File name: aa.exe
Full analysis: https://app.any.run/tasks/cd489a1f-e6b5-4af0-a48f-bb700a3eba21
Verdict: Malicious activity
Analysis date: February 18, 2024, 00:26:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
bitrat
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C76390D9E1052D9E708940D67B5C135D
SHA1: A370A73A9DD746584428E8A939288ECFFD3C80F7
SHA256: CAF48B67E7BB94A178426FC7CE6B9ED50FFB2F3813A7C68900F21BFFFB24E44F
SSDEEP: 393216:BLs+q1CPwDv3uFtn2EeJUO9WLrRxtw3iFFrS6XwdcU:Gc8c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • aa.exe (PID: 3672)
    • BITRAT has been detected (YARA)

      • aa.exe (PID: 3672)
    • Changes the autorun value in the registry

      • aa.exe (PID: 3672)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • aa.exe (PID: 3672)
    • Reads the Internet Settings

      • aa.exe (PID: 3672)
    • Executable content was dropped or overwritten

      • aa.exe (PID: 3672)
    • Connects to unusual port

      • tor.exe (PID: 3972)
      • tor.exe (PID: 696)
      • tor.exe (PID: 2856)
      • tor.exe (PID: 3068)
      • tor.exe (PID: 1368)
    • Reads settings of System Certificates

      • aa.exe (PID: 3672)
    • Checks Windows Trust Settings

      • aa.exe (PID: 3672)
    • Adds/modifies Windows certificates

      • aa.exe (PID: 3672)
    • Checks for external IP

      • aa.exe (PID: 3672)
  • INFO

    • Checks supported languages

      • aa.exe (PID: 3672)
      • tor.exe (PID: 3972)
      • tor.exe (PID: 3068)
      • tor.exe (PID: 2856)
      • tor.exe (PID: 696)
      • tor.exe (PID: 1368)
    • Reads the computer name

      • aa.exe (PID: 3672)
      • tor.exe (PID: 3972)
      • tor.exe (PID: 2856)
      • tor.exe (PID: 696)
      • tor.exe (PID: 3068)
      • tor.exe (PID: 1368)
    • Reads the machine GUID from the registry

      • tor.exe (PID: 3972)
      • aa.exe (PID: 3672)
      • tor.exe (PID: 2856)
      • tor.exe (PID: 696)
      • tor.exe (PID: 3068)
      • tor.exe (PID: 1368)
    • Creates files or folders in the user directory

      • tor.exe (PID: 3972)
      • aa.exe (PID: 3672)
      • tor.exe (PID: 2856)
      • tor.exe (PID: 696)
      • tor.exe (PID: 3068)
      • tor.exe (PID: 1368)
    • Checks proxy server information

      • aa.exe (PID: 3672)
    • Reads the software policy settings

      • aa.exe (PID: 3672)
    • Create files in a temporary directory

      • aa.exe (PID: 3672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

BitRat

(PID) Process: (3672) aa.exe
C2: 7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion
Ports: 440
Options
TorProcess: tor
CommunicationPassword: 4124bc0a9335c27f086f24ba207a4912
InstallName: Runtime_Broker
InstallFolder: Minecraft
Version: 1.38
Keys
MD5: af5b81f5ea1d7859
Strings (669)
(1)
(Build:
(Last bootup:
(max:
(x64)
(x86)
* CPU
* DONATE
* POOL #1
-a "
-incognito
-l "
GiB
Hz)</val2>
KiB
MHz)</val2>
MHz</val2>
Mbit/s
TiB
[Download]
algo
"message_id":
"text":"
"update_id":
% Available (charging)
%)</size>
%27.0.0.1:45808
%|-1
&text=
)</val1>
)</val2>
+HSA
, RAM:
-2147483643/
-2147483645/
-2147483646/
-2147483647/
-2147483648/
-2147483650
.dat
.enc
.json
.xml
.zip
.zipL
/altID: m
/camF
/clb
/dlex
/free
/msg3
/pws
/resync /nowait
/scrF
/sendMes
/sendMessage?chat_id=
/usbF
/volE
/web
127.0.0.1:45808
1|-1
9onnecting...
9ontinuing
9unning
;HIFT
</block>
</cpuusage>
</date>
</dep>
</err>
</est>
</files>
</filesystem>
</icon>
</isprc>
</issys>
</label>
</lis>
</mod>
</n></blX
</name>
</path>
</pb>
</pid>
</pri>
</ramload>
</ramsize>
</server>
</silent>
</sizefree>
</sizetotal>
</sizeused>
</state>
</status>
</sz>
</tcp>
</threads>
</title>
</type>
</udp>
</v>i
</val2>
</xml>
<F10]
<F11]
<F13]
<F14]
<F16]
<F1]
<F3]
<F5]
<F6]
<apptype>
<attr>
<block>
<block></block>
<cpuusage>
<date>
<date>N/A</date>
<dep>
<desc>
<dirs>
<disp>
<err>thrr
<filesystem>
<hwnd>
<icon>
<letter>
<lis>
<n>N/A</n>
<name>
<path>
<path>N/A</path>
<pb>N/A</pb>
<pb>N/A</pb>]
<ramfree>
<ramload>
<ramsize>
<server>
<silent>
<silent>N/A</silent>
<size>
<sizefree>
<sz>N/A</sz>
<tcp>
<threads>
<type>
<v>N/A</v>
<val1>Antivirus</val1>
<val1>BIOS</val1>
<val1>Graphic card (
<val1>Input locale</val1>
<val1>Installed RAM</val1>
<val1>Monitor (
<val1>OS architecture</val1>
<val1>OS install date</val1>
<val1>OS version</val1>
<val1>Operating system</val1>
<val1>PC domain</val1>
<val1>PC manufacturer</val1>
<val1>PC model</val1>
<val1>Platform type</val1>
<val1>Processor</val1>
<val1>RAM slot (
<val1>System locale</val1>
<val1>System uptime</val1>
<val1>Time zone</val1>
<val1>Username</val1>
<val2>
<xml>
=li_dc
=li_rc
?ocks5_srv_start
ADD
APPACTIVATE
AT
AVE_MARIA
Action: /cam
Action: /clsbrw
Action: /klg
Action: /msg
Action: /usb
Action: /vol
Action: /web
AdapteP
Afrikaans
Alerts disabled
Alerts enabled
All in One
Armenian
Attempting to launch browser...
Automatic
BS
Basque
Boot Start
Bot ID:
BuildNumber
Bulgarian
Bus Expansion Chassis
Business
CLOSED
Capacity
Caption
ChassisTypes
Closing virtual desktop...
Connecting...
CreateDesktop API failed!
CreateProcess API failed!
Critical error control
Croatian
Czech
DEL
DELETE_TCB
Danish
Datacenter
DelegateExecute
Desktop
Disabled
Disconnected
DisplayIcon
DisplayName
DisplayVersion
Docking Station
DriverVersion
END
ESC
Enterprise
EstimatedChargeRemaining
EstimatedSize
Estonian
Expansion Chassis
F1
F10
F11
F12
F13
F14
F15
F16
F2
F3
F4
F5
F6
F7
F8
F9
FAIL (invalid arguments)
FAIL (invalid log size)
FIN_WAIT1
FIN_WAIT2
FL_DL
Faeroese
Failed to launch browser
Finnish
FriendlyName
Fully charged (
Georgian
Gonnecting...
Greek
Gujarati
H/data>
H/path>
H/pb>
Hblock>
Hclass>
Hdep>
Hdir>
Hebrew
Hidden
Hindi
Hmod>
Hobj>dir</obj>
Hpath>
Hsize>-1</size>
Hungarian
INS
Icelandic
Iisconnected
InstallDate
InstallLocation
Interactive process
Itopping
JF12]
JF15]
JF2]
JF4]
JF8]
JF9]
Kazakh
Keep-alive
Keylog:
Kli_off
Kli_sleep
Kli_un
Kon_close
Konkani
Kyrgyz
LAST_ACK
LISTENING
Laptop
Latvian
Lithuanian
Low Profile Desktop
Lplg\
Lunch Box
Macedonian
Main System Chassis
Malay - Brunei Darussalam
Manual
Manufacturer
Marathi
Mate
MaxClockSpeed
Maximized
Mini Tower
Mrv_list
Mrv_start
No clipboard
Normal
Norwegian - Bokmal
Norwegian - Nynorsk
Notebook
OSLanguage
Oest
Oitle
P |
Peripheral Chassis
Pizza Box
Polish
Portable
Portuguese - Brazilian
Portuguese - Standard
Powrprof.dll
Publisher
QuietUninstallString
RB_ST
Rack Mount Chassis
Recognizer driver
Remote browser started!
Remote browser stopped!
RtlAdjustPrivilege
RtlGetVersion
Russian
SCK_CMD|
SC_PR_ST
SC_ST
SC_ST2
SELECT * FROM Win32_Processor
SELECT * From AntiVirusProduct
SYN_RCVD
SYN_SENT
ScreenHeight
ScreenWidth
Sealed-Case PC
Select * from Win32_BIOS
Select * from Win32_Battery
Select * from Win32_TimeZone
Serbian - Cyrillic
Serbian - Latin
Service ignores error
SetThreadDesktop API failed!
Severe error control
Slovak
Slovenian
Socket was unexpectedly closed!
Sorry, Chrome was not detected!
Space-Saving
Spanish - Argentina
Spanish - Bolivia
Spanish - Chile
Spanish - Colombia
Spanish - Costa_Rica
Spanish - Dominican Republic
Spanish - Ecuador
Spanish - El Salvador
Spanish - Guatemala
Spanish - Honduras
Spanish - Mexican
Spanish - Modern Sort
Spanish - Nicaragua
Spanish - Panama
Spanish - Paraguay
Spanish - Peru
Spanish - Puerto Rico
Spanish - Traditional Sort
Spanish - Uruguay
Spanish - Venezuela
Speed
Status:
Status: FAIL (no available cam)
Status: OK
Storage Chassis
Sub Notebook
SubChassis
Swahili
Swedish
Swedish - Finland
Switching to virtual desktop...
Syriac
TIME_WAIT
TLS Handshake
Tamild
Tatar
Telugu
Thai[
UCBrowser.exe
Ukrainian
Unknown
UrduD
User:
Uzbek - Cyrillic
V/dep>
V/dirs>
V/disp>
V/mod>
V/name>
V/path>
V/size>
Vblock>
Verr>
Version
Vietnamese
Virtual Machine
Vissys>
Vobj>file</obj>
Vpath>
Vpid>
Vudp>
Vxml>
WC_PR_ST
WELAY
Web Server
WelegateExecute
Win 10
Win 11
Win 2000
Win 8.1
Win Vista
Win XP
Win32
Win32 process
Win32 share process
Window:
WmiCloseBlock
WmiQueryAllDataW
Zplg\
[BACKSPACE]
[CAPSLOCK]
[CLIPBOARD_END]
[CLIPBOARD_START]
[CTRL+@]
[CTRL+C]
[CTRL+D]
[CTRL+E]
[CTRL+F]
[CTRL+G]
[CTRL+J]
[CTRL+M]
[CTRL+N]
[CTRL+O]
[CTRL+P]
[CTRL+R]
[CTRL+S]
[CTRL+T]
[CTRL+U]
[CTRL+V]
[CTRL+X]
[CTRL+Y]
[CTRL+Z]
[CTRL+[]
[CTRL+\]
[CTRL+^]
[CTRL+_]
[DOWN]
[ENTER]
[ESC]ile3
[EXECUTE]
[INS]
[LEFT]
[MENU]
[NUMPAD_7]
[NUMPAD_8]
[NUMPAD_9]
[NUMPAD_ADD]
[NUMPAD_MULTIPLY]
[NUMPAD_SEPARATOR]
[NUMPAD_SUBTRACT]
[PAGEDOWN]
[PAGEUP]
[PAUSE]
[SCROLL]
[SELECT]
[TAB]
[UP]&
[lexec
[nknown
\Google\C
\Google\Chrome\User Data
\Mozilla\F
\Mozilla\Firefox
\Mozilla\Firefox\profiles.ini
\Opera\Opera
\Torch\User Data
\b\d{2}[-]\d{2}[-]\d{4}\b
\plg
\plg\
\plg\inj64.exe
\plg\pid
\setup.exe
alert
alert|
aud_rec_list
autoruns
autoruns_del
autoruns_req
bg_change
browsers_clear
c o#\dat
chrome.exe
cli_bsod
cli_hib
cli_log
cli_off
cli_rs
cli_sleep
cli_up
clipboard_get
con_list
crd_logins
crd_logins_report
crd_logins_report_req
crd_logins_req
crd_logins_req_tg
crd_logins_start_tg
crd_logins_tg
data
date
ddos_stop
displayName
dl_dir_obj_count
drives_get
files_delete
files_delete_dir_normal
files_delete_dir_secure
files_delete_end
files_delete_normal
files_delete_secure
files_delete_start
files_download_resume
files_get
files_search_path
files_upload
files_zip
files_zip_end
files_zip_start
firefox.exe
h7s~~hWCs
h?|~~
hK
h]z
hep~~h
http://api.ipify.org
http://ip
http://ipecho.net/plain
http://ipinfo.io/ip
http://ipv4.icanhazip.com
http://wtfismyip.com/text
h{~~~3?
iexplore.exe
image/png
infompti)
injdll
inknown
j,h??s
jAh/fs
klg_search
klgoff_del
klgoff_dl_all
klgoff_dl_recent
klgoff_get
klgoff_list
klgonlinestart
klgonlinestop
max
miles_delete_start
miles_download
miles_new_dir
miles_rename
miles_zip_dir
mnk32
monitors_refresh
msedge.exe
msgbox
notes_get
notes_set
ntdll.dll
opera.exe
prc_kill
prc_list
prc_priority
prc_restart
prc_resume
prc_suspend
productState
reg_hkeys_get
reg_keys_get
rejected
remotebrowser_error
remotebrowser_info
remotebrowser_stop
root
scr_off
scr_on
screenlive_stop
settings
shell_stop
socks4r_stats
socks4r_stop
socks5_srv_stats
soft_list
soft_uninstall
speed
speedtest
srv_control
srv_list
srv_start
srv_uninstall
task_del
tasks_list
thtml
thumb_data
torch.exe
u0 Hz,
unk32
unknown
upnp_data
usb_spread
vivaldi.exe
vol_edit
w32tm.exe
wd_kill
webcam_devices
webcam_start
webcam_stop
website_open
wnd_cmd
wnd_list
wnd_title
xmr64_mine_ready
xmr64_mine_req
xmr_mine_ready
xmr_mine_req
xmr_mine_stats
xmrmine
zS:
{iles_exec
{iles_search
{iles_search_stop
{iles_upload_dir
{iles_zip
{iles_zip_end
/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRgNNmf9XjPAEaZ6CQ6NJlHzgU1ck3qhq0LC7ULPi97...
06bc1cbe81be27924fc2f531b4532024
4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200000000000000000000007E3100004B0000000000...
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
adcc3a8469c6b9df
b27a218a5dac00b0ed4b855546131d6929d3c512320a28fb7691eeb6f1f6711dc840a6857a5f07c4cf368deac3c482d010e4e6c3e2b390d32244fc98ad1c4b0608de1bb2b52879fe3bfb8cabd2448a1722f917d63921dd4d0b5daea383c6bb7d7f870cd3f490540a47689318b8c0df0bfe3c934a995397e5288ec6f96a970c7eca04785dffc96488011093a509e66f0a1e389904176f...
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:30 02:19:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 3006976
InitializedDataSize: 5169152
UninitializedDataSize: -
EntryPoint: 0x289752
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #BITRAT aa.exe tor.exe tor.exe tor.exe tor.exe tor.exe

Process information

PID: 696
CMD: "C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
Path: C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe
Parent process: aa.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\a5b260eb\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 1368
CMD: "C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
Path: C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe
Parent process: aa.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\a5b260eb\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 2856
CMD: "C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
Path: C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe
Parent process: aa.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\a5b260eb\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 3068
CMD: "C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
Path: C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe
Parent process: aa.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\a5b260eb\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 3672
CMD: "C:\Users\admin\AppData\Local\Temp\aa.exe"
Path: C:\Users\admin\AppData\Local\Temp\aa.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\aa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
PID: 3972
CMD: "C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
Path: C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe
Parent process: aa.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\a5b260eb\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events: 12 723
Read events: 12 473
Write events: 174
Delete events: 76

Modification events

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Runtime_Broker
Value: C:\Users\admin\AppData\Local\Minecraft\Runtime_Broker

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: aa.exe

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

(PID) Process: (3672) aa.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:
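Two of the registry changes above are the ones a responder wants to detect on other hosts: an autorun value written under HKCU\...\CurrentVersion\Run that points into a user-writable folder (C:\Users\admin\AppData\Local\Minecraft\Runtime_Broker, a name chosen to resemble the legitimate RuntimeBroker.exe in System32 and written without an .exe extension), and the user's WinINet proxy configuration being cleared (ProxyEnable set to 0, ProxyServer, ProxyOverride and AutoConfigURL deleted, ZoneMap values rewritten). The Python below is an added example, not ANY.RUN's code and not anything from the sample: it classifies registry records constructed to mirror the events listed above. The RegEvent field names, the list of system-binary lookalike names and the "user-writable path" pattern are this example's own assumptions.

```python
"""Classify sandbox registry events for BitRAT-style persistence and proxy tampering.

Added example for this report; not ANY.RUN code and not part of the sample.
The RegEvent records at the bottom are constructed to mirror the modification
events in the report; the field names are this example's own convention.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce: classic autostart locations.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Assumption: a legitimate installer rarely points an autorun entry into per-user scratch space.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)

# Assumed lookalike list; the real RuntimeBroker.exe lives in C:\Windows\System32.
LOOKALIKE_NAMES = {"runtime_broker", "runtimebroker", "svchost", "csrss", "lsass", "dllhost"}

PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}
ZONEMAP_VALUES = {"ProxyBypass", "IntranetName", "UNCAsIntranet", "AutoDetect"}


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str          # "write" or "delete value", as the sandbox labels them
    name: str
    value: str = ""


def classify(ev: RegEvent) -> list[str]:
    """Return zero or more tags describing why this single event is interesting."""
    tags: list[str] = []
    key = ev.key.lower()
    if ev.operation == "write" and RUN_KEY_RE.search(ev.key):
        tags.append("autorun_write")
        if USER_WRITABLE_RE.search(ev.value):
            tags.append("autorun_in_user_writable_path")
        if ev.name.lower().removesuffix(".exe") in LOOKALIKE_NAMES:
            tags.append("autorun_name_mimics_system_binary")
        # The report's value has no .exe extension; the Run key still executes it.
        if not ev.value.lower().endswith(".exe"):
            tags.append("autorun_target_without_exe_extension")
    if key.endswith("\\internet settings") and ev.name in PROXY_VALUES:
        tags.append("proxy_settings_tampering")
    if key.endswith("\\internet settings\\zonemap") and ev.name in ZONEMAP_VALUES:
        tags.append("ie_zonemap_tampering")
    return tags


def summarize(events: list[RegEvent]) -> dict[int, dict[str, object]]:
    """Aggregate per PID: tag set, the autorun entry written, and a suspicious flag."""
    out: dict[int, dict[str, object]] = {}
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        entry = out.setdefault(ev.pid, {"process": ev.process, "tags": set(), "autorun": None})
        entry["tags"].update(tags)
        if "autorun_write" in tags:
            entry["autorun"] = (ev.name, ev.value)
    for entry in out.values():
        entry["persistence"] = "autorun_write" in entry["tags"]
        # A plain autorun write is normal installer behaviour; anything beyond it is not.
        entry["suspicious"] = bool(entry["tags"] - {"autorun_write"})
    return out


HKCU_IS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample mirroring the events in this report (not a sandbox export).
SAMPLE_EVENTS = [
    RegEvent(3672, "aa.exe", HKCU_IS + r"\ZoneMap", "write", "ProxyBypass", "1"),
    RegEvent(3672, "aa.exe", HKCU_IS + r"\ZoneMap", "write", "AutoDetect", "0"),
    RegEvent(3672, "aa.exe", HKCU_RUN, "write", "Runtime_Broker",
             r"C:\Users\admin\AppData\Local\Minecraft\Runtime_Broker"),
    RegEvent(3672, "aa.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication",
             "write", "Name", "aa.exe"),
    RegEvent(3672, "aa.exe", HKCU_IS, "write", "ProxyEnable", "0"),
    RegEvent(3672, "aa.exe", HKCU_IS, "delete value", "ProxyServer"),
    RegEvent(3672, "aa.exe", HKCU_IS, "delete value", "AutoConfigURL"),
    # Hypothetical benign autorun for contrast: vendor path, ordinary name, .exe extension.
    RegEvent(4100, "setup.exe", HKCU_RUN, "write", "Updater",
             r"C:\Program Files\Vendor\Updater.exe"),
]

if __name__ == "__main__":
    for pid, entry in summarize(SAMPLE_EVENTS).items():
        print(pid, entry["process"], sorted(entry["tags"]), entry["autorun"], entry["suspicious"])
```

The Direct3D MostRecentApplication write is deliberately left untagged: it is a side effect of the process initialising Direct3D and carries no signal on its own. Feeding the same classifier the Run-key writes from a Sysmon EventID 13 export only requires mapping the event's TargetObject and Details fields onto RegEvent.key and RegEvent.value.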
Executable files: 9
Suspicious files: 5
Text files: 20
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3672 | aa.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll | executable
MD5: 2384A02C4A1F7EC481ADDE3A020607D3
SHA256: C8DB0FF0F7047ED91B057005E86AD3A23EAE616253313AA047C560D9EB398369
3672 | aa.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll | executable
MD5: D407CC6D79A08039A6F4B50539E560B8
SHA256: 92CFD0277C8781A15A0F17B7AEE6CFF69631B9606A001101631F04B3381EFC4E
3972 | tor.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\data\cached-microdesc-consensus.tmp | text
MD5: DC6C354837BA42FB8D8D16962E2AECEB
SHA256: 41B357EB93B20EBAD3C63484EDF25CAA94001466FD818E282FD063689E62234E
3972 | tor.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\data\unverified-microdesc-consensus | text
MD5: DC6C354837BA42FB8D8D16962E2AECEB
SHA256: 41B357EB93B20EBAD3C63484EDF25CAA94001466FD818E282FD063689E62234E
3672 | aa.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll | executable
MD5: B0D98F7157D972190FE0759D4368D320
SHA256: 2922193133DABAB5B82088D4E87484E2FAC75E9E0C765DACAF22EB5F4F18B0C5
3672 | aa.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\zlib1.dll | executable
MD5: ADD33041AF894B67FE34E1DC819B7EB6
SHA256: 8688BD7CA55DCC0C23C429762776A0A43FE5B0332DFD5B79EF74E55D4BBC1183
3672 | aa.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\torrc | text
MD5: DB9DE734D2282692595A1A191AA04D26
SHA256: F97DC5F682EDC1751559E5007321A33A8654CEF8B6BA512C601FA56076182A91
3972 | tor.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\data\state.tmp | text
MD5: 036A270D80A4157E004A5652C535E125
SHA256: 470D297857202B3C5BD936270ECC31BB692419311135018756BBE899137E0A03
3972 | tor.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\data\state | text
MD5: 036A270D80A4157E004A5652C535E125
SHA256: 470D297857202B3C5BD936270ECC31BB692419311135018756BBE899137E0A03
2856 | tor.exe | C:\Users\admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.tmp |
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 29
DNS requests: 5
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3672 | aa.exe | GET | 304 | 23.216.77.22:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb62bd5d68144a3 | unknown | - | - | unknown
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1b8fee253118cbef | unknown | - | - | unknown
3672 | aa.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
3672 | aa.exe | GET | 200 | 184.24.77.67:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOl%2Bm1OBuofdqCDAPfYIcL74g%3D%3D | unknown | binary | 503 b | unknown
3672 | aa.exe | GET | 200 | 23.216.77.22:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?174f274616bc7e17 | unknown | compressed | 65.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3972 | tor.exe | 176.10.107.180:9001 | - | Datasource AG | CH | unknown
3972 | tor.exe | 185.246.152.22:443 | - | Melbikomas UAB | NL | unknown
3972 | tor.exe | 94.23.68.187:9001 | - | OVH SAS | FR | unknown
3972 | tor.exe | 162.19.204.163:10000 | - | OVH SAS | FR | unknown
3672 | aa.exe | 34.117.118.44:443 | myexternalip.com | GOOGLE-CLOUD-PLATFORM | US | unknown
3672 | aa.exe | 23.216.77.22:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3672 | aa.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
myexternalip.com
  • 34.117.118.44
shared
ctldl.windowsupdate.com
  • 23.216.77.22
  • 23.216.77.14
  • 93.184.221.240
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r3.o.lencr.org
  • 184.24.77.67
  • 184.24.77.61
  • 184.24.77.69
  • 184.24.77.70
  • 184.24.77.65
  • 184.24.77.71
  • 184.24.77.62
  • 184.24.77.73
  • 184.24.77.80
shared

Threats

PID | Process | Class | Message
3972 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 240
3972 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223
3972 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 825
3672 | aa.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (myexternalip .com in TLS SNI)
3672 | aa.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL/TLS Certificate (ifconfig .me)
3672 | aa.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (myexternalip .com in TLS SNI)
3672 | aa.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL/TLS Certificate (ifconfig .me)
2856 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144
2856 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 766
3672 | aa.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (myexternalip .com in TLS SNI)
No debug info
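Taken together, the process tree (aa.exe spawning tor.exe from C:\Users\admin\AppData\Local\a5b260eb\tor\ with -f torrc), the connections to Tor relays on ports 9001, 443 and 10000, and the ET POLICY hits for myexternalip.com and ifconfig.me are a stronger signal than any one of them alone: a Tor client that another process dropped into a random 8-hex-character folder, whose parent immediately learns the victim's public IP. The Python below is an added example, not ANY.RUN's code and not the sample's: it correlates process and network records constructed to mirror this report. The external-IP-check domain list is taken from the sample's strings and the network section; the Tor Browser path used for contrast, the record field names and the "user-writable path" pattern are this example's own assumptions.

```python
"""Correlate a planted Tor client with external-IP lookups by its parent process.

Added example for this report; not ANY.RUN code and not part of the sample.
The Proc and NetEvent records at the bottom are constructed to mirror this
report's process tree, connections and IDS hits; field names are this
example's own convention.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Services the sample's strings and network traffic use to learn the victim's public IP.
IP_CHECK_DOMAINS = {
    "api.ipify.org", "ipecho.net", "ipinfo.io", "ipv4.icanhazip.com",
    "wtfismyip.com", "myexternalip.com", "ifconfig.me",
}

# tor.exe dropped into %LOCALAPPDATA%\<8 hex digits>\tor\, as in this report.
DROPPED_TOR_RE = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}\\tor\\tor\.exe$", re.IGNORECASE)
# Assumption: a Tor client under these folders was planted, not installed.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    kind: str            # "dns" or "conn"
    target: str          # queried name, or "ip:port" for connections
    sni: str = ""        # TLS server name, when observed


def rogue_tor(procs: list[Proc]) -> dict[int, list[str]]:
    """PIDs of Tor clients that look planted rather than installed, with reasons."""
    out: dict[int, list[str]] = {}
    for p in procs:
        if not p.image.lower().endswith("\\tor.exe"):
            continue
        reasons = []
        if USER_WRITABLE_RE.search(p.image):
            reasons.append("tor_in_user_writable_dir")
        if DROPPED_TOR_RE.search(p.image):
            reasons.append("tor_in_random_hex_folder")
        if re.search(r"\s-f\s+torrc\b", p.cmdline):
            reasons.append("tor_local_torrc")
        if reasons:
            out[p.pid] = reasons
    return out


def ip_lookups(net: list[NetEvent]) -> dict[int, set[str]]:
    """PID -> external-IP-check domains it resolved or presented in TLS SNI."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in net:
        for name in (ev.target if ev.kind == "dns" else "", ev.sni):
            if name.lower() in IP_CHECK_DOMAINS:
                hits[ev.pid].add(name.lower())
    return dict(hits)


def correlate(procs: list[Proc], net: list[NetEvent]) -> list[dict]:
    """Parents that spawned a planted Tor client; high confidence if they also checked their IP."""
    tor = rogue_tor(procs)
    lookups = ip_lookups(net)
    children: dict[int, list[int]] = defaultdict(list)
    for p in procs:
        if p.pid in tor:
            children[p.ppid].append(p.pid)
    findings = []
    for ppid, kids in children.items():
        parent = next((p for p in procs if p.pid == ppid), None)
        finding = {
            "pid": ppid,
            "image": parent.image if parent else "?",
            "tor_children": sorted(kids),
            "ip_check_domains": sorted(lookups.get(ppid, ())),
        }
        finding["confidence"] = "high" if finding["ip_check_domains"] else "medium"
        findings.append(finding)
    return findings


TOR = r"C:\Users\admin\AppData\Local\a5b260eb\tor\tor.exe"
# Constructed sample mirroring this report (not a sandbox export).
SAMPLE_PROCS = [
    Proc(1234, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(3672, 1234, r"C:\Users\admin\AppData\Local\Temp\aa.exe", r'"C:\Users\admin\AppData\Local\Temp\aa.exe"'),
    Proc(3972, 3672, TOR, f'"{TOR}" -f torrc'),
    Proc(696, 3672, TOR, f'"{TOR}" -f torrc'),
    # Assumed Tor Browser install path, for contrast: not user-planted, no local torrc argument.
    Proc(5100, 1234, r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe", "tor.exe"),
]
SAMPLE_NET = [
    NetEvent(3672, "dns", "myexternalip.com"),
    NetEvent(3672, "conn", "34.117.118.44:443", sni="myexternalip.com"),
    NetEvent(3672, "dns", "ctldl.windowsupdate.com"),
    NetEvent(3972, "conn", "176.10.107.180:9001"),
    NetEvent(3972, "conn", "185.246.152.22:443"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_PROCS, SAMPLE_NET):
        print(f)
```

Port-based Tor detection (9001, 9030) is deliberately not used: the report's own relay connections include 443 and 10000, and the ET TOR hits above come from a relay-address list, which is the right source on the network side. On the host side the durable indicators are the planted tor.exe path, the torrc dropped beside it (listed under Dropped files) and the parent that wrote them.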