domain | IP | Reputation

pywolwnvd.biz | 54.244.188.177 | unknown
ssbzmoy.biz | 18.141.10.107 | unknown
cvgrf.biz | 54.244.188.177 | malicious
npukfztj.biz | 44.221.84.105 | unknown
przvgke.biz | 54.157.24.8 | unknown
zlenh.biz | 49.13.77.253 | unknown
clients2.google.com | 142.250.185.174 | whitelisted
update.googleapis.com | 142.250.185.195 | unknown
edgedl.me.gvt1.com | 34.104.35.123 | whitelisted
knjghuig.biz | 18.141.10.107 | unknown

Threats

PID | Process | Class | Message
("-" marks a missing PID or process)

1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1664 | VIRUS.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
1664 | VIRUS.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2 ETPRO signatures available at the full report
Process: Setup.exe
Message: A StopBlock was hit or a System Requirement was not met.