| Field | Value |
|---|---|
| File name: | WW20.exe |
| Full analysis: | https://app.any.run/tasks/4414503a-6a1a-42f8-a85d-21d1743468a1 |
| Verdict: | Malicious activity |
| Threats: | PrivateLoader is a malware family created specifically to infect computer systems and drop additional malicious programs. It operates on a pay-per-install business model: the individuals behind it are paid for each successful deployment of other harmful programs, including trojans, stealers, and ransomware. |
| Analysis date: | June 12, 2023, 17:29:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 5DEBAE710ACC279440B0FB96AD7BA5EF |
| SHA1: | 90D849A4C61B183B13DCCE6A7622C0C9D569E96B |
| SHA256: | B60004CF3B319182C85D8FEEAE4D3FC9D9F7CEC8DD7740B1F7731F1D21CB11A8 |
| SSDEEP: | 49152:ojOcnDWdf0c37oGtkJ/5Hb4bd/nG78GDeYDCThetBdDdMJoTdtqhpP:mOcDaf0mkddod/nbGEadM |
| Extension | Detected type |
|---|---|
| .exe | Win32 Executable (generic) (52.9) |
| .exe | Generic Win/DOS Executable (23.5) |
| .exe | DOS Executable Generic (23.5) |
| Field | Value |
|---|---|
| ProductVersion: | 1.0.0.5 |
| ProductName: | NetBIUI |
| OriginalFileName: | NetBIUI.exe |
| LegalCopyright: | Copyright (C) 2022 NetBIUI |
| InternalName: | NetBIUI.exe |
| FileVersion: | 1.0.0.5 |
| FileDescription: | NetBIUI |
| CompanyName: | NetBIUI |
| CharacterSet: | Unicode |
| LanguageCode: | German |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Windows NT |
| FileFlags: | Patched, Private build |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.5 |
| FileVersionNumber: | 1.0.0.5 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 6 |
| ImageVersion: | - |
| OSVersion: | 6 |
| EntryPoint: | 0x1d8b61 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 321024 |
| CodeSize: | 2111488 |
| LinkerVersion: | 14.29 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2022:12:12 14:19:43+00:00 |
| MachineType: | Intel 386 or later, and compatibles |

| Field | Value |
|---|---|
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 12-Dec-2022 14:19:43 |
| Detected languages: | |
| DOS header field | Value |
|---|---|
| Magic number: | MZ |
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000118 |
| PE header field | Value |
|---|---|
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 12-Dec-2022 14:19:43 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: | |
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x002036CF | 0x00203800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.39542 |
| .rdata | 0x00205000 | 0x0002A2D2 | 0x0002A400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.82341 |
| .data | 0x00230000 | 0x00008AB8 | 0x00006200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.69039 |
| .rsrc | 0x00239000 | 0x00010DA8 | 0x00010E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.61867 |
| .reloc | 0x0024A000 | 0x0000A6AC | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.52899 |
| Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
| 1 | 4.89623 | 392 | UNKNOWN | English - United States | RT_MANIFEST |
| 107 | 1.98048 | 20 | UNKNOWN | Russian - Russia | RT_GROUP_ICON |
| Imported DLL |
|---|
| ADVAPI32.dll |
| KERNEL32.dll |
| SHELL32.dll |
| USER32.dll |
| ole32.dll |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2400 | "C:\Users\admin\AppData\Local\Temp\WW20.exe" | C:\Users\admin\AppData\Local\Temp\WW20.exe | — | explorer.exe |
| 3296 | "C:\Users\admin\AppData\Local\Temp\WW20.exe" | C:\Users\admin\AppData\Local\Temp\WW20.exe | | explorer.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2400 | admin | NetBIUI | MEDIUM | NetBIUI | 3221226540 | 1.0.0.5 |
| 3296 | admin | NetBIUI | HIGH | NetBIUI | 3 | 1.0.0.5 |

Exit code 3221226540 is 0xC000042C (STATUS_ELEVATION_REQUIRED).
PrivateLoader configuration extracted from (PID) Process (3296) WW20.exe. C2 (3): http://91.241.19.125/pub.php?pub=one, http://sarfoods.com/index.php, 208.67.104.60. Attributes: Payload (37), Strings (817).
| (PID) Process | Operation | Key | Name | Value |
|---|---|---|---|---|
| (3296) WW20.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software\Policies\Microsoft\Windows Defender | DisableAntiSpyware | 1 |
| (3296) WW20.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software\Policies\Microsoft\Windows Defender\Real-time Protection | DisableRealtimeMonitoring | 1 |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}User | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software\Policies | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software\Policies\Microsoft | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software\Policies\Microsoft\Windows | (default) | |
| (3296) WW20.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0A522633-F4D3-4E4B-B0C1-1D82A4CCB3D5}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate | (default) | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3296 | WW20.exe | C:\Windows\System32\GroupPolicy\gpt.ini | text | FED929AE34422010496B5B4A1827A501 | 2DDA40A266ECA9DDD736701EFA24C6FE186EDD6737DB7BF52BFFE32D614667ED |
| 3296 | WW20.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary | CB74C9519D11B70696475FC269EC1815 | 0192DC85F901F57C4A346C1F77CE2D5E5193A0B4BBCB6CA51F9F676E95CD87A4 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3296 | WW20.exe | GET | 301 | 104.17.214.67:80 | http://www.maxmind.com/geoip/v2.1/city/me | US | — | — | whitelisted |
| 3296 | WW20.exe | GET | 404 | 45.95.233.7:80 | http://meta-zone-1.online/api/tracemap.php | FR | text | 16 b | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1140 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 3296 | WW20.exe | 31.31.196.157:80 | metazone1.com | Domain names registrar REG.RU, Ltd | RU | malicious |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 3296 | WW20.exe | 31.31.198.105:80 | meta-zone-1.ru | Domain names registrar REG.RU, Ltd | RU | malicious |
| 3296 | WW20.exe | 45.95.233.7:80 | meta-zone-1.online | Global Internet Solutions LLC | FR | malicious |
| 3296 | WW20.exe | 208.67.104.60:80 | — | Delis LLC | US | malicious |
| 3296 | WW20.exe | 104.26.4.15:443 | db-ip.com | CLOUDFLARENET | US | malicious |
| 3296 | WW20.exe | 104.17.214.67:443 | www.maxmind.com | CLOUDFLARENET | — | shared |
| Domain | IP | Reputation |
|---|---|---|
| metazone1.com | | malicious |
| meta-zone-1.ru | | unknown |
| meta-zone-1.online | | malicious |
| kolo5oso.com | | unknown |
| dns.msftncsi.com | | shared |
| ipinfo.io | | shared |
| db-ip.com | | whitelisted |
| api.db-ip.com | | shared |
| www.maxmind.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 3296 | WW20.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) |
| 3296 | WW20.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |