File name:

IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].zip

Full analysis: https://app.any.run/tasks/99a43c0d-f1a3-4bbb-917d-a917d3a25bf5
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: July 06, 2025, 03:07:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
tinynuke
banker
redline
stealer
amadey
clipper
diamotrix
svcstealer
netreactor
confuser
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

6F7409CE070C062CD17C4D4121D3951B

SHA1:

9D9A7ED2F249642DB0BC82DAECC6547E321C524A

SHA256:

A54D1C9DC0D2C7080A99B90530D0C2C1117E9A7A03F7C71644F04BF6ABD2324D

SSDEEP:

98304:i6SvFtvpZXiXXHYeF81hj+cPi/fG+jcnid2AKVb2hHapSXVtzPOX4JzvXedLEX4P:wjH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TINYNUKE has been found (auto)

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • bvxbvbvf.exe (PID: 3704)
    • Runs injected code in another process

      • bvxbvbvf.exe (PID: 3704)
      • svchost.exe (PID: 684)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • Changes the autorun value in the registry

      • bvxbvbvf.exe (PID: 3704)
      • systaxpcosx.exe (PID: 2468)
      • msiexec.exe (PID: 4012)
      • audiodg.exe (PID: 6664)
      • explorer.exe (PID: 4772)
    • REDLINE mutex has been found

      • audiodg.exe (PID: 6664)
      • svchost.exe (PID: 684)
      • msiexec.exe (PID: 4012)
      • explorer.exe (PID: 4772)
    • AMADEY has been found (auto)

      • Launcher.exe (PID: 5548)
      • sysxchostbvv.exe (PID: 5372)
    • AMADEY mutex has been found

      • sysxchostbvv.exe (PID: 5372)
      • Gxtuum.exe (PID: 3196)
    • Actions looks like stealing of personal data

      • yutuytt.exe (PID: 7028)
    • Registers / Runs the DLL via REGSVR32.EXE

      • vbdvbccw.tmp (PID: 2072)
    • DIAMOTRIX has been detected (SURICATA)

      • svchost.exe (PID: 2200)
    • SVCSTEALER has been detected (YARA)

      • yutuytt.exe (PID: 7028)
    • DIAMOTRIX mutex has been found

      • regsvr32.exe (PID: 4808)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • Launcher.exe (PID: 5548)
      • vbdvbccw.exe (PID: 2692)
      • bvxbvbvf.exe (PID: 3704)
      • systaxpcosx.exe (PID: 2468)
      • vbdvbccw.tmp (PID: 4196)
      • vbdvbccw.tmp (PID: 2072)
      • sysxchostbvv.exe (PID: 5372)
      • vbdvbccw.exe (PID: 4324)
    • Reads the date of Windows installation

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
    • Reads security settings of Internet Explorer

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • vbdvbccw.tmp (PID: 4196)
      • sysxchostbvv.exe (PID: 5372)
      • yutuytt.exe (PID: 7028)
      • Gxtuum.exe (PID: 3196)
    • Process drops legitimate windows executable

      • Launcher.exe (PID: 5548)
      • systaxpcosx.exe (PID: 2468)
      • vbdvbccw.tmp (PID: 4196)
      • vbdvbccw.tmp (PID: 2072)
    • Reads the Windows owner or organization settings

      • vbdvbccw.tmp (PID: 4196)
      • vbdvbccw.tmp (PID: 2072)
    • Starts POWERSHELL.EXE for commands execution

      • regsvr32.exe (PID: 4808)
    • Executes application which crashes

      • IptvRChecker.exe (PID: 2380)
    • Starts itself from another location

      • sysxchostbvv.exe (PID: 5372)
    • There is functionality for taking screenshot (YARA)

      • yutuytt.exe (PID: 7028)
    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 4808)
    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2200)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 4808)
  • INFO

    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4772)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 2324)
      • WinRAR.exe (PID: 4832)
      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • Launcher.exe (PID: 5548)
      • systaxpcosx.exe (PID: 2468)
      • vbdvbccw.tmp (PID: 4196)
      • vbdvbccw.tmp (PID: 2072)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4832)
    • Manual execution by a user

      • WinRAR.exe (PID: 4832)
    • Creates files or folders in the user directory

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • Launcher.exe (PID: 5548)
      • systaxpcosx.exe (PID: 2468)
      • vbdvbccw.tmp (PID: 2072)
      • Gxtuum.exe (PID: 3196)
      • WerFault.exe (PID: 6304)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
    • Reads the computer name

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • gfgfrxr.exe (PID: 3048)
      • vbdvbccw.tmp (PID: 4196)
      • yutuytt.exe (PID: 7028)
      • IptvRChecker.exe (PID: 2380)
      • sysxchostbvv.exe (PID: 5372)
      • vbdvbccw.tmp (PID: 2072)
      • Gxtuum.exe (PID: 3196)
    • Checks supported languages

