Malware analysis Download%20X-SLAYER%20Tools%20v0.2.exe Malicious activity

Add for printing

download:	Download%20X-SLAYER%20Tools%20v0.2.exe
Full analysis:	https://app.any.run/tasks/acae5645-f97f-47e7-8946-dd299cf3f73a
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 24, 2020, 18:10:32
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	CAD661F79A64CEBD4AD9D22AE1F2C3B6
SHA1:	C25BE755379079FEF53E1C54B7EC15756D127FE6
SHA256:	A0361B2A0A794F1364ED8345A1484C05D4A4EE797641FF3D0507B485EC73471F
SSDEEP:	24576:WZqqqqSqqqqqqLqq/qqAZl2Lcb24EgU1ouK0pH2iBjfz8Xq2VK4sFwpIz8:4jnQpTp2C4I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Mailist & Combo SLAYER.exe (PID: 3332)
  - Proxy Grabber v0.2 By X-SLAYER.exe (PID: 2648)
- Loads dropped or rewritten executable
  - Mailist & Combo SLAYER.exe (PID: 3332)
SUSPICIOUS
- Reads Environment values
  - Mailist & Combo SLAYER.exe (PID: 3332)
- Executable content was dropped or overwritten
  - Mailist & Combo SLAYER.exe (PID: 3332)
  - WinRAR.exe (PID: 2336)
  - WinRAR.exe (PID: 3240)
- Reads internet explorer settings
  - d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe (PID: 3012)
INFO
- Manual execution by user
  - WinRAR.exe (PID: 2336)
  - WinRAR.exe (PID: 3240)
  - WinRAR.exe (PID: 848)
- Reads settings of System Certificates
  - Mailist & Combo SLAYER.exe (PID: 3332)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (55.8)
.exe	\|	Win64 Executable (generic) (21)
.scr	\|	Windows screen saver (9.9)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:08:07 17:49:01+02:00
PEType:	PE32
LinkerVersion:	11
CodeSize:	1744896
InitializedDataSize:	207872
UninitializedDataSize:	-
EntryPoint:	0x1abe5e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:	Download X-SLAYER Tools v0.1
FileVersion:	1.0.0.0
InternalName:	Download X-SLAYER Tools v0.1.exe
LegalCopyright:	Copyright © 2019
OriginalFileName:	Download X-SLAYER Tools v0.1.exe
ProductName:	Download X-SLAYER Tools v0.1
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	07-Aug-2019 15:49:01
Debug artifacts:	C:\Users\X-SLAYER\Documents\Visual Studio 2013\Projects\Download X-SLAYER Tools v0.1\Download X-SLAYER Tools v0.1\obj\Debug\Download X-SLAYER Tools v0.1.pdb
FileDescription:	Download X-SLAYER Tools v0.1
FileVersion:	1.0.0.0
InternalName:	Download X-SLAYER Tools v0.1.exe
LegalCopyright:	Copyright © 2019
OriginalFilename:	Download X-SLAYER Tools v0.1.exe
ProductName:	Download X-SLAYER Tools v0.1
ProductVersion:	1.0.0.0
Assembly Version:	1.0.0.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	07-Aug-2019 15:49:01
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00002000	0x001A9E64	0x001AA000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.05685
.sdata	0x001AC000	0x00000138	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.99924
.rsrc	0x001AE000	0x000327D0	0x00032800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.62292
.reloc	0x001E2000	0x0000000C	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.10191

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.00112	490	UNKNOWN	UNKNOWN	RT_MANIFEST
2	7.96073	42899	UNKNOWN	UNKNOWN	RT_ICON
3	3.19634	67624	UNKNOWN	UNKNOWN	RT_ICON
4	3.32117	38056	UNKNOWN	UNKNOWN	RT_ICON
5	3.37629	21640	UNKNOWN	UNKNOWN	RT_ICON
6	3.40732	16936	UNKNOWN	UNKNOWN	RT_ICON
7	3.43002	9640	UNKNOWN	UNKNOWN	RT_ICON
8	3.68584	4264	UNKNOWN	UNKNOWN	RT_ICON
9	3.86768	2440	UNKNOWN	UNKNOWN	RT_ICON
10	4.02343	1128	UNKNOWN	UNKNOWN	RT_ICON

Imports


mscoree.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

848

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Instagram Valid Email Checker.rar"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2336

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Mailist & Combo SLAYER.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2648

"C:\Users\admin\AppData\Local\Temp\Rar$EXa3240.2597\Proxy Grabber\Proxy Grabber v0.2 By X-SLAYER.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa3240.2597\Proxy Grabber\Proxy Grabber v0.2 By X-SLAYER.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Proxy Grabber v0.1

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa3240.2597\proxy grabber\proxy grabber v0.2 by x-slayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

3012

"C:\Users\admin\AppData\Local\Temp\d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe"

C:\Users\admin\AppData\Local\Temp\d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Download X-SLAYER Tools v0.1

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

3240

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Proxy Grabber.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

3332

"C:\Users\admin\AppData\Local\Temp\Rar$EXa2336.48311\Mailist & Combo SLAYER\Mailist & Combo SLAYER.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa2336.48311\Mailist & Combo SLAYER\Mailist & Combo SLAYER.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Description:

SLAYER Combo Searcher v 0.4

Exit code:

Version:

0.4

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa2336.48311\mailist & combo slayer\mailist & combo slayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Add for printing

