analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Lonelyscreen.1.2.9.keygen.by.Paradox.zip |
| Full analysis: | https://app.any.run/tasks/efb7a57e-b6f3-4be0-9789-ad6a37dfdc9f |
| Verdict: | Malicious activity |
| Threats: | Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. |
| Analysis date: | August 08, 2020, 18:32:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | A08AD2D67A8B60EE574A5D68FFF35C6E |
| SHA1: | AF6FFE03B0B53FA3EFDE61D8B9F115788CFFF032 |
| SHA256: | B8F8FE870C841E6249FDABC7429F735CEFA7C57F10C41F30964F7E5EC190DE54 |
| SSDEEP: | 393216:k0A1zvK1Nl0HeD0Uxir8pOA6AqVFD9HIOb3E:5ARvK1NOHkor8pwF6iE |
MALICIOUS
Application was dropped or rewritten from another process
- Lonelyscreen.1.2.9.keygen.by.Paradox.exe (PID: 2184)
- keygen-pr.exe (PID: 3648)
- keygen-step-3.exe (PID: 3816)
- key.exe (PID: 1800)
- key.exe (PID: 3608)
- id6.exe (PID: 116)
- keygen-step-4.exe (PID: 408)
- setup.upx.exe (PID: 3080)
- whhw.exe (PID: 2780)
- Setup.exe (PID: 2260)
- Setup.exe (PID: 2376)
- searzar.exe (PID: 1676)
- hjjgaa.exe (PID: 3732)
- hjjgaa.exe (PID: 2912)
- Install.exe (PID: 2848)
- jfiag_gg.exe (PID: 2444)
- Install.exe (PID: 2484)
- jfiag_gg.exe (PID: 3892)
- Yandex.exe (PID: 4072)
- Yandex.exe (PID: 180)
- Yandex.exe (PID: 2724)
- BTRSetp.exe (PID: 2308)
- Full Version.exe (PID: 2204)
- Full Version.exe (PID: 848)
- ProZipper.exe (PID: 2896)
- ProZipper.exe (PID: 3064)
- Lokuraexegae.exe (PID: 3700)
- Nivakyxyci.exe (PID: 820)
- Voxysekole.exe (PID: 2680)
- inst.exe (PID: 16364)
- videoplay_8.exe (PID: 13716)
- wyfdggcc.exe (PID: 18224)
- Microsoftunit.exe (PID: 5056)
- video.exe (PID: 17952)
- app.exe (PID: 17060)
- id20.exe (PID: 13944)
- app.exe (PID: 15076)
- dynlink_1593065624691.exe (PID: 2576)
- fish.exe (PID: 16648)
- searzar_9.exe (PID: 14768)
- app.exe (PID: 4568)
- app.exe (PID: 10032)
- y4.exe (PID: 11544)
- inst.exe (PID: 14532)
- searzar.exe (PID: 15336)
- installer.exe (PID: 10012)
- inst.exe (PID: 7628)
- csrss.exe (PID: 14892)
- LightHotlux.exe (PID: 8060)
- CloudPrinter.exe (PID: 5896)
- Trantech.exe (PID: 14368)
- Mbappert.exe (PID: 8376)
- windefender.exe (PID: 16716)
- windefender.exe (PID: 12476)
- Mbappert.exe (PID: 8364)
- JobSanhold.bin (PID: 4168)
- LogicHandler.exe (PID: 9492)
- LogicHandler.exe (PID: 7660)
- Mbappert.exe (PID: 6372)
- set.exe (PID: 7752)
- Mbappert.exe (PID: 10788)
- Mbappert.exe (PID: 3768)
- Mbappert.exe (PID: 15780)
- Mbappert.exe (PID: 13344)
Stealing of credential data
- keygen-step-3.exe (PID: 3816)
- setup.upx.exe (PID: 3080)
- id6.exe (PID: 116)
- xcopy.exe (PID: 3596)
Runs PING.EXE for delay simulation
- cmd.exe (PID: 2840)
- cmd.exe (PID: 2932)
- cmd.exe (PID: 2296)
- cmd.exe (PID: 3784)
- cmd.exe (PID: 2224)
- cmd.exe (PID: 3196)
- cmd.exe (PID: 17140)
Detected Pony/Fareit Trojan
- key.exe (PID: 1800)
Actions looks like stealing of personal data
- id6.exe (PID: 116)
- keygen-step-4.exe (PID: 408)
- key.exe (PID: 1800)
- searzar.exe (PID: 1676)
- Yandex.exe (PID: 4072)
- Yandex.exe (PID: 180)
- BTRSetp.exe (PID: 2308)
- wyfdggcc.exe (PID: 18224)
- video.exe (PID: 17952)
- searzar.exe (PID: 15336)
- id20.exe (PID: 13944)
- Mbappert.exe (PID: 8376)
PONY was detected
- key.exe (PID: 1800)
Connects to CnC server
- key.exe (PID: 1800)
- id6.exe (PID: 116)
- searzar.exe (PID: 1676)
- hjjgaa.exe (PID: 2912)
- Yandex.exe (PID: 4072)
- video.exe (PID: 17952)
- id20.exe (PID: 13944)
- searzar.exe (PID: 15336)
- LightHotlux.exe (PID: 8060)
- Trantech.exe (PID: 14368)
- set.exe (PID: 7752)
SOCELARS was detected
- searzar.exe (PID: 1676)
- video.exe (PID: 17952)
- searzar.exe (PID: 15336)
Changes the autorun value in the registry
- hjjgaa.exe (PID: 2912)
- prozipperRed.exe (PID: 2200)
- app.exe (PID: 4568)
- app.exe (PID: 10032)
- regedit.exe (PID: 13500)
- regedit.exe (PID: 3744)
- regedit.exe (PID: 2216)
- regedit.exe (PID: 15480)
- regedit.exe (PID: 8016)
Changes settings of System certificates
- hjjgaa.exe (PID: 2912)
- Install.exe (PID: 2484)
- prozipperRed.exe (PID: 2200)
- Nivakyxyci.exe (PID: 820)
- video.exe (PID: 17952)
- inst.exe (PID: 16364)
- Lokuraexegae.exe (PID: 3700)
Modifies files in Chrome extension folder
- Yandex.exe (PID: 180)
INNOTOOLS was detected
- Full Version.tmp (PID: 536)
Downloads executable files from the Internet
- Full Version.tmp (PID: 536)
- Lokuraexegae.exe (PID: 3700)
- Nivakyxyci.exe (PID: 820)
- fish.exe (PID: 16648)
Loads dropped or rewritten executable
- ProZipper.exe (PID: 3064)
- schtasks.exe (PID: 10296)
- cmd.exe (PID: 17172)
- Mbappert.exe (PID: 8376)
- schtasks.exe (PID: 14692)
- cmd.exe (PID: 8456)
- conhost.exe (PID: 12196)
- conhost.exe (PID: 11700)
- conhost.exe (PID: 8512)
- schtasks.exe (PID: 5960)
- cmd.exe (PID: 7260)
- schtasks.exe (PID: 14292)
- schtasks.exe (PID: 11440)
- cmd.exe (PID: 6944)
- regedit.exe (PID: 3744)
- schtasks.exe (PID: 4708)
- cmd.exe (PID: 11132)
- cmd.exe (PID: 5844)
- Mbappert.exe (PID: 8364)
- conhost.exe (PID: 17160)
- schtasks.exe (PID: 6128)
- schtasks.exe (PID: 1532)
- conhost.exe (PID: 7952)
- conhost.exe (PID: 16828)
- taskeng.exe (PID: 6080)
- conhost.exe (PID: 11308)
- schtasks.exe (PID: 16728)
- conhost.exe (PID: 564)
- cmd.exe (PID: 17900)
- cmd.exe (PID: 5980)
- schtasks.exe (PID: 6860)
- conhost.exe (PID: 12344)
- cmd.exe (PID: 8304)
- conhost.exe (PID: 17052)
- schtasks.exe (PID: 9636)
- schtasks.exe (PID: 10880)
- conhost.exe (PID: 4528)
- conhost.exe (PID: 3832)
- regedit.exe (PID: 2216)
- cmd.exe (PID: 11180)
- cmd.exe (PID: 13140)
- schtasks.exe (PID: 9556)
- cmd.exe (PID: 9208)
- cmd.exe (PID: 9212)
- Mbappert.exe (PID: 6372)
- cmd.exe (PID: 10092)
- conhost.exe (PID: 8612)
- conhost.exe (PID: 8876)
- schtasks.exe (PID: 9996)
- schtasks.exe (PID: 13672)
- schtasks.exe (PID: 17488)
- conhost.exe (PID: 9236)
- cmd.exe (PID: 16244)
- cmd.exe (PID: 11396)
- schtasks.exe (PID: 16888)
- cmd.exe (PID: 14224)
- schtasks.exe (PID: 18236)
- conhost.exe (PID: 2024)
- conhost.exe (PID: 8360)
- conhost.exe (PID: 4460)
- Mbappert.exe (PID: 10788)
- schtasks.exe (PID: 9744)
- SearchProtocolHost.exe (PID: 5872)
- schtasks.exe (PID: 15308)
- schtasks.exe (PID: 11520)
- cmd.exe (PID: 15820)
- conhost.exe (PID: 9500)
- conhost.exe (PID: 17600)
- cmd.exe (PID: 10396)
- cmd.exe (PID: 11872)
- werfault.exe (PID: 2684)
- cmd.exe (PID: 2800)
- schtasks.exe (PID: 3104)
- werfault.exe (PID: 8216)
- schtasks.exe (PID: 14448)
- cmd.exe (PID: 11920)
- DllHost.exe (PID: 9168)
- conhost.exe (PID: 11924)
- conhost.exe (PID: 5152)
- cmd.exe (PID: 8236)
- schtasks.exe (PID: 12816)
- conhost.exe (PID: 12020)
- regedit.exe (PID: 15480)
- cmd.exe (PID: 12244)
- schtasks.exe (PID: 8944)
- schtasks.exe (PID: 16004)
- conhost.exe (PID: 15132)
- werfault.exe (PID: 6864)
- cmd.exe (PID: 10192)
- cmd.exe (PID: 17512)
- set.exe (PID: 7752)
- schtasks.exe (PID: 11316)
- conhost.exe (PID: 14440)
- conhost.exe (PID: 11224)
- conhost.exe (PID: 11192)
- regedit.exe (PID: 8016)
- cmd.exe (PID: 5232)
- schtasks.exe (PID: 12596)
- cmd.exe (PID: 15464)
- conhost.exe (PID: 16072)
- schtasks.exe (PID: 14464)
- schtasks.exe (PID: 17768)
- cmd.exe (PID: 5868)
- conhost.exe (PID: 7528)
- Mbappert.exe (PID: 3768)
- schtasks.exe (PID: 7276)
- cmd.exe (PID: 17112)
- conhost.exe (PID: 4500)
- cmd.exe (PID: 16040)
- cmd.exe (PID: 6508)
- conhost.exe (PID: 12396)
- schtasks.exe (PID: 16312)
- schtasks.exe (PID: 3488)
- conhost.exe (PID: 14372)
- schtasks.exe (PID: 2384)
- conhost.exe (PID: 9160)
- cmd.exe (PID: 14312)
- cmd.exe (PID: 17804)
- schtasks.exe (PID: 17188)
- conhost.exe (PID: 15764)
- Mbappert.exe (PID: 15780)
- cmd.exe (PID: 7472)
- werfault.exe (PID: 16328)
- schtasks.exe (PID: 4216)
- conhost.exe (PID: 9976)
- schtasks.exe (PID: 10640)
- conhost.exe (PID: 15232)
- cmd.exe (PID: 11492)
- cmd.exe (PID: 8448)
- conhost.exe (PID: 12716)
- cmd.exe (PID: 14388)
- Mbappert.exe (PID: 13344)
- schtasks.exe (PID: 6904)
- conhost.exe (PID: 3684)
- cmd.exe (PID: 2620)
- schtasks.exe (PID: 5120)
- schtasks.exe (PID: 9688)
- conhost.exe (PID: 11216)
- werfault.exe (PID: 11460)
- SearchFilterHost.exe (PID: 7808)
- werfault.exe (PID: 14324)
- cmd.exe (PID: 7140)
- schtasks.exe (PID: 14244)
- DllHost.exe (PID: 6920)
- DllHost.exe (PID: 15544)
Downloads executable files from IP
- Nivakyxyci.exe (PID: 820)
- Lokuraexegae.exe (PID: 3700)
Known privilege escalation attack
- DllHost.exe (PID: 6968)
Modifies exclusions in Windows Defender
- app.exe (PID: 4568)
GLUPTEBA was detected
- app.exe (PID: 4568)
Uses Task Scheduler to autorun other applications
- csrss.exe (PID: 14892)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 7736)
- schtasks.exe (PID: 12188)
- schtasks.exe (PID: 11840)
- schtasks.exe (PID: 4652)
- schtasks.exe (PID: 11472)
- schtasks.exe (PID: 10296)
- schtasks.exe (PID: 11440)
- schtasks.exe (PID: 14692)
- schtasks.exe (PID: 5960)
- schtasks.exe (PID: 14292)
- schtasks.exe (PID: 6128)
- schtasks.exe (PID: 1532)
- schtasks.exe (PID: 4708)
- schtasks.exe (PID: 9636)
- schtasks.exe (PID: 10880)
- schtasks.exe (PID: 6860)
- schtasks.exe (PID: 16728)
- schtasks.exe (PID: 16888)
- schtasks.exe (PID: 17488)
- schtasks.exe (PID: 13672)
- schtasks.exe (PID: 9556)
- schtasks.exe (PID: 9996)
- schtasks.exe (PID: 18236)
- schtasks.exe (PID: 15308)
- schtasks.exe (PID: 11520)
- schtasks.exe (PID: 9744)
- schtasks.exe (PID: 3104)
- schtasks.exe (PID: 14448)
- schtasks.exe (PID: 16004)
- schtasks.exe (PID: 12816)
- schtasks.exe (PID: 8944)
- schtasks.exe (PID: 11316)
- schtasks.exe (PID: 12596)
- schtasks.exe (PID: 17768)
- schtasks.exe (PID: 14464)
- schtasks.exe (PID: 7276)
- schtasks.exe (PID: 3488)
- schtasks.exe (PID: 16312)
- schtasks.exe (PID: 2384)
- schtasks.exe (PID: 17188)
- schtasks.exe (PID: 4216)
- schtasks.exe (PID: 10640)
- schtasks.exe (PID: 6904)
- schtasks.exe (PID: 5120)
- schtasks.exe (PID: 9688)
- schtasks.exe (PID: 14244)
LINKURY was detected
- LightHotlux.exe (PID: 8060)
- CloudPrinter.exe (PID: 5896)
- Trantech.exe (PID: 14368)
- LogicHandler.exe (PID: 9492)
- set.exe (PID: 7752)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 7316)
- cmd.exe (PID: 11092)
- cmd.exe (PID: 15388)
- cmd.exe (PID: 14304)
- cmd.exe (PID: 8456)
- cmd.exe (PID: 17172)
- cmd.exe (PID: 7260)
- cmd.exe (PID: 6944)
- cmd.exe (PID: 11132)
- cmd.exe (PID: 5980)
- cmd.exe (PID: 17900)
- cmd.exe (PID: 8304)
- cmd.exe (PID: 5844)
- cmd.exe (PID: 9212)
- cmd.exe (PID: 9208)
- cmd.exe (PID: 13140)
- cmd.exe (PID: 11396)
- cmd.exe (PID: 11180)
- cmd.exe (PID: 10396)
- cmd.exe (PID: 16244)
- cmd.exe (PID: 10092)
- cmd.exe (PID: 14224)
- cmd.exe (PID: 2800)
- cmd.exe (PID: 15820)
- cmd.exe (PID: 11872)
- cmd.exe (PID: 8236)
- cmd.exe (PID: 12244)
- cmd.exe (PID: 11920)
- cmd.exe (PID: 10192)
- cmd.exe (PID: 17512)
- cmd.exe (PID: 15464)
- cmd.exe (PID: 5232)
- cmd.exe (PID: 5868)
- cmd.exe (PID: 17112)
- cmd.exe (PID: 6508)
- cmd.exe (PID: 16040)
- cmd.exe (PID: 17804)
- cmd.exe (PID: 14312)
- cmd.exe (PID: 7472)
- cmd.exe (PID: 11492)
- cmd.exe (PID: 8448)
- cmd.exe (PID: 14388)
- cmd.exe (PID: 2620)
- cmd.exe (PID: 7140)
Changes AppInit_DLLs value (autorun option)
- regedit.exe (PID: 13500)
- regedit.exe (PID: 3744)
- regedit.exe (PID: 2216)
- regedit.exe (PID: 15480)
- regedit.exe (PID: 8016)
SUSPICIOUS
Application launched itself
- WinRAR.exe (PID: 3216)
- key.exe (PID: 1800)
- hjjgaa.exe (PID: 3732)
- app.exe (PID: 15076)
- app.exe (PID: 17060)
- LogicHandler.exe (PID: 9492)
Executable content was dropped or overwritten
- Lonelyscreen.1.2.9.keygen.by.Paradox.exe (PID: 2184)
- keygen-pr.exe (PID: 3648)
- keygen-step-4.exe (PID: 408)
- whhw.exe (PID: 2780)
- Setup.exe (PID: 2260)
- Setup.exe (PID: 2376)
- Setup.tmp (PID: 556)
- hjjgaa.exe (PID: 2912)
- Install.exe (PID: 2484)
- Yandex.exe (PID: 4072)
- xcopy.exe (PID: 3596)
- Full Version.exe (PID: 2204)
- Full Version.exe (PID: 848)
- Full Version.tmp (PID: 536)
- ProZipper.tmp (PID: 2628)
- prozipperRed.exe (PID: 2200)
- ProZipper.exe (PID: 2896)
- Lokuraexegae.exe (PID: 3700)
- Nivakyxyci.exe (PID: 820)
- videoplay_8.exe (PID: 13716)
- videoplay_8.tmp (PID: 9504)
- inst.exe (PID: 16364)
- searzar_9.exe (PID: 14768)
- y4.exe (PID: 11544)
- searzar_9.tmp (PID: 2192)
- inst.exe (PID: 7628)
- app.exe (PID: 4568)
- csrss.exe (PID: 14892)
- fish.exe (PID: 16648)
- LightHotlux.exe (PID: 8060)
- Trantech.exe (PID: 14368)
- JobSanhold.bin (PID: 4168)
- Mbappert.exe (PID: 8376)
- LogicHandler.exe (PID: 7660)
Starts CMD.EXE for commands execution
- Lonelyscreen.1.2.9.keygen.by.Paradox.exe (PID: 2184)
- keygen-step-3.exe (PID: 3816)
- setup.upx.exe (PID: 3080)
- Install.exe (PID: 2484)
- keygen-step-4.exe (PID: 408)
- Yandex.exe (PID: 2724)
- Yandex.exe (PID: 180)
- rundll32.exe (PID: 3044)
- BTRSetp.exe (PID: 2308)
- Yandex.exe (PID: 4072)
- Lokuraexegae.exe (PID: 3700)
- Nivakyxyci.exe (PID: 820)
- y4.exe (PID: 11544)
- app.exe (PID: 10032)
- app.exe (PID: 4568)
- csrss.exe (PID: 14892)
- windefender.exe (PID: 16716)
- LogicHandler.exe (PID: 7660)
- Mbappert.exe (PID: 8376)
- Mbappert.exe (PID: 8364)
- Mbappert.exe (PID: 6372)
- Mbappert.exe (PID: 10788)
- Mbappert.exe (PID: 3768)
- Mbappert.exe (PID: 15780)
- Mbappert.exe (PID: 13344)
Reads the cookies of Google Chrome
- keygen-step-3.exe (PID: 3816)
- setup.upx.exe (PID: 3080)
- id6.exe (PID: 116)
- searzar.exe (PID: 1676)
- jfiag_gg.exe (PID: 2444)
- Yandex.exe (PID: 4072)
- xcopy.exe (PID: 3596)
- BTRSetp.exe (PID: 2308)
Starts CMD.EXE for self-deleting
- keygen-step-3.exe (PID: 3816)
- setup.upx.exe (PID: 3080)
- Install.exe (PID: 2484)
- Yandex.exe (PID: 2724)
- Yandex.exe (PID: 180)
- Yandex.exe (PID: 4072)
- BTRSetp.exe (PID: 2308)
- y4.exe (PID: 11544)
Reads the Windows organization settings
- key.exe (PID: 3608)
- Setup.tmp (PID: 556)
- videoplay_8.tmp (PID: 9504)
- searzar_9.tmp (PID: 2192)
Reads Windows Product ID
- key.exe (PID: 3608)
- fish.exe (PID: 16648)
Reads Environment values
- key.exe (PID: 3608)
- Mbappert.exe (PID: 8376)
Reads Windows owner or organization settings
- key.exe (PID: 3608)
- Setup.tmp (PID: 556)
- videoplay_8.tmp (PID: 9504)
- searzar_9.tmp (PID: 2192)
Loads DLL from Mozilla Firefox
- key.exe (PID: 1800)
Reads Internet Cache Settings
- key.exe (PID: 1800)
- id6.exe (PID: 116)
- searzar.exe (PID: 1676)
- BTRSetp.exe (PID: 2308)
- Yandex.exe (PID: 4072)
- Full Version.tmp (PID: 536)
- wyfdggcc.exe (PID: 18224)
- inst.exe (PID: 16364)
- video.exe (PID: 17952)
- searzar.exe (PID: 15336)
- id20.exe (PID: 13944)
Creates files in the user directory
- key.exe (PID: 1800)
- id6.exe (PID: 116)
- Yandex.exe (PID: 180)
- Yandex.exe (PID: 4072)
- Lokuraexegae.exe (PID: 3700)
- Mbappert.exe (PID: 8376)
Searches for installed software
- key.exe (PID: 1800)
- key.exe (PID: 3608)
- csrss.exe (PID: 14892)
- fish.exe (PID: 16648)
- Mbappert.exe (PID: 8376)
Reads the cookies of Mozilla Firefox
- id6.exe (PID: 116)
- searzar.exe (PID: 1676)
- Yandex.exe (PID: 4072)
- BTRSetp.exe (PID: 2308)
Checks for external IP
- hjjgaa.exe (PID: 2912)
Creates a software uninstall entry
- searzar.exe (PID: 1676)
- Install.exe (PID: 2484)
- video.exe (PID: 17952)
- searzar.exe (PID: 15336)
- csrss.exe (PID: 14892)
- fish.exe (PID: 16648)
Adds / modifies Windows certificates
- hjjgaa.exe (PID: 2912)
- prozipperRed.exe (PID: 2200)
- inst.exe (PID: 16364)
- Nivakyxyci.exe (PID: 820)
- video.exe (PID: 17952)
- Lokuraexegae.exe (PID: 3700)
Low-level read access rights to disk partition
- Install.exe (PID: 2484)
- Yandex.exe (PID: 180)
- Yandex.exe (PID: 2724)
- Yandex.exe (PID: 4072)
- y4.exe (PID: 11544)
Starts itself from another location
- Install.exe (PID: 2484)
- app.exe (PID: 4568)
- fish.exe (PID: 16648)
Starts Internet Explorer
- cmd.exe (PID: 3096)
- Voxysekole.exe (PID: 2680)
Uses RUNDLL32.EXE to load library
- Yandex.exe (PID: 2724)
Uses TASKKILL.EXE to kill Browsers
- cmd.exe (PID: 2504)
- cmd.exe (PID: 2648)
Creates files in the Windows directory
- Yandex.exe (PID: 4072)
- app.exe (PID: 4568)
- csrss.exe (PID: 14892)
- CloudPrinter.exe (PID: 5896)
- Mbappert.exe (PID: 8376)
- Nivakyxyci.exe (PID: 820)
- Lokuraexegae.exe (PID: 3700)
- set.exe (PID: 7752)
Creates or modifies windows services
- inst.exe (PID: 16364)
- inst.exe (PID: 7628)
Uses NETSH.EXE for network configuration
- cmd.exe (PID: 16972)
- cmd.exe (PID: 15720)
- cmd.exe (PID: 9108)
- cmd.exe (PID: 13456)
Executed via COM
- DllHost.exe (PID: 6968)
Reads the machine GUID from the registry
- app.exe (PID: 10032)
Creates files in the driver directory
- csrss.exe (PID: 14892)
Creates files in the program directory
- LightHotlux.exe (PID: 8060)
- Trantech.exe (PID: 14368)
- Mbappert.exe (PID: 8376)
- LogicHandler.exe (PID: 9492)
- LogicHandler.exe (PID: 7660)
- fish.exe (PID: 16648)
Starts SC.EXE for service management
- LightHotlux.exe (PID: 8060)
- cmd.exe (PID: 10620)
- cmd.exe (PID: 3440)
- cmd.exe (PID: 18020)
- Trantech.exe (PID: 14368)
- cmd.exe (PID: 11568)
- cmd.exe (PID: 6224)
- LogicHandler.exe (PID: 7660)
Executed as Windows Service
- CloudPrinter.exe (PID: 5896)
- windefender.exe (PID: 12476)
- Mbappert.exe (PID: 8376)
- set.exe (PID: 7752)
Starts application with an unusual extension
- fish.exe (PID: 16648)
Executed via Task Scheduler
- cmd.exe (PID: 14304)
- cmd.exe (PID: 7260)
- Mbappert.exe (PID: 8364)
- cmd.exe (PID: 16244)
- cmd.exe (PID: 11920)
- cmd.exe (PID: 5232)
Removes files from Windows directory
- Lokuraexegae.exe (PID: 3700)
- Mbappert.exe (PID: 8376)
- set.exe (PID: 7752)
Changes the started page of IE
- Mbappert.exe (PID: 8376)
INFO
Manual execution by user
- Lonelyscreen.1.2.9.keygen.by.Paradox.exe (PID: 2184)
Reads Microsoft Office registry keys
- key.exe (PID: 3608)
Application was dropped or rewritten from another process
- Setup.tmp (PID: 3620)
- Setup.tmp (PID: 556)
- prozipperRed.exe (PID: 2200)
- Full Version.tmp (PID: 536)
- Full Version.tmp (PID: 3432)
- ProZipper.tmp (PID: 2628)
- videoplay_8.tmp (PID: 9504)
- searzar_9.tmp (PID: 2192)
Creates a software uninstall entry
- Setup.tmp (PID: 556)
- ProZipper.tmp (PID: 2628)
- videoplay_8.tmp (PID: 9504)
- searzar_9.tmp (PID: 2192)
Reads Internet Cache Settings
- iexplore.exe (PID: 3072)
- iexplore.exe (PID: 3020)
- iexplore.exe (PID: 1728)
- iexplore.exe (PID: 7012)
- iexplore.exe (PID: 7360)
- iexplore.exe (PID: 6328)
Reads settings of System Certificates
- iexplore.exe (PID: 3020)
- iexplore.exe (PID: 3072)
- chrome.exe (PID: 3520)
- iexplore.exe (PID: 1728)
- iexplore.exe (PID: 7012)
- iexplore.exe (PID: 6328)
- Nivakyxyci.exe (PID: 820)
- iexplore.exe (PID: 7360)
- csrss.exe (PID: 14892)
Changes internet zones settings
- iexplore.exe (PID: 3072)
- iexplore.exe (PID: 7360)
Application launched itself
- iexplore.exe (PID: 3072)
- chrome.exe (PID: 3840)
- iexplore.exe (PID: 7360)
Reads internet explorer settings
- iexplore.exe (PID: 3020)
- iexplore.exe (PID: 6328)
- iexplore.exe (PID: 1728)
- iexplore.exe (PID: 7012)
Adds / modifies Windows certificates
- iexplore.exe (PID: 3072)
- chrome.exe (PID: 3520)
Changes settings of System certificates
- iexplore.exe (PID: 3072)
- chrome.exe (PID: 3520)
Dropped object may contain Bitcoin addresses
- xcopy.exe (PID: 3596)
Reads the hosts file
- chrome.exe (PID: 3520)
- chrome.exe (PID: 3840)
Loads dropped or rewritten executable
- Full Version.tmp (PID: 536)
- ProZipper.tmp (PID: 2628)
Creates files in the program directory
- prozipperRed.exe (PID: 2200)
- ProZipper.tmp (PID: 2628)
Creates files in the user directory
- iexplore.exe (PID: 6328)
- iexplore.exe (PID: 7012)
- iexplore.exe (PID: 3072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | Lonelyscreen.1.2.9.keygen.by.Paradox.zip |
|---|---|
| ZipUncompressedSize: | 13900749 |
| ZipCompressedSize: | 13900749 |
| ZipCRC: | 0x1ed6911e |
| ZipModifyDate: | 2020:08:08 21:32:02 |
| ZipCompression: | None |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 10 |
Total processes
412
Monitored processes
305
Malicious processes
116
Suspicious processes
67
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3216 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 2960 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3216.41532\Lonelyscreen.1.2.9.keygen.by.Paradox.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 2184 | "C:\Users\admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe" | C:\Users\admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 2688 | cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen.bat" " | C:\Windows\system32\cmd.exe | — | Lonelyscreen.1.2.9.keygen.by.Paradox.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3648 | keygen-pr.exe -p83fsase3Ge | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe | cmd.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 3816 | keygen-step-3.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe | cmd.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe | cmd.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 1800 | "C:\Users\admin\AppData\Local\Temp\RarSFX1\key.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX1\key.exe | keygen-pr.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 2780 | "C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe | keygen-step-4.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 2840 | cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe" | C:\Windows\system32\cmd.exe | — | keygen-step-3.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
16 049
Read events
14 574
Write events
0
Delete events
0
Modification events
Executable files
98
Suspicious files
266
Text files
703
Unknown types
133
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2960.42840\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | — | |
MD5:— | SHA256:— | |||
| 408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\Full Version.exe | executable | |
MD5:5EB7D1110A6268092D008D93701A08B5 | SHA256:B858E24EAC464AFD49D6BF782557F946B03E5E97431A1987B09B0203B5636C97 | |||
| 2780 | whhw.exe | C:\Users\admin\AppData\Local\Temp\RarSFX3\setup.upx.exe | executable | |
MD5:7D72DB8AACECCD5CAB82E0F618CE9D81 | SHA256:A8374F4EFACD0D4ACE4F78A781BAF7A1E0913EDACEB8FEDDCB82D07B68A1BCAB | |||
| 408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe | executable | |
MD5:2FB5455DAB77DD4D793AAFA3DF21B013 | SHA256:160785406249AAE0E5F2BD62DD5DAF64A15CE9BBB36C57A6F8F5C1DDB6390D9B | |||
| 408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat | text | |
MD5:7B24665F2DB82F311BFF238F05EB639A | SHA256:81C2E1E08984F45A9FCD8A5E54087B5B2160ED553B584BAC7EF589C0867E4478 | |||
| 3816 | keygen-step-3.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data1 | sqlite | |
MD5:B07445123C1156C138DBB2C09CA56381 | SHA256:60EF4EEFAE5E163D3C38BBBF592B70453BE8C17D95537C84438DCA3DB7B150F5 | |||
| 2184 | Lonelyscreen.1.2.9.keygen.by.Paradox.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen.bat | text | |
MD5:362A98FF358CEE4C06AEDF4C8E6F8770 | SHA256:C02A8B5CD85868DA0523B58370BC5B6F8C24FA5AC8E59D874F8BA1C21F4EF158 | |||
| 2184 | Lonelyscreen.1.2.9.keygen.by.Paradox.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\user32.dll | executable | |
MD5:634FBE95EA4EF2E799B3D117DD9EC52E | SHA256:1BA4BC4F000DD9263307357FFA42D83EB01F59BF28AEC16EF2EB74E24683412E | |||
| 408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\Install.exe | executable | |
MD5:2C0E1409D473E0ABD4780E8FE56FBCC1 | SHA256:8EA9BF28F667ABD691E7794CCA3095FFF79A2B0FE0CBE3DA3FB8EFFC10DAB4BB | |||
| 408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\Setup.exe | executable | |
MD5:E818A2384A90A03D8314CC4CF1CAD1E0 | SHA256:0585A29DDCDB6A4F0D23D4D09304768877EF1AE500C9664AF9C21A6AFF9D330C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
157
TCP/UDP connections
228
DNS requests
138
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1676 | searzar.exe | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
1800 | key.exe | POST | — | 104.27.166.134:80 | http://www.oldhorse.info/ | US | — | — | malicious |
3080 | setup.upx.exe | POST | 200 | 45.32.114.117:80 | http://www.wdsfw34erf93.com/index.php/api/fb | SG | text | 24 b | whitelisted |
1676 | searzar.exe | POST | 200 | 38.27.96.30:80 | http://www.nicekkk.pw/Home/Index/getdata | US | text | 7 b | malicious |
1800 | key.exe | POST | — | 104.27.166.134:80 | http://www.oldhorse.info/ | US | — | — | malicious |
2484 | Install.exe | POST | 200 | 172.67.152.86:80 | http://ef1db1064a5e5794.xyz/info/w | US | — | — | malicious |
1800 | key.exe | POST | 200 | 104.27.167.134:80 | http://oldhorse.info/a.php | US | — | — | malicious |
116 | id6.exe | POST | 200 | 194.54.83.254:80 | http://freekzvideo.cloud/business/receive | UA | — | — | malicious |
2724 | Yandex.exe | POST | 200 | 172.67.152.86:80 | http://ef1db1064a5e5794.xyz/info/w | US | — | — | malicious |
4072 | Yandex.exe | POST | 200 | 172.67.152.86:80 | http://ef1db1064a5e5794.xyz/info/w | US | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1800 | key.exe | 104.27.167.134:80 | oldhorse.info | Cloudflare Inc | US | malicious |
1676 | searzar.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
3816 | keygen-step-3.exe | 45.32.114.117:80 | www.wdsfw34erf93.com | Choopa, LLC | SG | malicious |
3080 | setup.upx.exe | 45.32.114.117:80 | www.wdsfw34erf93.com | Choopa, LLC | SG | malicious |
116 | id6.exe | 194.54.83.254:80 | freekzvideo.cloud | Omnilance Ltd | UA | malicious |
1676 | searzar.exe | 149.28.244.249:80 | www.ipcode.pw | — | US | suspicious |
2912 | hjjgaa.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
1676 | searzar.exe | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
1676 | searzar.exe | 38.27.96.30:80 | www.nicekkk.pw | HOSTSPACE NETWORKS LLC | US | malicious |
1676 | searzar.exe | 2.16.186.35:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.wdsfw34erf93.com |
| whitelisted |
oldhorse.info |
| malicious |
www.oldhorse.info |
| malicious |
freekzvideo.cloud |
| malicious |
www.ipcode.pw |
| malicious |
iplogger.org |
| shared |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
www.nicekkk.pw |
| malicious |
ip-api.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1800 | key.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Nebuler Checkin |
1800 | key.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
1048 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
116 | id6.exe | A Network Trojan was detected | ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space |
116 | id6.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.cloud Domain |
1048 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
1676 | searzar.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain |
1676 | searzar.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
1676 | searzar.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
1048 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
113 ETPRO signatures available at the full report
Process | Message |
|---|---|
id6.exe | 006 |
id6.exe | http://freekzvideo.cloud/business/receive |
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\1596911662941 directory exists )
|
id20.exe | http://freekzvideo.cloud/business/receive |
LightHotlux.exe | DeviceId=0743643e-9037-d808-6b96-07efe0d17ab7 Distributer=APSFADexpNR ChannelId=3 BarcodeId=54369003 ApName=Mbappert
|
Trantech.exe | DeviceId=0743643e-9037-d808-6b96-07efe0d17ab7 Distributer=APSFADexpNR ChannelId=3 BarcodeId=54369003 DefaultSearchDomain=https://feed.sonic-search.com HomePageDomain=https://feed.helperbar.com NewTabDomain=https://feed.helperbar.com EncryptUrl=true AddRemove=false AgentName=Mbappert YBSearch=false ApName=Mbappert SetAll=true campaignId=461
|
Mbappert.exe | Agent Main
|
Mbappert.exe | Agent Started
|
Mbappert.exe | Agent service started with arg: DeviceId=0743643e-9037-d808-6b96-07efe0d17ab7 Distributer=APSFADexpNR ChannelId=3 BarcodeId=54369003 DefaultSearchDomain=https://feed.sonic-search.com HomePageDomain=https://feed.helperbar.com NewTabDomain=https://feed.helperbar.com EncryptUrl=true AddRemove=false AgentName=Mbappert YBSearch=false ApName=Mbappert SetAll=true campaignId=461
|
Mbappert.exe | Current directory: C:\ProgramData\Mbappert
|