      • gfgfrxr.exe (PID: 3048)
      • bvxbvbvf.exe (PID: 3704)
      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • yutuytt.exe (PID: 7028)
      • vbdvbccw.exe (PID: 2692)
      • Launcher.exe (PID: 5548)
      • sysxchostbvv.exe (PID: 5372)
      • vbdvbccw.tmp (PID: 4196)
      • systaxpcosx.exe (PID: 2468)
      • IptvRChecker.exe (PID: 2380)
      • vbdvbccw.exe (PID: 4324)
      • vbdvbccw.tmp (PID: 2072)
      • Gxtuum.exe (PID: 3196)
    • Reads the machine GUID from the registry

      • bvxbvbvf.exe (PID: 3704)
      • IptvRChecker.exe (PID: 2380)
    • Creates files in the program directory

      • yutuytt.exe (PID: 7028)
      • bvxbvbvf.exe (PID: 3704)
    • Process checks computer location settings

      • IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe (PID: 3672)
      • vbdvbccw.tmp (PID: 4196)
      • sysxchostbvv.exe (PID: 5372)
    • Launching a file from a Registry key

      • bvxbvbvf.exe (PID: 3704)
      • systaxpcosx.exe (PID: 2468)
      • audiodg.exe (PID: 6664)
      • msiexec.exe (PID: 4012)
      • explorer.exe (PID: 4772)
    • Create files in a temporary directory

      • vbdvbccw.exe (PID: 2692)
      • vbdvbccw.tmp (PID: 4196)
      • vbdvbccw.exe (PID: 4324)
      • vbdvbccw.tmp (PID: 2072)
      • sysxchostbvv.exe (PID: 5372)
      • yutuytt.exe (PID: 7028)
    • Checks proxy server information

      • explorer.exe (PID: 4772)
      • yutuytt.exe (PID: 7028)
      • Gxtuum.exe (PID: 3196)
      • WerFault.exe (PID: 6304)
    • .NET Reactor protector has been detected

      • IptvRChecker.exe (PID: 2380)
    • Confuser has been detected (YARA)

      • IptvRChecker.exe (PID: 2380)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 592)
      • powershell.exe (PID: 3148)
    • Reads the software policy settings

      • WerFault.exe (PID: 6304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:10:31 02:15:50
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: config/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
29
Malicious processes
15
Suspicious processes
3

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe rundll32.exe no specs #TINYNUKE iptv tools 1.1.6 premium_cracked[@hacklabb].exe gfgfrxr.exe no specs #TINYNUKE bvxbvbvf.exe #SVCSTEALER yutuytt.exe vbdvbccw.exe #AMADEY launcher.exe vbdvbccw.tmp systaxpcosx.exe #AMADEY sysxchostbvv.exe iptvrchecker.exe #REDLINE audiodg.exe #REDLINE svchost.exe no specs #REDLINE msiexec.exe #REDLINE explorer.exe vbdvbccw.exe vbdvbccw.tmp regsvr32.exe no specs #DIAMOTRIX regsvr32.exe no specs gxtuum.exe powershell.exe no specs conhost.exe no specs werfault.exe powershell.exe no specs conhost.exe no specs #DIAMOTRIX svchost.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
592"PowerShell.exe" -NoProfile -NonInteractive -Command -C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeregsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
684"C:\WINDOWS\system32\svchost.exe"C:\Windows\System32\svchost.exe
systaxpcosx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1976"regsvr32.exe" /s /i:INSTALL "C:\Users\admin\AppData\Roaming\microsoft\systemcertificates\\8TextInputServices.pfx"C:\Windows\SysWOW64\regsvr32.exevbdvbccw.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2072"C:\Users\admin\AppData\Local\Temp\is-TTTS7.tmp\vbdvbccw.tmp" /SL5="$130334,696294,301056,C:\Users\admin\AppData\Roaming\vbdvbccw.exe" /VERYSILENTC:\Users\admin\AppData\Local\Temp\is-TTTS7.tmp\vbdvbccw.tmp
vbdvbccw.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ttts7.tmp\vbdvbccw.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2380"IptvRChecker.exe"C:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\IptvRChecker.exe
Launcher.exe
User:
admin
Company:
Daniel Simons Studios
Integrity Level:
MEDIUM
Description:
IPTV Tools by Daniel
Exit code:
3762504530
Version:
1.1.6.0
Modules
Images
c:\users\admin\desktop\iptv tools 1.1.6 premium_cracked[@hacklabb]\iptvrchecker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2468"C:\Users\admin\AppData\Roaming\systaxpcosx.exe"C:\Users\admin\AppData\Roaming\systaxpcosx.exe
Launcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\appdata\roaming\systaxpcosx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2692"C:\Users\admin\AppData\Roaming\vbdvbccw.exe" C:\Users\admin\AppData\Roaming\vbdvbccw.exe
IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Attribute Utility Setup
Exit code:
1
Version:
Modules
Images
c:\users\admin\appdata\roaming\vbdvbccw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
3048"C:\Users\admin\AppData\Roaming\gfgfrxr.exe" C:\Users\admin\AppData\Roaming\gfgfrxr.exeIPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exe
User:
admin
Company:
Installer
Integrity Level:
MEDIUM
Description:
Installer
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\roaming\gfgfrxr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
28 382
Read events
28 242
Write events
132
Delete events
8