Total events

1 550

Read events

1 426

Write events

124

Delete events

Modification events


(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASMANCS
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(3012) d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\d54216ff-de7f-4a12-8a23-dc5a0e74ae87_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	C:\Users\admin\Desktop\Proxy Grabber.rar		compressed
		MD5:—	SHA256:—
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	C:\Users\admin\Desktop\Proxy Checker v0.1 By X-SLAYER.rar		compressed
		MD5:—	SHA256:—
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	C:\Users\admin\Desktop\Mailist & Combo SLAYER.rar		compressed
		MD5:—	SHA256:—
3240	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3240.2597\Proxy Grabber\TXT Files MERGE by X-SLAYER.exe		executable
		MD5:—	SHA256:—
3240	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3240.2597\Proxy Grabber\Proxy Grabber v0.2 By X-SLAYER.exe		executable
		MD5:—	SHA256:—
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	C:\Users\admin\Desktop\Instagram Valid Email Checker.rar		compressed
		MD5:—	SHA256:—
2336	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa2336.48311\Mailist & Combo SLAYER\SkinSoft.VisualStyler.dll		executable
		MD5:2D84A619D4BD339F860CB48AF0C9B6C8	SHA256:365FFDE7DF914840EB21C96F34C39912A4B031E3814B8E902B67ACEE6DFF65A1
3332	Mailist & Combo SLAYER.exe	C:\Users\admin\AppData\Local\SkinSoft\VisualStyler\2.3.5.0\x86\ssapihook.dll		executable
		MD5:D7F644C06B4CDE60651D02AED6B4174D	SHA256:A99EA2F5759B34859B484AFA3A58CE82A7F3BF792886A6C838DB852D517D9C0D
2336	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa2336.48311\Mailist & Combo SLAYER\Mailist & Combo SLAYER.exe		executable
		MD5:915C0A762D1996D97788DCA49E05004D	SHA256:20D770AD94FADF7E6F20E69124EE181863AE17D59EB2444AE32DE56CD825A771

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=gmail&start=30	US	html	31.3 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=%0Ayahoo&start=30	US	html	33.0 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=gmail&start=30	US	html	31.3 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=%0Ayahoo&start=30	US	html	33.0 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=%0Aaol&start=30	US	html	33.5 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=%0Aaol&start=30	US	html	33.5 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	104.23.98.190:80	http://pastebin.com/raw/TdUnEtwN	US	text	3 b	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	172.217.21.196:80	http://www.google.com/search?q=%0A&start=30	US	html	18.9 Kb	malicious
3332	Mailist & Combo SLAYER.exe	GET	200	204.79.197.200:80	http://www.bing.com/search?q=%0Aaol&start=55	US	html	243 Kb	whitelisted
3332	Mailist & Combo SLAYER.exe	GET	200	204.79.197.200:80	http://www.bing.com/search?q=gmail&start=55	US	html	214 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	172.217.23.110:443	drive.google.com	Google Inc.	US	whitelisted
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	216.58.205.225:443	doc-10-58-docs.googleusercontent.com	Google Inc.	US	whitelisted
3012	d54216ff-de7f-4a12-8a23-dc5a0e74ae87.exe	104.23.99.190:443	pastebin.com	Cloudflare Inc	US	malicious
3332	Mailist & Combo SLAYER.exe	172.217.21.196:80	www.google.com	Google Inc.	US	whitelisted
3332	Mailist & Combo SLAYER.exe	104.23.98.190:80	pastebin.com	Cloudflare Inc	US	malicious
3332	Mailist & Combo SLAYER.exe	172.217.21.196:443	www.google.com	Google Inc.	US	whitelisted
3332	Mailist & Combo SLAYER.exe	5.255.255.70:443	yandex.ru	YANDEX LLC	RU	whitelisted
3332	Mailist & Combo SLAYER.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3332	Mailist & Combo SLAYER.exe	216.58.208.36:443	www.google.com	Google Inc.	US	whitelisted
2648	Proxy Grabber v0.2 By X-SLAYER.exe	104.27.148.235:443	free-proxy-list.net	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
pastebin.com	104.23.99.190 104.23.98.190	malicious
drive.google.com	172.217.23.110	shared
doc-10-58-docs.googleusercontent.com	216.58.205.225	shared
doc-0c-58-docs.googleusercontent.com	216.58.205.225	shared
doc-00-58-docs.googleusercontent.com	216.58.205.225	whitelisted
doc-04-58-docs.googleusercontent.com	216.58.205.225	whitelisted
www.google.com	172.217.21.196 216.58.208.36	malicious
yandex.ru	5.255.255.70 77.88.55.60 77.88.55.66 5.255.255.60	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
free-proxy-list.net	104.27.148.235 104.27.149.235	unknown

Threats

PID	Process	Class	Message
3332	Mailist & Combo SLAYER.exe	Misc activity	SUSPICIOUS [PTsecurity] Minimal HTTP Header for Request to Pastebin

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Download%20X-SLAYER%20Tools%20v0.2.exe

CAD661F79A64CEBD4AD9D22AE1F2C3B6

C25BE755379079FEF53E1C54B7EC15756D127FE6

A0361B2A0A794F1364ED8345A1484C05D4A4EE797641FF3D0507B485EC73471F

24576:WZqqqqSqqqqqqLqq/qqAZl2Lcb24EgU1ouK0pH2iBjfz8Xq2VK4sFwpIz8:4jnQpTp2C4I

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Reads Environment values

Executable content was dropped or overwritten

Reads internet explorer settings

INFO

Manual execution by user

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings