VPN.exe

Full analysis: https://app.any.run/tasks/d55e2294-5377-4a45-b393-f5a8b20f7d44
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 23, 2023, 23:17:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealc
stealer
loader
oski
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

12C1842C3CCAFE7408C23EBF292EE3D9

SHA1:

4B1AF84CC11A8B1E290A18A4222A49526EEADD10

SHA256:

A040A0AF8697E30506218103074C7D6EA77A84BA3AC1EE5EFAE20F15530A19BB

SSDEEP:

6144:sMHklTfkt3eaAuvuOosMVhCHCEs2qwYZKmATfrdHcn5:loTMperwCC5EQrfZHK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • STEALC was detected

      • VPN.exe (PID: 3484)
    • Steals credentials

      • VPN.exe (PID: 3484)
    • OSKI detected by memory dumps

      • VPN.exe (PID: 3484)
    • Connects to the CnC server

      • VPN.exe (PID: 3484)
    • STEALC detected by memory dumps

      • VPN.exe (PID: 3484)
    • Starts CMD.EXE for self-deleting

      • VPN.exe (PID: 3484)
    • Loads dropped or rewritten executable

      • VPN.exe (PID: 3484)
    • Steals credentials from Web Browsers

      • VPN.exe (PID: 3484)
    • Actions looks like stealing of personal data

      • VPN.exe (PID: 3484)
  • SUSPICIOUS

    • Searches for installed software

      • VPN.exe (PID: 3484)
    • Reads the Internet Settings

      • VPN.exe (PID: 3484)
    • Connects to the server without a host name

      • VPN.exe (PID: 3484)
    • Process requests binary or script from the Internet

      • VPN.exe (PID: 3484)
    • Reads browser cookies

      • VPN.exe (PID: 3484)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2780)
    • Starts CMD.EXE for commands execution

      • VPN.exe (PID: 3484)
  • INFO

    • Reads the computer name

      • VPN.exe (PID: 3484)
    • Checks supported languages

      • VPN.exe (PID: 3484)
    • Reads the machine GUID from the registry

      • VPN.exe (PID: 3484)
    • Reads CPU info

      • VPN.exe (PID: 3484)
    • Checks proxy server information

      • VPN.exe (PID: 3484)
    • Reads product name

      • VPN.exe (PID: 3484)
    • Reads Environment values

      • VPN.exe (PID: 3484)
    • Creates files in the program directory

      • VPN.exe (PID: 3484)
    • Creates files or folders in the user directory

      • VPN.exe (PID: 3484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Stealc

(PID) Process: (3484) VPN.exe
C2: http://171.22.28.221/5c06c05b7b34e8e6.php
Keys:
RC4: 5329514621441247975720749009
Strings (298):
" & del "C:\ProgramData\*.dll"" & exit
%08lX%04lX%lu
%APPDATA%
%DESKTOP%
%DOCUMENTS%
%LOCALAPPDATA%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
%USERPROFILE%
%d/%d/%d %d:%d:%d
%hu/%hu/%hu
*.ini
*.lnk
*.tox
.exe
.txt
/5c06c05b7b34e8e6.php
/9e226a84ec50246d/
/c start
/c timeout /t 5 & del /f /q "
00000001
00000002
00000003
00000004
A7FDF864FBC10B77*
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
All Users:
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptGenerateSymmetricKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BitBlt
C:\ProgramData\
C:\ProgramData\nss3.dll
C:\Windows\system32\cmd.exe
CURRENT
CharToOemW
CloseHandle
CoCreateInstance
Content-Disposition: form-data; name="
Content-Type: multipart/form-data; boundary=----
Cookies
CopyFileA
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCA
CreateEventA
CreateFileA
CreateStreamOnHGlobal
CryptStringToBinaryA
CryptUnprotectData
Current User:
D877F783D5D3EF8C*
DISPLAY
DeleteFileA
DeleteObject
DialogConfig.vdf
DialogConfigOverlay*.vdf
DisplayName
DisplayVersion
ExitProcess
F8806DD0C461824F*
FALSE
FindClose
FindFirstFileA
FindNextFileA
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipFree
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetDC
GetDesktopWindow
GetFileAttributesA
GetFileSize
GetFileSizeEx
GetHGlobalFromStream
GetKeyboardLayoutList
GetLastError
GetLocalTime
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameExA
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetTimeZoneInformation
GetUserDefaultLangID
GetUserDefaultLocaleName
GetUserNameA
GetVolumeInformationA
GetWindowRect
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatusEx
GlobalSize
HAL9TH
HTTP/1.1
HeapAlloc
HeapFree
History
HttpOpenRequestA
HttpSendRequestA
IndexedDB
Installed Apps:
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetOpenUrlA
InternetReadFile
IsWow64Process
JohnDoe
Local Extension Settings
Local State
LocalAlloc
LocalFree
Login Data
MultiByteToWideChar
NSS_Shutdown
Network
Network Info:
OpenEventA
OpenProcess
Opera
Opera GX Stable
Opera Stable
OperaGX
PATH
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
POST
Password
PathMatchSpecA
Pidgin
Process List:
Process32First
Process32Next
ProcessorNameString
ProductName
ReadFile
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
ReleaseDC
RmEndSession
RmRegisterResources
RmStartSession
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT fieldname, value FROM moz_formhistory
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT name, value FROM autofill
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
SELECT origin_url, username_value, password_value FROM logins
SELECT url FROM moz_places LIMIT 1000
SELECT url FROM urls LIMIT 1000
SHGetFolderPathA
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SelectObject
SetFilePointer
ShellExecuteExA
Sleep
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Valve\Steam
SteamPath
StrCmpCA
StrCmpCW
StrStrA
Sync Extension Settings
System Summary:
SystemTimeToFileTime
TRUE
Telegram
TerminateProcess
User Agents:
VMwareVMware
VirtualAlloc
VirtualAllocExNuma
VirtualFree
VirtualProtect
Web Data
WideCharToMultiByte
\.purple\
\Discord\tokens.txt
\Local Storage\leveldb
\Local Storage\leveldb\CURRENT
\Outlook\accounts.txt
\Steam\
\Telegram Desktop\
\Temp\
\config\
\discord\
_0.indexeddb.leveldb
accounts.xml
autofill
bcrypt.dll
browser:
browsers
build
card:
chrome
chrome-extension_
config.vdf
cookies
cookies.sqlite
crypt32.dll
dQw4w9WgXcQ
default
done
encryptedPassword
encryptedUsername
encrypted_key
file
file_name
files
firefox
formSubmitURL
freebl3.dll
f~)Us$rUa"\v
gdi32.dll
gdiplus.dll
guid
history
http://171.22.28.221
https
hwid
key_datas
libraryfolders.vdf
login:
logins.json
loginusers.vdf
lstrcatA
lstrcpyA
lstrcpynA
lstrlenA
map*
message
month:
mozglue.dll
name:
nss3.dll
ntdll.dll
ole32.dll
open
opera
password:
places.sqlite
plugins
profile:
profiles.ini
psapi.dll
rstrtmgr.dll
runas
screenshot.jpg
shell32.dll
soft
softokn3.dll
sqlite3.dll
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_text
sqlite3_finalize
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sscanf
ssfn*
system_info.txt
token
token:
url:
user32.dll
usernameField
wallets
wininet.dll
wsprintfA
wsprintfW
year:

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

ProductVersion: 2.8.47.63
ProductName: Hdfgodifjg
OriginalFileName: Hugidfgy.exe
InternalName: Velectrelidat.exe
FileVersions: 64.5.34.31
CharacterSet: Unknown (85B3)
LanguageCode: Unknown (0294)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 98.0.0.0
FileVersionNumber: 91.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x54bd
UninitializedDataSize: -
InitializedDataSize: 35049472
CodeSize: 240640
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2022:09:28 17:40:46+00:00
MachineType: Intel 386 or later, and compatibles
screenshot
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → #STEALC vpn.exe → cmd.exe (no specs) → timeout.exe (no specs)

Process information

PID: 2780
CMD: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\AppData\Local\Temp\VPN.exe" & del "C:\ProgramData\*.dll"" & exit
Path: C:\Windows\System32\cmd.exe
Parent process: VPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3320
CMD: timeout /t 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3484
CMD: "C:\Users\admin\AppData\Local\Temp\VPN.exe"
Path: C:\Users\admin\AppData\Local\Temp\VPN.exe
Indicators: Stealc
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 12
Suspicious files: 10
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3484 | VPN.exe | C:\ProgramData\FIDAFIEB | binary
    MD5: 03EF1C0012EE77CDA2C2CB36DFBDA123
    SHA256: 800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86
3484 | VPN.exe | C:\ProgramData\EGIDAAFI | binary
    MD5: F47EB60CDF981C17722D0CE740129927
    SHA256: 0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F
3484 | VPN.exe | C:\ProgramData\AAKJKJDGCGDBGDHIJKJECFCFBG |
    MD5:
    SHA256:
3484 | VPN.exe | C:\ProgramData\msvcp140.dll | executable
    MD5: 5FF1FCA37C466D6723EC67BE93B51442
    SHA256: 5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
3484 | VPN.exe | C:\ProgramData\mozglue.dll | executable
    MD5: C8FD9BE83BC728CC04BEFFAFC2907FE9
    SHA256: BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
3484 | VPN.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\msvcp140[1].dll | executable
    MD5: 5FF1FCA37C466D6723EC67BE93B51442
    SHA256: 5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
3484 | VPN.exe | C:\ProgramData\softokn3.dll | executable
    MD5: 4E52D739C324DB8225BD9AB2695F262F
    SHA256: 74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
3484 | VPN.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\softokn3[1].dll | executable
    MD5: 4E52D739C324DB8225BD9AB2695F262F
    SHA256: 74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
3484 | VPN.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\mozglue[1].dll | executable
    MD5: C8FD9BE83BC728CC04BEFFAFC2907FE9
    SHA256: BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
3484 | VPN.exe | C:\ProgramData\freebl3.dll | executable
    MD5: 550686C0EE48C386DFCB40199BD076AC
    SHA256: EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22
TCP/UDP connections: 5
DNS requests: 0
Threats: 36

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | text | 1.75 Kb | malicious
3484 | VPN.exe | GET | 200 | 171.22.28.221:80 | http://171.22.28.221/9e226a84ec50246d/mozglue.dll | unknown | executable | 593 Kb | malicious
3484 | VPN.exe | GET | 200 | 171.22.28.221:80 | http://171.22.28.221/9e226a84ec50246d/softokn3.dll | unknown | executable | 251 Kb | malicious
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | executable | 1.06 Mb | malicious
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | executable | 78.9 Kb | malicious
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | executable | 1.06 Mb | malicious
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | executable | 78.9 Kb | malicious
3484 | VPN.exe | GET | 200 | 171.22.28.221:80 | http://171.22.28.221/9e226a84ec50246d/vcruntime140.dll | unknown | executable | 78.9 Kb | malicious
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | executable | 1.06 Mb | malicious
3484 | VPN.exe | POST | 200 | 171.22.28.221:80 | http://171.22.28.221/5c06c05b7b34e8e6.php | unknown | text | 992 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
3484 | VPN.exe | 171.22.28.221:80 | | ASN-QUADRANET-GLOBAL | US | malicious
3284 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

No data

Threats

PID | Process | Class | Message
3484 | VPN.exe | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Stealc
3484 | VPN.exe | Malware Command and Control Activity Detected | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
3484 | VPN.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Requesting browsers Config from C2
3484 | VPN.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
3484 | VPN.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Requesting plugins Config from C2
3484 | VPN.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
3484 | VPN.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
3484 | VPN.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent
3484 | VPN.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
3484 | VPN.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2 ETPRO signatures available at the full report
No debug info