Modification events

(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000003025E
Operation:writeName:VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010012000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C000000190000000000000069006E0073007500720061006E00630065006500780069007300740069006E0067002E006A00700067003E002000200000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C000000160000000000000064006F00630075006D0065006E007400670065006F007200670065002E007200740066003E00200020000000160000000000000067006F007600650072006E006D0065006E00740075006E00690074002E007200740066003E0020002000000019000000000000006C006F00670069006E0069006E00740072006F00640075006300740069006F006E002E007200740066003E0020002000000013000000000000006D00610063006D0075006C007400690070006C0065002E0070006E0067003E002000200000001A000000000000006F00700070006F007200740075006E00690074006900650073006200750069006C0074002E007200740066003E002000200000001600000000000000700061007200740073006500660066006500630074006900760065002E0070006E0067003E002000200000001100000000000000730068006F00770073006C006F00720064002E007200740066003E002000200000001300000000000000730074006100740069006F006E0067006F006F0064002E007200740066003E0020002000000014000000000000007400650078007400610072006300680069007600650073002E007200740066003E0020002000000033000000000000004900500054005600200054006F006F006C007300200031002E0031002E00360020005000720065006D00690075006D005F0043007200610063006B00650064005B0040006800610063006B006C006100620062005D002E007A00690070003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001200000000000000000000000000000000000000803F0000004008000000803F000040400900000000000000404003000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000000000803F01000000000000000040020000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F0700000000400000A0401100
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
8AE8696800000000
(PID) Process:(2324) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(2324) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(2324) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(2324) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].zip
(PID) Process:(2324) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2324) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
Executable files
25
Suspicious files
14
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
4832WinRAR.exeC:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\images\pause.pngimage
MD5:A97A4FD94583E624FD7E17D74F98905F
SHA256:80EB2C6FFE735302A4E9062984B8F82DAFA904B2B8EAC5D735E82B7F8AAA4D93
4772explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
4832WinRAR.exeC:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\images\play.pngimage
MD5:706A7F496F0225ED5FE2C2CB4923132E
SHA256:EA9D4CE8BB78E3C616C1406A340023C3D0F528E66BD65B8F3637EC6019AC6A31
4832WinRAR.exeC:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\MetroFramework.Design.dllexecutable
MD5:AB4C3529694FC8D2427434825F71B2B8
SHA256:0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65
3672IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exeC:\Users\admin\AppData\Roaming\vbdvbccw.exeexecutable
MD5:5235983724705B359C8248A6D84C416D
SHA256:198F737D5A64D2A44FAE287C50929D208E2D4CEE9A77C1605E56F7D04799ED42
4832WinRAR.exeC:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\Interop.AXVLC.dllexecutable
MD5:7CE279AF19A398F73667B2FD35BC4292
SHA256:81C000827F9B7C10EFA85B759EF0165A5F7529B44719F45E26E4A351ED29A98C
3672IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exeC:\Users\admin\AppData\Roaming\Launcher.exeexecutable
MD5:87D1949CEFFBA9F68FA73E2A1EF768DA
SHA256:B239DA042DBB23C0EDAA6F1CDB53C95F80417969D6F6CAFF3926901F4275DAF7
4832WinRAR.exeC:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\AxInterop.AXVLC.dllexecutable
MD5:12695F884550E0D29493B69D6F54F3DC
SHA256:4BB3582746683A09C49BC462AE5AA879E12AD4E78AA9324EFDB1F9260D99B476
4832WinRAR.exeC:\Users\admin\Desktop\IPTV Tools 1.1.6 Premium_Cracked[@hacklabb]\IPTV Tools 1.1.6 Premium.exe.configxml
MD5:81269737FFD0833E696BB479D14D0578
SHA256:9D430AB95568B65CE6C8E8E4C58E73C6D595DD07ACDC87921F09979B1394063E
3672IPTV Tools 1.1.6 Premium_Cracked[@hacklabb].exeC:\Users\admin\AppData\Roaming\gfgfrxr.exeexecutable
MD5:52B1EAA4E45665A7BC3EF22EED6CC099
SHA256:C4E57BA5280096EC6C499A8E03B28428352D9270CDB889D745DBA2418F3FAF19
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
37
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3704
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4320
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3704
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6304
WerFault.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6304
WerFault.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3688
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4320
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4320
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.128
  • 20.190.159.131
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.1
  • 20.190.159.130
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
diamotrix.world
malicious

Threats

PID
Process
Class
Message
2200
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Diamotrix Clipper Domain (diamotrix .world) in DNS Lookup
No debug info